Posts List

Your Signal messages can leak via locked screen on macOS

If you are a security aware person, you probably use one of the secure messengers. 😏 And maybe to improve your comfort you installed its desktop version on your mac? Sometimes we leave our computer unattended when we go to make a coffee or we need to talk with somebody in the other room. Since we are security aware, we always lock our screens (you do that, right?). But what if all messages sent to you will be visible on your locked mac?

'The biggest' *OS problem in 2018

It’s March 2018 when I’m writing this post. From day to day, Apple’s security is improved - we have Kernel Patch Protection, Secure Enclave Processor (now even on macOS with Touch Bar), GateKeeper and many other security features. On the other hand, only in the last half of the year some trivial bugs were found that led to password disclosure. It’s seems like password leaks may be currently the most serious, from PR perspective, *OS problem.

FreePlane <= 1.5.9 XXE

What FreePlane is? FreePlane is an open-source application intended for creating mind maps. Vulnerability descripton: FreePlane is Java-based app that loads its mind maps that are stored as a simple XML files. The parser allowed to expand external entities that caused this vulnerability. Results: When victim opens maliciously crafted mind map, any accessible by Java file can be sent to the attacker. Proof of concept: Malicious mindmap: <map version="freeplane 1.