Yellow Flag  

@WPalant

Wladimir Palant, software developer and security researcher, browser extensions expert. He/him

Joined July 2018

  1. Pinned Tweet
    Aug 2

    Probably not surprising but the browser extension “Keepa – Amazon Price Tracker” is keeping close track of your shopping behavior. What makes this case particularly notable is its privacy policy which claims otherwise.

  2. Retweeted

    For the past few months, and I have been investigating bullying allegations against Deepmind cofounder Mustafa Suleyman. We unearthed a trail of secret cash settlements, boardroom tensions, and despair at his promotion to Google’s top team.

  3. Retweeted
    15 hours ago

    Researcher dives into the “Keepa – Amazon Price Tracker” and shows how this browser extension extracts data from Amazon sessions but also loads various Amazon pages in the background

  4. Aug 2

    First-time submission to Google’s Developer Data Protection Reward Program. Looking forward to seeing how that goes, particularly given that I already published my findings and merely need Google to act.

  5. Jul 21

    More details in the thread here. Grindr gave location data to third parties which was detailed enough to be associated with a priest and to out him as gay. Yet they keep claiming that this is “infeasible from a technical standpoint.” Yeah, sure…

  6. Jul 21

    Huge surprise! Yes, claims that data is being “anonymized” are usually merely a lame excuse. Given enough data, de-anonymization will often be possible. And that’s especially the case for highly sensitive data like movement profiles.

  7. Retweeted

    if you fuck over enough people, eventually they will start talking to one another. if you REALLY fuck over enough people, when they start going public, others will start coming out with their stories too

  8. Jul 13

    I finally came around to disabling the store listings for my Google Search link fix extension. I’ve had no time for it for quite a while already, but I meant to fix a few bugs first. Now I just accepted that this is not going to happen.

  9. Jul 13

    came into effect three years ago already. Don’t you want to check what data you have stored in violation of this law and remove it? I mean, before you leak more of it.

  10. Jul 13

    Their autoreply mentions the “new data protection policy.” Yes, it has been merely three years. Not nearly enough time to get accustomed to it of course.

  11. Jul 13

    notified me of their breach – and of the fact that they are violating . The one order nine years ago was done without creating an account, so they have no legal ground for keeping my data through all these years. At least all the data they have is outdated.

  12. Jul 12

    Wow, a solid quarter of my followees are apparently following a guy who credits himself with other people’s work. All while harassing others for allegedly stealing *his* work. I for my part have blocked the account. I don’t want to accidentally retweet or like his tweets.

  13. Jul 8

    I’ve also had my share of user complaints about npm audit reporting hundreds of issues without impact to my project. I’ve also wasted time upgrading dependencies for no other reason but to silence these warnings. The issue is real, currently npm audit is clearly not helping.

  14. Jul 7

    Saw a fancy hashing algorithm in a browser extension: for (char in string) hash = (hash << 5) - hash + char Seems to be a port of Java’s hashing algorithm lifted from Stack Overflow. Luckily, this is dead code and not used anywhere. 😅

  15. Jul 6

    Yes, Kaspersky Password Manager is ridiculously ill-designed. Given what I saw there three years ago, this vulnerability is not in the least surprising.

  16. Jul 2

    As if developers copy&pasting code without properly considering licenses wasn’t a time bomb already, we now have AI happily doing it for you. Thanks Github!

  17. Retweeted
    Jul 1

    "[GETTR] looks like a dumpster fire that was coded from the lavatory of Donald Trump… It literally took me longer to copy the screenshot images off of my testphone than it did to find the actual bug."

  18. Retweeted

    Your timeline may be full of bikini pictures right now due to , do you know why? Read this 👇🏼 if you don't want to post a bikini pic, you can support in many other ways! Comment on one of her tweets, write a support tweet etc.

  19. Jul 1
    Screenshot of Norton Utilities 6.0 for DOS. Text-based menu with options like Disk Doctor, Disk Editor and Speed Disk.