During the last days, a researcher discovered that the SafeBrowse Chrome extension is using the computer of its users to mine Monero (an alternative crypto currency similar to Bitcoin). With over 140000 users - most likely, this is the most popular (and probably the first one) Chrome extension mining a cyrpto currency without users’ consent. it is not the only one …

We are proud to announce the release of HOL-TestGen 1.9.1 HOL-TestGen is a formal specification-based test environment HOL-TestGen that allows to have a seamless transition from verification to test case generation using symbolic computation in Isabelle/HOL.

Cross-platform frameworks, such as Apache Cordova, are becoming increasingly popular. They promote the development of hybrid apps that combine native, i.e., system specific, code and system independent code, e.g., HTML5/JavaScript. Combining native with platform independent code opens Pandora’s box: all the the security risks for native development are multiplied with the security risk of web applications.

We are proud to announce the release of HOL-TestGen 1.9. HOL-TestGen is a formal specification-based test environment HOL-TestGen that allows to have a seamless transition from verification to test case generation using symbolic computation in Isabelle/HOL.

On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality (e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties. The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a “juice target” for attackers targeting web users.

Missed our AppSecEU talk on the security risk of browser extensions? or do you want to learn what happened during the last months? Your are lucky! We will give an updated version of our talk next weekend at the SteelCon conference in Sheffield! Update: you can also watch the recording of our talk!.

More and more devices of our daily life are “smart:” ranging from smart light bulbs to smart TVs to smart fridges - everything can, and most likely will be, in the future connected to the Internet. More and more people are already used to remotely controlling their heating at home using their smart phone.

Cross-platform frameworks, such as Apache Cordova, are becoming increasingly popular. They promote the development of hybrid apps that combine native, i.e., system specific, code and system independent code, e.g., HTML5/JavaScript. Combining native with platform independent code opens Pandora’s box: all the the security risks for native development are multiplied with the security risk of web applications.

If you want to learn more, visit our talk at the OWASP AppSecEU in Belfast. Update: you can also watch the recording of our talk!.

On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality (e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties. The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a “juice target” for attackers targeting web users.

If you want to learn more, visit our talk at the OWASP AppSecEU in Belfast. Update: you can also watch the recording of our talk!.