Summary

Below is a collection of the more interesting security investigations and issues I have worked on or discovered over the years (those that have been made public) that did not grow into projects of their own (like onionscan or evoting).

Quiet - Arbitrary File Write (leading to code execution) - September 2023

A malicious client could set the `fileMetadata.name` attribute to an arbitrary string, and when a receiving client downloaded the file it would happily use that name when deciding where to write it, i.e. if the name contained `../../` the write would escape the `downloads` folder and land in any directory the attacker chose.

This happened because the download path was resolved as `${path.join(downloadDirectory, fileName)}`, which allows path traversal because `/` characters in the filename metadata were permitted (and `path.join` normalises `..` components rather than rejecting them).

File writes appeared to be completely unrestricted, and I wrote a simple PoC that escalated this to code execution (because an attacker can simply overwrite startup scripts, shared libraries, or anything else).

(Note that even on platforms where writing outside the application's own directories is more difficult, e.g. mobile, this vulnerability would likely be enough to cause deanonymization, since config files and caches can be clobbered, and I suspect that arbitrary code execution (ACE) would not be too difficult even in that restricted context.)

This flaw was reported privately to the Quiet team in September 2023 and was patched within a week.

Obsidian - Malicious Websites can access internal Obsidian URIs - December 2022

This flaw allowed any website embedded in an Obsidian Canvas to add, delete or modify any file in the loaded vault. Creation of files was limited to .md files, but editing extended to .canvas files. Because the `open` and `new` URIs auto-open files in Obsidian, a single malicious website could effectively chain-spawn multiple malicious URI processes.

  • Disclosure / PoC

Thunderbird Decryption Oracle - August/September 2022

I recently disclosed several security and privacy vulnerabilities in Thunderbird. At worst these vulnerabilities can be exploited by an adversary with access to a collection of intercepted encrypted messages to trick Thunderbird into decrypting any given message and sending the resulting plaintext back to the adversary. This attack worked with Thunderbird's default configuration, i.e. even when loading remote resources is disabled.

  • CVE-2022-3033 - Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
  • CVE-2022-3032 - Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked
  • CVE-2022-45412 - Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content
  • PoC Writeup
Flaws in Smart Toys Marketed to Children - December 2017

In 2017 I was contracted to conduct research into the security and privacy of connected toys for children.

  • A Cute Toy Just Brought a Hacker Into Your Home - New York Times
  • Assessment of the Privacy and Security of Smart Toys Marketed to Children (Redacted Version - Mirror)

Github - Profile Email Address not Validated - November 2015

  • Github Bug Bounty Page: Profile email address not validated