rssed

a collection of dev rss feeds - blogroll

321 feeds


Scott Helme

Posts

A dead CDN, a wildcard, and an attack waiting to happen: the netdna-ssl.com takeover

Every now and then I go digging through Report URI's Threat Intelligence data feeds, looking for domains that show up in CSP reports where they really [...]

Why No Passkeys? Naming the Top Sites That Still Don't Support Them

Back in 2017, Troy Hunt and I built a little website called whynohttps.com. The idea was simple: take the most popular sites on the internet, check wh [...]

The Instructure Canvas Breach (2026): How XSS in a Support Ticket Compromised 275 Million Students

A single support ticket became the front door to 275 million student records. The Canvas breach shows how quickly untrusted user content can become a [...]

Open-Sourcing dbsc-php: a Server Library for Device Bound Session Credentials in PHP

We’ve open-sourced dbsc-php, a small PHP library that makes it easier to deploy Device Bound Session Credentials and turn stolen session cookies into [...]

DBSC Beta at Report URI

This week, I published a blog post about Device Bound Session Credentials, a new technology that will significantly hamper the efforts of Infostealers [...]

Device Bound Session Credentials: Making Stolen Cookies Useless

A stolen session cookie can be vastly more powerful than a stolen password. The attacker doesn’t need to phish the user, bypass MFA, or defeat their p [...]

Passkeys, Permissions Policy and Bug Hunting in 1Password's WebAuthn Wrapper

Passkeys are the best thing to happen to web authentication in years, but a passkey ceremony is only as secure as the stack enforcing it. The browser, [...]

Open-Sourcing passkeys-php: A Security-Focused WebAuthn Library for PHP

We've open-sourced passkeys-php, the WebAuthn server library we use at Report URI to protect logins with passkeys, security keys, and platform authent [...]

XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None

A single XSS vulnerability can turn passkeys from a phishing-resistant login mechanism into a persistent account takeover backdoor. If malicious JavaS [...]

Passkeys 101: An Introduction to Passkeys and How They Work

Passwords have been the weak point in online authentication for decades. They can be reused, guessed, stolen, phished, leaked, sprayed, stuffed, and c [...]

Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive

One malicious change to a trusted JavaScript file can turn your checkout page into a silent credit-card skimmer, siphoning customer data off to crimin [...]

Under Attack: Responding to the Rise of Info-Stealer Threats

We recently received a claim that Report URI had been breached and that customer credentials had been stolen. The claim was false: we do not store pas [...]

Security considerations when using Passkeys on your website

Passkeys are awesome and that's why we implemented them on Report URI! You can read about our implementation here and get the basics on how Passkeys w [...]

Fighting an active Magecart Campaign

We’ve been tracking an active Magecart campaign targeting ecommerce sites, with payloads customised per victim and evasion logic designed to stay hidd [...]

Amazing Refresh — A Malicious Chrome Extension Running Malware in the Browser

We recently uncovered a malicious browser extension affecting visitors to customer websites. It injected JavaScript into pages, hijacked outbound clic [...]