Threat modeling: PhaaS, platform abuses, and content moderation

❗️Disclosure: I have worked at Pitch since December 2021. This write-up aggregates public knowledge previously shared by third parties (e.g., security firms, the infosec community) or by us. I hope it can be helpful for younger security teams that need to understand how to identify and mitigate phishing abuse for the first time.

Threat model

When you work in the startup ecosystem long enough, you learn that company cybersecurity risks are related not only to IT failures or the OWASP Top 10 but also to reputation. It doesn't matter if your infrastructure is solid and redundant, if your engineers follow best practices, if you have real-time monitoring and alerts in place, or if you implement other good practices: if stakeholders don't trust your security standards, you are not secure in their eyes. This is why startups and companies invest money and time in security certifications like ISO 27001 or SOC 2 Type 2 (though this is a controversial topic, and I have strong opinions on it, I won't delve into that now). ...

March 7, 2025 · 14 min · 2900 words · Luigi Gubello

JavaScript-based PDF Viewers, Cross Site Scripting, and PDF files

❗️Disclosure: I worked at Smallpdf from January to November 2021. In that period, Smallpdf used the PDFTron WebViewer SDK (now Apryse PDF WebViewer) to render PDF files in the browser. This information was public.

Interview and first XSS in PDFTron WebViewer

In October 2020, I started my job interview with Smallpdf for a Cloud Security Engineer position. During the interview process, I began to use Smallpdf as a service to "play" with it, and since it is a web application that renders PDF files, I tried to use PDF files to inject arbitrary JavaScript code. ...

August 27, 2024 · 16 min · 3356 words · Luigi Gubello

Is China spreading propaganda in Italy (and worldwide)?

Italy is facing dark days because of the coronavirus, and there is a lot of disinformation about this topic, especially on messaging apps and social networks (the journalist Jane Lytvynenko is collecting and debunking a large number of fake news stories about COVID-19). Last week (03/12) China sent a team of doctors and equipment for Italian hospitals, part of which Italy will pay for. The Chinese Embassy in Italy reported the news on Twitter and, during these particular days, their Twitter account is particularly active. Their tweets have generated many retweets, likes and positive replies (many thanks from Italian people) because the coronavirus is a world issue and people are scared. This is the bright side of it, but there is another side: many tweets and reactions seem to have been created by bots or suspicious accounts, usually with few tweets, no profile picture, absolutely pro Chinese government and anti USA. If you try to reply in a negative way to the Chinese Embassy in Italy (@AmbCina), you will probably receive this message from some users: nmsl, Chinese slang that stands for "Your mom is dead". ...

March 17, 2020 · 3 min · 552 words · Luigi Gubello

Javascript Injection in six Android mail clients

During last spring (2019) I started to "open and read" Android applications before installing them. Reversing an APK file can be interesting to understand how an app works, how it manages permissions and my data, and whether there are vulnerabilities. I was looking for a different Android mail client, so I started to reverse them, and I found that many mail clients on the Play Store were (and maybe still are) vulnerable to JavaScript injection. I found eight important apps vulnerable to cross-site scripting: Newton Mail 10.0.23, Nine Email 4.5.3a, Blue Mail 1.9.5.36, Edison Email 1.7.1, Email TypeApp 1.9.5.35 and Spark 2.0.2, plus two apps I can't disclose now. In April and May 2019 I wrote to the vendors of these apps, but only some of them replied. ...

February 15, 2020 · 2 min · 340 words · Luigi Gubello

About Chinese propaganda on Twitter: drawing data 📊

Some days ago the journalist Charlotte Godart contacted me and asked me to explain how to use my script tweet_analysis.py. Her goal was to convert Twitter datasets about Chinese propaganda into graphs, so that people can see how the Chinese government operates on Twitter to influence their opinion. While helping her I had the chance to take a look at these datasets, and they are intriguing, very different from the Internet Research Agency dataset. My unconfirmed theory is that the Chinese government bought some bots and fake accounts from third-party companies. China has strong power over national internet services such as TikTok or WeChat (e.g. filters, censorship), but not so much over external services, for now. I think this situation will change quickly. ...

December 3, 2019 · 7 min · 1294 words · Luigi Gubello