rssed

a collection of dev rss feeds - blogroll



Scott Helme

Posts

Device Bound Session Credentials: Making Stolen Cookies Useless

A stolen session cookie can be vastly more powerful than a stolen password. The attacker doesn’t need to phish the user, bypass MFA, or defeat their p [...]

Passkeys, Permissions Policy and Bug Hunting in 1Password's WebAuthn Wrapper

Passkeys are the best thing to happen to web authentication in years, but a passkey ceremony is only as secure as the stack enforcing it. The browser, [...]

Open-Sourcing passkeys-php: A Security-Focused WebAuthn Library for PHP

We've open-sourced passkeys-php, the WebAuthn server library we use at Report URI to protect logins with passkeys, security keys, and platform authent [...]

XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None

A single XSS vulnerability can turn passkeys from a phishing-resistant login mechanism into a persistent account takeover backdoor. If malicious JavaS [...]

Passkeys 101: An Introduction to Passkeys and How They Work

Passwords have been the weak point in online authentication for decades. They can be reused, guessed, stolen, phished, leaked, sprayed, stuffed, and c [...]

Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive

One malicious change to a trusted JavaScript file can turn your checkout page into a silent credit-card skimmer, siphoning customer data off to crimin [...]

Under Attack: Responding to the Rise of Info-Stealer Threats

We recently received a claim that Report URI had been breached and that customer credentials had been stolen. The claim was false: we do not store pas [...]

Security considerations when using Passkeys on your website

Passkeys are awesome and that's why we implemented them on Report URI! You can read about our implementation here and get the basics on how Passkeys w [...]

Fighting an active Magecart Campaign

We’ve been tracking an active Magecart campaign targeting ecommerce sites, with payloads customised per victim and evasion logic designed to stay hidd [...]

Amazing Refresh — A Malicious Chrome Extension Running Malware in the Browser

We recently uncovered a malicious browser extension affecting visitors to customer websites. It injected JavaScript into pages, hijacked outbound clic [...]

Bringing in the experts; Having our Passkeys implementation Security Tested

We recently announced support for Passkeys on your Report URI account, and everyone should go and enable Passkeys for the amazing security benefits th [...]

Launching Passkeys support on Report URI! 🗝️

As we're always wanting to keep ahead in the security game, I'm happy to announce that we now support Passkeys on Report URI! Let's take a quick look [...]

When “One in a Billion” Happens Every Day: Scaling Redis at Report URI

Something that I've come to learn as we continue to grow Report URI is that everything is easy until scale makes it hard. We're now processing so much [...]

Leverage our treasure trove of Threat Intelligence data

We've been working on CSP Integrity for a little while now, and it was only announced in open beta back in September. Since then, as more of our custo [...]

XSS Ranked #1 Top Threat of 2025 by MITRE and CISA

Look who's back! After we completed 2024, XSS managed to get itself ranked as the #1 top threat of the year. I wrote about that, and at the end of the [...]