04 Dec 2024
iframes can either share the origin of their embedder or not. While cross-origin iframes are highly useful and widely used across the web, what are same-origin iframes used for? Aside from malicious ways to use such iframes, are there any legitimate use cases for them? This research focuses on finding the answer to this question.
10 Feb 2024
Client side security is a niche tech field that seems to be unneeded for the most part. As someone who's very passionate about it, that's something that's hard for me to accept. After Shubham Shah addressed this topic in his tweet, I elaborate on the mixed feelings I have about this field, present my take on the industry and, most importantly, strongly argue why I think client side security isn't dying but is in fact more crucial now than it has ever been.
21 Jan 2024
Debunking a recently published academic paper on browser wallet security, showing that browser wallets like MetaMask are in fact secure.
14 Nov 2023
What is the best way to prevent someone from researching and debugging your malicious code? Probably by just crashing it! This was possible until recently; read on to learn how.
03 Oct 2023
In 2023, on behalf of the MetaMask LavaMoat security team, we presented to the W3C on the same origin concern and how we recommend addressing it.
28 Sep 2023
This document focuses on the "same origin concern", describing the lack of control apps have over new realms that rise under their own origin, its implications for their safety, how current efforts to address it fail, and what browsers can do to help ship a secure and performant solution to the problem.
03 Aug 2023
Today marks a big day in the life of Snow, where we come to the mature realization that in order for the project to stop chasing defensive security it has to take some bold steps at the cost of adoption and functional behaviour. Here, I attempt to lay out the process of trying, failing and learning the hard truth the hard way, and what our next steps should be to find real security for same origin realms.
27 Jul 2023
The JavaScript prototype chain is complicated and hard to study, so shouldn't there be an online tool for that already?
14 Jul 2023
A series exploring the JavaScript security stack of the MetaMask browser wallet (part 3 - LavaMoat Snow)
07 Jul 2023
A series exploring the JavaScript security stack of the MetaMask browser wallet (part 2 - LavaMoat Snow)
30 Jun 2023
A series exploring the JavaScript security stack of the MetaMask browser wallet (part 1 - LavaMoat scuttling)
23 Jun 2023
An interesting edge case of DOM Clobbering when using a number instead of a string
10 Apr 2023
A stored XSS in Snyk Advisor (domain:snyk.io) allowed me to fabricate the health score granted to packages under my control, which I leveraged into making it seem as if my "malicious" package was in fact healthy, popular and legitimate. An attacker could have used this to convince others to install an actually malicious npm package.
09 Apr 2023
A stored XSS in Snyk Advisor (domain:snyk.io) allowed me to fabricate the health score granted to packages under my control, which I leveraged into making it seem as if my "malicious" package was in fact healthy, popular and legitimate. An attacker could have used this to convince others to install an actually malicious npm package.
04 Jan 2023
Introducing Snow JS, a JavaScript security tool for securing same origin realms, part of the MetaMask LavaMoat security toolbox.
19 Nov 2022
Let's understand realms security
18 Nov 2022
Here's why our very own Snow JS, a browser security technology, should be integrated into the MetaMask browser extension. We explain the problem of supply chain attacks and how LavaMoat, a technology used by MetaMask, provides a layer of defense against such attacks. However, LavaMoat's protection is limited to the main realm, and Snow is proposed as a tool to extend this protection to all child realms. Snow aims to provide a second layer of security to strengthen the app's defense against supply chain attacks.
28 Oct 2022
Realms are an old concept in the JavaScript ecosystem, but with the rise of supply chain attacks, realms have become a powerful tool for attackers to bypass well-known browser runtime security tools. To address this concern, we must first understand: what is a realm in JavaScript?
01 Sep 2021
Abusing the Chromium DevTools Scope pane can allow execution of JavaScript by DevTools while the main thread is paused by the debugger. A walkthrough of a very interesting discovery that JavaScript security researchers should very much be aware of.
18 Jul 2021
Today I share my "side project" for the past year: three browser JavaScript security libraries that aim to serve as tools for creating web apps that are more resilient to, and more limiting of, unwanted code execution such as XSS and JavaScript supply chain attacks. This is my attempt at contributing to the JavaScript security ecosystem!
02 Sep 2020
This is the story of how I found and helped Google patch a vulnerability in the Chrome browser that could have allowed attackers to fully bypass CSP rules since Chrome 73 (March 2019), and how researching it taught me that today's CSP mechanism design is the reason no one uses CSP correctly, and therefore why many of the biggest websites in the world are exposed to this vulnerability.
14 Feb 2020
WhatsApp Vulnerabilities Disclosure - Open Redirect + CSP Bypass + Persistent XSS + FS read permissions + potential for RCE! A super critical vulnerability discovery and breakdown to learn from and be aware of. Here's what it looks like when a highly used B2C product leaves so many users vulnerable to a number of client side vulnerabilities.
18 Dec 2019
Abusing the SourceMappingURL feature can allow attackers to create one of the strongest cross-browser JavaScript anti-debugging techniques ever seen. In this post I walk through the discovery and explain why this finding is so powerful and important to be aware of.