Tags:


Is client side security dead - or a crucial part of the future?

Client side security is a niche tech field that seems to be unneeded for the most part. As someone who's very passionate about it, that's something that's hard for me to accept. After Shubham Shah addressed this topic in his tweet, I elaborate into the mixed feelings I have with this field, as well as present my take on the industry and most importantly, strongly argue why I think client side security isn't dying - but in fact is more crucial now than was ever before.

MetaMask Wallet Security Threat Model - The Browser's Prespective [𝕏]

Debunking a recently published academic paper on browser wallets security proving browser wallets like MetaMask are in fact secure

Javascript Anti Debugging - Crashing the Devtools [𝕏]

Best way to prevent someone from researching and debugging your malicious code? Probably by just crashing it! This was possible up until recently, learn more

The Same Origin Concern - presenting to W3C [𝕏]

In 2023 on behalf of the MetaMask LavaMoat security team we have presented to W3C about the same origin concern and how we recommend addressing it

The Same Origin Concern

This document focuses on the β€œsame origin concern”, describing the lack of control apps have over new realms that rise under their own origin, as well as its implications on their safety, how current efforts to address it fail and what browsers can do to help ship a secure and performant solution for the problem

Snow stops playing nice - security first at the cost of everything else

Today marks a big day in the life of Snow ❄️, where we come to the mature realization that in order for the project to stop chasing defensive security it has to take some bold steps at the cost of adoption and functional behaviour. Here, I attempt to lay out the process of trying, failing and learning the hard truth the hard way, and what should be our steps forward to find real security for same origin realms.

Proto Tree 🌳 - A Way to Observe the JS Prototype Chain [𝕏]

The JavaScript prototype chain is complicated and hard to study, so shouldn't there be an online tool for that already?

MetaMask JavaScript Security Stack (Part 3 - Snow) [𝕏]

A series exploring the JavaScript security stack of the MetaMask browser wallet (part 3 - LavaMoat Snow)

MetaMask JavaScript Security Stack (Part 2 - Snow) [𝕏]

A series exploring the JavaScript security stack of the MetaMask browser wallet (part 2 - LavaMoat Snow)

MetaMask JavaScript Security Stack (Part 1 - scuttling) [𝕏]

A series exploring the JavaScript security stack of the MetaMask browser wallet (part 1 - LavaMoat scuttling)

DOM Clobbering - but with numbers?! [𝕏]

An interesting edge case of DOM Clobbering when using a number instead of a string

CVE-2023-1767 - Stored XSS on Snyk Advisor service can allow full fabrication of npm packages health score

A stored XSS in Snyk Advisor (domain:snyk.io) allowed me to fabricate the health score granted for packages in my control, which I leveraged into making it seem as my "malicious" package is in fact healthy, popular and legitimate, which could have served an attacker to convince others to install an actual malicious npm package.

CVE-2023-1767 - Stored XSS on Snyk Advisor service can allow full fabrication of npm packages health score [𝕏]

A stored XSS in Snyk Advisor (domain:snyk.io) allowed me to fabricate the health score granted for packages in my control, which I leveraged into making it seem as my "malicious" package is in fact healthy, popular and legitimate, which could have served an attacker to convince others to install an actual malicious npm package.

Introducing Snow ❄️ [𝕏]

Introducing Snow JS, a JavaScript security tool for securing same origin realms as part of the MetaMask LavaMoat security toolbox

Realms Security [𝕏]

Let's understand realms security

Integrating Snow ❄️ into MetaMask 🦊

Here's why our very own Snow JS, a browser security technology, should be integrated into the MetaMask browser extension. We explain the problem of supply chain attacks and how LavaMoat, a technology used by MetaMask, provides a layer of defense against such attacks. However, LavaMoat's protection is limited to the main realm, and Snow is proposed as a tool to extend this protection to all child realms. Snow aims to provide a second layer of security to enhance the app's defense against supply chain attacks.

What is a realm in JavaScript?

Realms are an old concept in the JavaScript ecosystem, but with the rise of supply chain types of attacks realms became a powerful tool for attackers to bypass well known browser runtime security tools. In order to address this concern, we first must understand - what is a realm in JavaScript?

Javascript Anti Debugging - Abusing Chromium Devtools Scope Pane

Abusing the Chromium Devtools Scope Pane can allow execution of Javascript by the devtools while the main thread is paused by the debugger. A walk through a very interesting discovery that JavaScript security researcher should very much be aware of.

My contribution attempt to the browser javascript supply chain attack problem

Today I share my "side project" for the past year, three browser javascript security libraries that aim to perform as tools for creating web apps that are more resilient to and limiting of unwanted code execution such as XSS and javascript supply chain attacks - This is my contribution attempt to the JavaScript security ecosystem!

CVE-2020-6519 - Chromium 83 Zero Day Full CSP Bypass Cross Platforms

This is the story of how I found and helped Google patch a vulnerability in Chrome browser that could have allowed attackers to fully bypass CSP rules since Chrome 73 (March 2019), and how researching it taught me that today's CSP mechanism design is the reason no one uses CSP correctly and therefore many of the biggest websites in the world are exposed to this vulnerability.

CVE-2019-18426 - WhatsApp Vulnerabilities Disclosure - Open Redirect + CSP Bypass + Persistent XSS + FS read permissions + potential for RCE

WhatsApp Vulnerabilities Disclosure - Open Redirect + CSP Bypass + Persistent XSS + FS read permissions + potential for RCE! A super critical vulnerability discovery and breakdown to learn from and be aware of. Here's how it looks like when a highly used b2c product leaves so many users so vulnerable to a number of client side vulnerabilities.

Javascript Anti Debugging - Abusing SourceMappingURL

Abusing SourceMappingURL feature can allow attackers to create one of the strongest Cross Browsers Javascript Anti Debugging techniques that was ever seen. In this post I walk through the discovery and explain why this finding is so powerful and important to be aware of.