Instead of just generating a patch (copilot style), it generates the patch, applies the patch, runs the code, and then iterates based on the execution output.
Square | AppSec, vulnerability discovery, pen testing | Remote in North America
We're hiring people to find vulnerabilities in Square products and services! The team is brand-new with lots of opportunity to choose the type of AppSec work you want to focus on. Fully remote is an option. There are more details here: https://smrtr.io/6T58-
We're also hiring for lots of other security roles. Please feel free to email me: dhintz@squareup.com
I know about that post from 2013 and I still don't agree.
Just like I don't agree with how Google implemented AMP, making google.com a link redirector that didn't exist before and was actually used in the fishing campaign, specifically:
> Yes, we're pushing the notification to a new tab (which can't be blocked or interfered with)
We went through a similar iteration with Password Alert. If you're setting focus on the new tab, an onBlur event could indicate that the current page has lost focus, perhaps due to the warning tab. I think notifying the user is still net-positive for the user's security.
Interesting, I hadn't heard of Password Alert -- we should definitely share notes if you're open to it -- I'd love to be able to generalize what we're doing to other domains if we could -- it's unfortunately cpu intense how we're doing it.
Before Chrome implemented isTrusted, it was a bit more tricky and we had to rely on a variety of attributes that did not have as much of a security guarantee.
Thanks for the helpful explanation! Those seem like fair mitigations.
Reading more on it, though, since isTrusted can apparently be spoofed, it looks like the main obstacles are the (2) rate-limiting and the (3) intentional collisions.
For (2), I suspect typical users would have a memorizable master password that's more susceptible to brute forcing, but of course it depends on the actual rate limit and how long you can keep the script running. Alternatively, I suppose a malicious script could overwhelm the rate limit so that the user wouldn't receive a legitimate warning.
For (3), I wonder whether LastPass has a similar mitigation? From what I understand, they don't store the actual password, so all you would need is a matching hash.
I'd be interested to know more details about LastPass's protections.
isTrusted cannot be spoofed in this situation, which is its intended use in Chrome. A Chrome extension in the isolated world is receiving events from the main world and checking isTrusted for those events.
Thanks for the clarification. I assume the spoofability applies only to JS in the main world then? And extensions can receive the event before a script has a chance to fiddle with it?
Sorry for the questions, just trying to figure out how this all works, and Googling doesn't give me a clear answer.
git clone a repo
Open goose with that directory
Instruct it to discover what the repo does
Ask it to make changes to the code, being detailed with my instructions.
I haven't tried computerController, only Goose’s main functionality.