
Showing posts from 2018

HTML Core Obfuscator

It's time for HTML of the future to give us the ability to obfuscate data in-memory. If password fields were stored as obfuscated values, there would be a very low chance of anyone recovering the password, however skilled they are. Plus, we wouldn't have to rely upon client-side JS to do hash obfuscation.

I suggest a simple extension to the input form element:

[ input type='password' obfuscator='sha512;salt=FooFooFoo' ]

We would define our own salt, or no salt, to keep the hash consistent (homomorphic) across creation and challenge.

This can be done with JS, but it doesn't prevent malicious adware JS from exploring the DOM and reading the "value" property of an input element that is named "password".

Pretty please?


Not So Safe Safelinks

Today I got a phishing email for my gatech account. It was nothing special and easy to identify as phishing. So why blog about it? Because today I decided to test out safelinks. Why not, right? It's Microsoft, and they make a habit of telling me that I should use Edge because it is safer than Chrome and Firefox.

I clicked on the safelink that was hosted on eur03.safelinks.protection.outlook.com and it opened in Edge. Wait, why did I have to hit a European safelink server, Microsoft, if I am in the USA? I don't remember authorizing you to do that, but then again, who cares about us in the US.

The safelink redirected successfully to logins.gatech.com, which is a shameless phishing site. It pulls resources from gatech.edu but has a self-hosted JS file with the same URL path as the one on the buzzport login page. It's a clever phish and it would likely defeat most users.

So that made me mad. I put on my Cyber cape and started to dig. The IP is hosted on AWS:

Name:    login.g…