nym
nym@primal.net
npub1hn4z...htl5
nym 1 year ago
A New type of web hacking technique: DoubleClickjacking

"Clickjacking" is becoming less practical as modern browsers set all cookies to "SameSite: Lax" by default. Even if an attacker site can frame another website, the framed site would be unauthenticated, because cross-site cookies are not sent. This significantly reduces the risk of successful clickjacking attacks, as most interesting functionality on websites typically requires authentication.

DoubleClickjacking is a new variation on this classic theme: instead of relying on a single click, it takes advantage of a double-click sequence. While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header, CSP's frame-ancestors and SameSite: Lax/Strict cookies. This technique seemingly affects almost every website, leading to account takeovers on many major platforms.

![](https://m.stacker.news/73464)

In simpler terms, DoubleClickjacking leverages the small gap between the start of a click and the end of the second click in multiple windows, without utilizing any popunder tricks. It is a sleight of hand. Attackers load (or open) a new window for a legitimate-seeming reason, like a "captcha verification," for example. Then, just before the second click is pressed, the malicious site can quickly swap in a more sensitive window from the same browser session (e.g., an OAuth authorization prompt), effectively hijacking that second click. There are many ways to perform the "swap"; the most reliable and smooth method I found uses window.open.location.

One of the important pieces of this attack is exploiting the timing difference between mousedown and onclick events (favoring mousedown over click). The mousedown event fires immediately when the user presses the mouse button, while the click event waits for the complete click action, so there are a few ms of delay we can siphon for the attack.

One of the surprising things about doing it this way is that it does not matter how slow or how fast the target double-clicks. Favoring the mousedown event handler allows exploiting this even for the fastest or slowest double-clickers.
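The following is an added example, not code from the post above or from its original author: a small Node-runnable model of the event sequence the post describes, with the browser pieces (the opened window, the mousedown/click dispatch order, page load latency) stubbed so the timing logic can be exercised offline. The URLs, the 50 ms load latency and the `requireIntent` mitigation (refusing a click on the sensitive page until the pointer has moved since that page loaded) are assumptions for illustration; the mitigation is not part of the post.

```javascript
'use strict';

// Hypothetical URLs for the model (not real sites).
const CAPTCHA_URL = 'https://attacker.example/captcha';
const SENSITIVE_URL = 'https://target.example/oauth/authorize';
// Assumed time (ms) for a swapped-in page to become interactive.
const LOAD_MS = 50;

// Stand-in for the window opened by the attacker page. It records when
// its current document loaded and when the pointer last moved on it.
class FakeWindow {
  constructor(url, now = 0) {
    this.navigate(url, now);
  }
  navigate(url, now) {
    this.location = url;
    this.loadedAt = now;
    this.lastPointerMove = -1; // no pointer movement since this load
  }
  pointerMove(now) {
    this.lastPointerMove = now;
  }
}

// Attacker page logic: the first mousedown (dispatched before the click
// event completes) swaps the opened window from the decoy "captcha" to the
// sensitive page, so the user's second click lands on that page's button.
function attackerPage(win) {
  return {
    onMousedown(now) {
      if (win.location === CAPTCHA_URL) win.navigate(SENSITIVE_URL, now);
    },
  };
}

// Click handler of the sensitive page's "Authorize" button.
// requireIntent is the added mitigation: accept a click only if the pointer
// has moved since the page loaded, which a hijacked second click never has.
function targetClickHandler(win, now, { requireIntent = false } = {}) {
  if (win.location !== SENSITIVE_URL) return 'decoy';
  if (now < win.loadedAt + LOAD_MS) return 'lost'; // page not interactive yet
  if (requireIntent && win.lastPointerMove < win.loadedAt) return 'blocked';
  return 'authorized';
}

// Drive two presses through the browser order mousedown -> mouseup -> click.
// gapMs is the delay between the two presses; returns one outcome per click.
function simulateDoubleClick(gapMs, opts = {}) {
  const win = new FakeWindow(CAPTCHA_URL);
  const attacker = attackerPage(win);
  const outcomes = [];
  let now = 0;
  for (let press = 0; press < 2; press++) {
    attacker.onMousedown(now); // attacker's mousedown listener runs first
    now += 5;                  // mouseup, then the click event
    outcomes.push(targetClickHandler(win, now, opts));
    now += gapMs;              // time until the next press
  }
  return outcomes;
}

// A genuine user on the sensitive page: load, move the pointer, then click.
function simulateLegitimateClick(opts = {}) {
  const win = new FakeWindow(SENSITIVE_URL);
  win.pointerMove(200);
  return targetClickHandler(win, 300, opts);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('fast double-click   :', simulateDoubleClick(120));
  console.log('slow double-click   :', simulateDoubleClick(400));
  console.log('with requireIntent  :', simulateDoubleClick(120, { requireIntent: true }));
  console.log('legitimate user     :', simulateLegitimateClick({ requireIntent: true }));
}
```

In the model the first click is spent on the decoy (the swapped-in page is not yet interactive), the second lands on the sensitive page regardless of how long the user waits between presses, and the pointer-movement check blocks that second click without affecting a user who actually arrived at the page.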
nym 1 year ago
Is the World Becoming Uninsurable?

I ask the question, "is the world becoming uninsurable?" not as an expert on the insurance industry but as a homeowner who can no longer obtain hurricane insurance, and as an observer of long-term trends keenly interested in the way global risks pile up either unseen, denied or misinterpreted until it's too late to mitigate them.

![](https://m.stacker.news/73462)

This is not an abstraction, though many are treating it as a policy debate. As noted previously here, the insurance industry is not a charity, and insurers bear the costs that are increasing regardless of opinions and policy proposals. Insurers operate in the real world, and their decisions to pull out of entire regions, reduce coverage and increase premiums are all responses to soaring losses, a reality reflected in these charts.

![](https://m.stacker.news/73463)
nym 1 year ago
Earthstar - A database for private, distributed, offline-first applications

Earthstar is a specification and JavaScript library for building connected applications owned and run by their users.

- Works offline.
- Store music, photos, video.
- Actually delete stuff.
- Temporary documents.
- Live syncing.
- Use one or many identities.
- Sneakernets.
- Always self-hosted.
- Servers optional.
- No blockchain.
- No tokens.
- Free forever, in every sense.
- Verification with ed25519.
- Works in the browser.
- Grant read-only access.
- Efficient sync.
- Streaming sync.
- One identity across many devices.
- Multiwriter.
- Storage drivers.
- Document write permissions.
- Deno.
- Node.

![](https://m.stacker.news/73431)
nym 1 year ago
I tried moving my Google calendar to Proton (and failed)

Basically, the title. I've been building up the courage to transition since I started de-googling my digital life about three years ago. At first, there was the browser. It was the easiest — Firefox instead of Chrome, obviously. Then there was mail. I learned about SimpleLogin and started using them by routing all my aliases to a single Proton email address. This was long before their partnership with SimpleLogin. Next, I moved the drive and the documents stored in it. Lastly, there was the calendar.

**Why de-googling**

Everything about my life had been hosted within Google's ecosystem. Personal documents, bank statements, you name it. But Google's privacy practices have been increasingly concerning, if not alarming. I got tired of them using and selling my data for advertising — my browsing behavior, purchasing habits, and my email conversations. Google was, and unfortunately still is, everywhere. It is on my phone, in my bedroom, and in my friends' houses. The company's main business model is advertising, and so their revenue streams speak for themselves.
nym 1 year ago
Linux arm64 hosted runners now available for free in public repositories

Now in public preview, Linux arm64 hosted runners are available for free in public repositories. Following the release of arm64 larger hosted runners in June, this offering now extends to the open-source community. Powered by Cobalt 100-based processors, these 4 vCPU runners can deliver up to a 40% performance boost compared to Microsoft Azure's previous generation of Arm-based VMs, providing a power-efficient compute layer for your workloads. Arm-native developers can now build, test and deploy entirely within the arm64 architecture, without the need for virtualization in their Actions runs.