[FD] mobile.facebook.com is not on HSTS preload list or sending the Strict-Transport-Security header

2016-01-20 Thread Ricardo Iramar dos Santos
Hi All, I've noticed that the mobile.facebook.com domain is not on the HSTS preload list or sending the Strict-Transport-Security header. All the other domains, like m.facebook.com, are using HSTS properly. I reported this to Facebook on 12/3/15 through the whitehat program and got the answer below. I've ch
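For readers who want to reproduce the kind of check Ricardo describes, the following is an added example (not code from the original post or from Facebook): it parses a Strict-Transport-Security header as RFC 6797 defines it and reports whether a response would meet the hstspreload.org submission requirements. The sample responses are constructed here and are not captures of any Facebook host; the one-year minimum max-age is the current hstspreload.org requirement (in 2016 the threshold was 18 weeks), so it is passed in as a parameter.

```javascript
// Added example: parse Strict-Transport-Security (RFC 6797) and judge preload
// readiness. Sample responses below are constructed, not real captures.

const ONE_YEAR = 31536000; // hstspreload.org requires max-age >= 1 year (assumption: current rule)

// Returns { maxAge, includeSubDomains, preload } or null if the header is invalid.
function parseHsts(value) {
  if (typeof value !== 'string') return null;
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = new Set();
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (seen.has(name)) return null;            // RFC 6797: a directive may appear only once
    seen.add(name);
    if (name === 'max-age') {
      if (val === null) return null;
      if (val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1); // quoted form allowed
      if (!/^\d+$/.test(val)) return null;
      out.maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      out.includeSubDomains = true;
    } else if (name === 'preload') {
      out.preload = true;
    }
    // Unknown directives are ignored, as the RFC requires.
  }
  if (out.maxAge === null) return null;          // max-age is mandatory
  return out;
}

// headers: plain object with lower-cased names, the shape node's http module returns.
function hstsStatus(headers, minMaxAge = ONE_YEAR) {
  const raw = headers['strict-transport-security'];
  if (raw === undefined) {
    return { present: false, valid: false, preloadEligible: false, problems: ['header missing'] };
  }
  const parsed = parseHsts(raw);
  if (!parsed) {
    return { present: true, valid: false, preloadEligible: false, problems: ['header invalid or missing max-age'] };
  }
  const problems = [];
  if (parsed.maxAge === 0) problems.push('max-age=0 tells browsers to forget the host');
  if (parsed.maxAge < minMaxAge) problems.push(`max-age ${parsed.maxAge} is below ${minMaxAge}`);
  if (!parsed.includeSubDomains) problems.push('includeSubDomains missing');
  if (!parsed.preload) problems.push('preload directive missing');
  return { present: true, valid: true, ...parsed, preloadEligible: problems.length === 0, problems };
}

// Constructed sample responses (not taken from any real host).
const SAMPLE_RESPONSES = {
  good: { 'strict-transport-security': 'max-age=31536000; includeSubDomains; preload' },
  shortAndNoPreload: { 'strict-transport-security': 'max-age=10886400; includeSubDomains' },
  missing: { 'content-type': 'text/html' },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, hstsStatus(headers));
}
```

To run this against a live host, issue an HTTPS request with node's `https` module and pass `res.headers` to `hstsStatus`; the header only counts when it arrives over TLS, and being on the preload list is a separate, list-based check that this parser does not perform.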

[FD] IE11 is not following CORS specification for local files

2016-09-27 Thread Ricardo Iramar dos Santos
IE11 is not following the CORS specification for local files like Chrome and Firefox. I've contacted Microsoft and they say this is not a security issue, so I'm sharing it. From my tests, IE11 is not following the CORS specifications for local files as it is supposed to. In order to prove it I've created a malici

Re: [FD] IE11 is not following CORS specification for local files

2016-10-11 Thread Ricardo Iramar dos Santos
r1.send(); }; xhr0.onerror = function() {alert('Woops, there was an error making the request.'); }; xhr0.send();}<\/script><body onload=\"makeCorsRequest()\"><\/body><\/html>"]); window.navigator.msSaveBlob(blob, 'testFile.htm'); }

Re: [FD] IE11 is not following CORS specification for local files

2016-10-11 Thread Ricardo Iramar dos Santos
%3E%3C%5C%2Fbody%3E%3C%5C%2Fhtml%3E%22%5D%29%3B+++window.navigator.msSaveBlob%28blob%2C+%27giftcard.htm%27%29%3B%7D%3C%2Fscript%3E On Wed, Oct 5, 2016 at 4:51 PM, Ricardo Iramar dos Santos wrote: > I did a small improvement in this attack. > Using IE File API > (https://msdn.microsoft.

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-08 Thread Ricardo Iramar dos Santos
How about this one? http://filippo.io/Heartbleed/ On Tue, Apr 8, 2014 at 8:59 AM, Jann Horn wrote: > On Tue, Apr 08, 2014 at 10:23:26AM +0200, Joerg Mertin wrote: > > Ubuntu already has released: > > http://www.ubuntu.com/usn/usn-2165-1/ > > > > My server updated during the night :} > > Make s

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Ricardo Iramar dos Santos
malicious intention to include this bug. Anyway, I was thinking wrongly, since we have the reason in the RFCs. Thanks Ricardo Iramar On Fri, Apr 11, 2014 at 12:09 AM, Ricardo Iramar dos Santos < rira...@gmail.com> wrote: > Reading this post > http://vrt-blog.snort.org/2014/04/heartb

[FD] Reflected File Download in AOL Search Website

2015-02-18 Thread Ricardo Iramar dos Santos
Oren Hafif reported a new kind of attack called Reflected File Download ( https://www.blackhat.com/eu-14/briefings.html#reflected-file-download-a-new-web-attack-vector) at the Black Hat Europe 2014 conference. More details about the attack can be found in his public presentation: https://www.blackhat.
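To make the attack class concrete, here is an added example that is not the AOL endpoint, Ricardo's report, or Oren Hafif's code. It models a JSONP "suggestions" endpoint of the kind RFD targets: the attacker-controlled callback parameter is reflected into a response the browser is willing to download, and with a URL path that ends in a name like setup.bat the saved file becomes a runnable script. The attacker input and the endpoint shape are constructed for this illustration; the hardened version applies the three mitigations from Hafif's paper (a strict callback whitelist, a fixed filename in Content-Disposition, and X-Content-Type-Options: nosniff).

```javascript
// Added example: a JSONP endpoint before and after RFD hardening.
// The callback value and results are constructed, not from any real site.

// Assumption: callbacks are plain identifiers, nothing else is ever legitimate.
const JSONP_CALLBACK = /^[A-Za-z_$][\w$]{0,63}$/;

function vulnerableJsonp(callback, results) {
  // Reflects the callback verbatim and lets the browser pick the filename from
  // the URL; a request like /search;/setup.bat?callback=calc|| yields a
  // download named setup.bat whose first line is "calc||..." .
  return {
    status: 200,
    headers: { 'content-type': 'application/json' },
    body: `${callback}(${JSON.stringify(results)});`,
  };
}

function hardenedJsonp(callback, results) {
  if (!JSONP_CALLBACK.test(callback)) {
    // Reject rather than "clean": shell operators such as | and & never belong here.
    return { status: 400, headers: { 'content-type': 'application/json' }, body: '{"error":"bad callback"}' };
  }
  return {
    status: 200,
    headers: {
      'content-type': 'application/json; charset=utf-8',
      // A server-chosen filename means the path trick cannot name the download.
      'content-disposition': 'attachment; filename="suggest.json"',
      // Stops browsers from sniffing the body into a type they would execute.
      'x-content-type-options': 'nosniff',
    },
    body: `${callback}(${JSON.stringify(results)});`,
  };
}

// Constructed RFD-style payload: "calc||" followed by anything is a valid batch line.
const ATTACK_CALLBACK = 'calc||';
const SAMPLE_RESULTS = ['example'];

// Heuristic used by this example: the attacker's text reaches the body unchanged
// AND the server has not pinned the download's filename.
function isExploitable(resp) {
  const reflected = resp.status === 200 && resp.body.includes(ATTACK_CALLBACK);
  const pinned = /filename="[^"]+"/.test(resp.headers['content-disposition'] || '');
  return reflected && !pinned;
}

console.log('vulnerable exploitable:', isExploitable(vulnerableJsonp(ATTACK_CALLBACK, SAMPLE_RESULTS)));
console.log('hardened exploitable:', isExploitable(hardenedJsonp(ATTACK_CALLBACK, SAMPLE_RESULTS)));
```

Note that the search term itself is usually reflected in `results` too, and JSON.stringify does not remove shell operators from it; that is why the fixed Content-Disposition filename is the mitigation that holds even when some reflection is unavoidable, and the callback whitelist is defence in depth.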

Re: [FD] Reflected File Download in AOL Search Website

2015-03-01 Thread Ricardo Iramar dos Santos
he AOL users and how they could be affected by this security issue. I could not measure what could be worse, living quietly with the problem or taking the risk of disclosure. Now I'm sure that specific problem was solved. :) On Mon, Feb 16, 2015 at 2:13 PM, Ricardo Iramar dos Santos < rira...@gma