In my years working in application security teams for leading tech companies such as Facebook, I have identified several recurring patterns that challenge the effectiveness of cybersecurity measures in European software companies. In this blog post I will provide some of the bad patterns that I have seen over the recent years, and where I…
Recently I took a look at Atom, a text editor by GitHub. With a little bit of work, I was able to chain multiple vulnerabilities in Atom into an actual Remote Code Execution. The vulnerabilities have been fixed in the 1.21.1 release on October 12th, 2017, after I reported them via their HackerOne program. In case you want to…
At Nextcloud we do employ a pretty strict Content-Security-Policy (CSP). In case you need a quick explanation of what CSP is, I'd suggest reading this older blog post of mine. One of the caveats with the implementation in Nextcloud is that we had to allow 'unsafe-eval' because of our historically grown code base. For example, we use handlebars.js for…
In the past, the update experiences with ownCloud have been difficult. It was not always clear when updates would be released for the updater app or how to move to a new major release. Apps disappeared after an update or apps were updated to an incompatible version (e.g. with a broken PHP dependency), or simply…
As you may have read in the official Nextcloud announcement, we're today releasing the Nextcloud 10 beta release. Besides adding a lot of awesome new features, it also includes several security hardenings, such as adding support for native bruteforce protection and Two-Factor Authentication. Nextcloud commits to keeping your data secure; we're even going so far as to…