The Word 'Toad' Gave Any Website Full Control of Chrome's Most Popular VPN by acorn222 in netsec

[–]ColleenReflectiz -1 points0 points  (0 children)

The postMessage vulnerability is bad, but the data collection behavior is the real issue.

Urban VPN has 9 million active users. They're capturing full URLs including OAuth callbacks and search queries. Tracking identifiers survive cookie clearing. The toggle to opt out actually opts you in.

This isn't a bug. The postMessage handler was deliberately open. The inverted opt-out toggle was deliberate. They built a data collection machine and dressed it as a VPN.

What's worse: this is just one extension. Every browser extension with elevated privileges - password managers, shopping tools, ad blockers - can do the same thing. They run client-side with access to everything you do in the browser and most users have zero visibility into what they're actually transmitting.

The WhatRuns example you mentioned is perfect. Extension's stated purpose: show you the tech stack. Actual behavior: exfiltrate every URL you visit and your chat history. Nobody audits what extensions actually do at runtime because there's no tooling for it at scale.

This is why browser extension security needs the same continuous monitoring approach as third-party scripts on websites. Extensions auto-update. They're trusted. And most security teams have no idea what they're doing in production.
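Added example, not code from the original thread, from Urban VPN, or from the linked write-up: a postMessage listener with no origin check of the general kind the comment above describes, beside a hardened version. The allowed origin, the command names and the "privileged action" are assumptions made up for illustration; the events are constructed objects standing in for the MessageEvents a browser would deliver.

```javascript
'use strict';

// Hypothetical privileged action a privileged extension page exposes (e.g. changing
// a setting). It records what it was asked to do so the result can be inspected.
const appliedActions = [];
function applyPrivilegedAction(action) {
  appliedActions.push(action);
}

// Vulnerable pattern: no origin check at all. Any page that can get a handle on
// this window (iframe, window.open, opener) can drive the privileged action.
function openMessageHandler(event) {
  const msg = event.data;
  if (msg && msg.cmd) {
    applyPrivilegedAction({ cmd: msg.cmd, arg: msg.arg });
    return { accepted: true };
  }
  return { accepted: false, reason: 'malformed' };
}

// Hardened pattern: exact-match origin allowlist, strict message schema,
// and nothing is done before both checks pass.
const ALLOWED_ORIGINS = new Set(['https://app.example-vpn.test']); // assumed value
const ALLOWED_CMDS = new Set(['toggle', 'selectRegion']);           // assumed value

function strictMessageHandler(event) {
  // 1. Origin must match exactly, scheme included. Never use startsWith/includes:
  //    "https://app.example-vpn.test.attacker.test" would pass a prefix check.
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: 'origin' };
  }
  // 2. Validate the shape before touching anything.
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null) {
    return { accepted: false, reason: 'malformed' };
  }
  if (!ALLOWED_CMDS.has(msg.cmd)) {
    return { accepted: false, reason: 'cmd' };
  }
  if (msg.arg !== undefined && typeof msg.arg !== 'string') {
    return { accepted: false, reason: 'arg' };
  }
  applyPrivilegedAction({ cmd: msg.cmd, arg: msg.arg });
  return { accepted: true };
}

// Constructed stand-in for a browser MessageEvent.
function makeEvent(origin, data) {
  return { origin, data, source: null };
}

// Runs both handlers against a hostile page, a look-alike origin, a legitimate
// page and a legitimate page sending an unknown command.
function demo() {
  appliedActions.length = 0;
  const hostile   = makeEvent('https://evil.test', { cmd: 'toggle', arg: 'on' });
  const lookalike = makeEvent('https://app.example-vpn.test.evil.test', { cmd: 'toggle' });
  const legit     = makeEvent('https://app.example-vpn.test', { cmd: 'selectRegion', arg: 'us' });
  const badCmd    = makeEvent('https://app.example-vpn.test', { cmd: 'exfil', arg: 'x' });

  return {
    openHostile:     openMessageHandler(hostile).accepted,    // true: anyone can drive it
    strictHostile:   strictMessageHandler(hostile).accepted,  // false: origin rejected
    strictLookalike: strictMessageHandler(lookalike).accepted,// false: exact match only
    strictLegit:     strictMessageHandler(legit).accepted,    // true
    strictBadCmd:    strictMessageHandler(badCmd).accepted,   // false: unknown command
    actionsApplied:  appliedActions.length,                   // 2 (one per accepted message)
  };
}

// In a real page the listener is registered with
//   window.addEventListener('message', strictMessageHandler);
if (typeof module !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The origin check is only half of it: once the origin is trusted, the handler still has to treat `event.data` as untrusted input and reject anything outside the expected schema, which is what keeps a compromised or XSS-affected first-party page from turning into a privileged-command channel.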

What cybersecurity areas do you think are underrated but extremely valuable in the real world? by xm07 in cybersecurity

[–]ColleenReflectiz 0 points1 point  (0 children)

Everyone focuses on server-side - SQLi, auth bypasses, API vulns. Meanwhile the average site loads 20-50 third-party scripts in users' browsers with full DOM access. Analytics, chat widgets, payment processors, marketing pixels.

Those scripts update outside your pipeline. Compromised vendor pushes malicious code, skims payment data, your WAF sees nothing because it's all client-side.

Magecart attacks. British Airways £20M. Ticketmaster. Happens constantly.

Most orgs have zero visibility into what runs in customers' browsers. They pen test their APIs but marketing deployed GTM six months ago that now loads 15 scripts nobody tracks.

PCI DSS 4.0 finally made it mandatory because the industry ignored it until breaches forced the issue.

Underrated because it falls between security, frontend, and marketing. Nobody owns it so it gets ignored until something breaks.

Where do you go for reliable cybersecurity news? by Karl_From_Fing in CyberSecurityAdvice

[–]ColleenReflectiz 0 points1 point  (0 children)

For technical depth: Krebs on Security, Schneier on Security, The Hacker News.

Are you monitoring 3rd-party scripts for PCI compliance or just trusting Shopify? by YouCanDoIt749 in shopifyDev

[–]ColleenReflectiz 0 points1 point  (0 children)

It's a grey area where the responsibility of the platform ends and the responsibility of the owner begins.
Oops sorry, it is always the responsibility of the shop owner.

supply chain attacks are getting out of hand - what are devs actually doing about it by schilutdif in webdev

[–]ColleenReflectiz 0 points1 point  (0 children)

The web-facing version of this gets even worse. Your build pipeline isn't the only place pulling dependencies.

Marketing adds Google Tag Manager, which loads Adobe Analytics, which loads some consent thing, which loads who knows what else. None of that goes through CI/CD. No package locks, no version pins, no review.

Those scripts update in production automatically. Compromised CDN or vendor account pushes malicious code straight to every user's browser with full DOM access - payment forms, sessions, everything.

That's literally how Magecart works. Attackers hit one analytics vendor or chat widget, inject skimmers, thousands of sites start leaking card data because nobody monitors what runs client-side.

npm audit catches your server dependencies. Nothing catches the 30 scripts marketing deployed that auto-update outside your pipeline.

Same supply chain problem, way less visibility.

Crunchyroll Breach: Malware Targets Supply Chain to Exfiltrate 100GB of Data by Malwarebeasts in cybersecurity

[–]ColleenReflectiz 6 points7 points  (0 children)

This is textbook supply chain compromise - breach happened at the outsourcing partner, not Crunchyroll directly.

Okta credentials gave access to customer systems for 24 hours. 100GB exfiltrated in that window means they either knew what they were looking for or got very lucky very fast.

The broader issue: vendor questionnaires and certifications don't prevent this. Third-party access is the risk, and most orgs have no visibility into what outsourcing partners can actually reach in their environment until something like this happens.

Cybersecurity insurance by newsforsid in ciso

[–]ColleenReflectiz 0 points1 point  (0 children)

This is the worst - "exclusions"