Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)

CVE-2020-27838 describes that Keycloak has an open endpoint where it’s possible to obtain client_secret information, as shown in the example below:
/auth/realms/{realm}/clients-registrations/default/{client_id}

Through other discussions, … Continue reading Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)

Verbose Headers/Information Leakage via HttpResponse Headers vs fingerprinting via named headers

I understand that a header like X-Powered-By can reveal details about the operating environment that can be used to find known vulnerabilities because you often get the language and compiler/interpreter/operating environment versions.
With… Continue reading Verbose Headers/Information Leakage via HttpResponse Headers vs fingerprinting via named headers

Would an attacker want the PII (personal information) of a deceased natural person?

One of my close relatives recently passed away. They had a large digital footprint, and their data was leaked and distributed on the internet. Unfortunately, the websites who store that information keep giving glib responses to requests fo… Continue reading Would an attacker want the PII (personal information) of a deceased natural person?

Side-channel impacts of coil whine and related acoustical phenomena over time

I am aware of one paper (although I forget the name) in which an AES key is extracted from some meters away as a result of coil whine (potentially audible vibration of an inductor coil), but I can’t find any research which looks into acous… Continue reading Side-channel impacts of coil whine and related acoustical phenomena over time