Spook.js - Speculative Type Confusion

The cool part of this paper is the speculative type confusion attack where the browser’s optimizer is trained to expect a memory access will be a uint8 array, and the CPU branch predictor that it will always go down that path. Then the attack changes both conditions leading to the CPU speculatively executing the uint8 access using data from another object, aligned in memory such that two 32bit value in JavaScript become one 64bit value.


Authentication is Optional for some Netgear Smart Switches (Demon's Cries)

What if authentication was optional? That seems to be the case here where the Netgear Switch Discovery Protocol, a UDP based protocol where each datagram is a header following by a Type Length Value (TLV) chain.The expectation is that all of the “get” commands can be used without authentication but that “set” commands should send the password authentication entry (Type 10) as the first part of the TLV chain…


NETGEAR D7000 Authentication Bypass

Authentication bypass by including a magic string in the URL.The string isn’t exactly magic, rather it seems like this page (setcup.cgi) has a single file that needs to be access without authentication…


Local File Read via Stored XSS in The Opera Browser

The vulnerability here is simply that Opera’s Pinboard feature allows pinning URLs starting with javascript: creating a clickable link on a Pinboard that will execute JavaScript. Unfortunately (for the attacker) these tabs open in a new window and not within the Pinboard context unless middle clicking, then these links will trigger them within the Pinboard context.