(Although Content-Types are not a CSRF Protection Mechanism)

About two years ago, Eduardo Vela pointed out that the Navigator Beacon API can be used to exploit “accidentally-CSRF safe” websites. Philip Olausson and I recently noticed that Chrome 59, which just shipped, addressed this behavior, and we investigated a Flash bypass.

First, some background. A number of RESTful web applications out there assume that certain Content-Types, such as application/json, can only be encoded with an XHR request. To make a cross-origin XHR request, a browser sends preflight requests to retrieve CORS information and verify permissions. …


Update: We’re happy to announce that our session has been accepted at BlackHat USA 2017. Hope to see you there! We will speak in detail about the inner workings of iCloud keychain and the OTR vulnerability.

Longterm Security, Inc. offers consulting services and training to help companies build, ship, and run secure software. You can contact us on our website or by email.


While reviewing attack surfaces on iOS for potential sandbox escapes, we uncovered a critical flaw in a custom Off-The-Record implementation relied upon by iCloud Keychain Sync in addition to a memory trespass error (CVE-2017-2451). The flaws were…

There’s a clever and wildly successful Gmail phishing campaign going around that seems to have affected very many people. It abuses 3-legged OAuth to gain access to accounts and spread. Here’s a video from Josh Humann “of what that gmail phishing attempt looked like if you clicked on it” — @manumit


Once attackers get into an account, they have full privileges to find more contacts to send the attack to. If you’re worried about your own account having been compromised, you can manage your account’s OAuth settings here, and remove the fake Google Docs App.

#0. Go passwordless

In 2016, well over 500 million password credentials leaked (see https://haveibeenpwned.com/) and the number only continues to grow each year. Passwords alone are arguably no longer an adequate security mechanism for protecting PII without best practices such as multifactor authentication with universal two-factor or temporal one-time codes.

You can actually design your product to avoid passwords altogether so there’s no password material to protect in the first place. This also mitigates the impact of other breaches on your users’ passwords. …

At Longterm Security, we provide training for organizations looking to build up or improve their in-house Security Operations capabilities. Our other trainings include offensive security training which focuses on reverse engineering, vulnerability discovery, and bypassing exploit mitigations. We also have defensive security training for security design reviews, secure coding and testing methodology.

We’d like to point out that in-house only Security Operations is not the only way to go. Upon request, there are a number of Managed Security Service Providers (MSSPs) that we can recommend for organizations looking to outsource their security monitoring and threat hunting to experts. …

Many startups, organisations, and larger enterprises today use the G Suite for their business productivity. The G Suite offers email services, calendars, collaborative document creation, file sharing, video conferencing and more. G Suite can also help manage the business IT infrastructure with MDM and SAML support. It puts much of the business activity in the cloud and makes it all available through the web browser.

As with most business Apps, there are some security risks, so Google takes security seriously and has been steadily improving the security features and APIs available for administrators to manage their data. In fact, the…

Over the years there have been numerous high-profile attacks that have compromised accounts hosted on Google Mail or the G Suite. There are some highly effective measures that can be taken to help prevent these scenarios. And the most important tip is probably…

Enforce Multifactor Authentication to Protect from Phishing

Phishing is both the most common and also one of the most effective techniques in attacker playbooks. So when it comes to the G Suite, phishing is without question the #1 risk for organisations, since so much business data can be accessed from anywhere on the internet with only one set of credentials.

Every organisation on G…

Alex Radocea

Cofounder at Longterm Security, Inc. contact+medium@longterm.io
