Tag: Tom Anthony
Zoom Security Exploit - Cracking private meeting passwords - Tom Anthony
Short version: Zoom meetings were by default protected by a 6-digit numeric password, meaning a maximum of 1 million passwords. I discovered a vulnerability in the Zoom web client that allowed checking if a password is correct for a meeting, due to broken CSRF and no rate limiting. This enabled an attack...
XSS attacks on Googlebot allow search index manipulation - Tom Anthony
Short version: Googlebot is based on Google Chrome version 41 (2015), and therefore it has no XSS Auditor, which later versions of Chrome use to protect the user from XSS attacks. Many sites are susceptible to XSS attacks, where the URL can be manipulated to inject unsanitized JavaScript code int...
Googlebot's JavaScript random() function is deterministic - Tom Anthony
I was conducting some experiments on how Googlebot parses and renders JavaScript, and I came across a couple of interesting things about the way it does so. The first is that Googlebot's Math.random()...