My Cookie

Recently I have investigated online tracking on the websites of Dutch Political Parties. Read more about that investigation here: Dutch English Included in that investigation is my request to remove the unlawfully collected personal data. Today I received a response stating that the platform is ‘unable to action a request without verifying the identity of the requester’. While that response is more than three months too late and doesn’t request any further identification, I will assist the identification effort through this blogpost....

August 18, 2021 · 1 min · Floor Terra

Politico: For Dutch election, Big Tech takes a breather

Vincent Manancourt of Politico has published an article including my research into unlawful online tracking on the websites of Dutch political parties.

March 17, 2021 · 1 min · Floor Terra

Authentication tokens gone wrong

Here is another blog about Plimus. It seems like they don’t want to communicate or fix security issues instead they continue building new features. It’s a shame that a company that handles money as a primary business doesn’t have security as a top priority. This blogpost is about a feature that I have warned Plimus about, but haven’t been able to test because a Plimus employee actively refused to give me access to this feature, even after the engineer in charge for security asked me explicitly to test and report more security problems....

March 9, 2012 · 2 min · Floor Terra

Howto crack plimus "MD5hex encryption"

It’s been a while since I have reported a few security bugs to Plimus. It took a few blogposts explaining the issues publicly before I got in contact with an engineer. I understand that making backwards incompatible changes to your customer facing API’s is not a trivial task, however the way Plimus handles these issues is just terrible. One engineer asks me for more feedback while in the same mail thread another Plimus employee demands proof I’m PCI certified and wants to know what applications I’m going to build before I get access to the test API of Plimus....

February 24, 2012 · 2 min · Floor Terra

OpenBSD disk encryption

Laptops are easy to lose or steal and you don’t want any potentially sensitive data to be stolen too. For that purpose many companies now require disk encryption. The OpenBSD softraid CRYPTO discipline has grown to be a mature piece of software and since I was long due for a fresh OpenBSD installation anyway I decided to give it a try. Let’s start with the goals: No user files should be recoverable when the laptop gets lost or stolen without knowledge of my passphrase....

December 5, 2011 · 3 min · Floor Terra

Plimus is working on issues

This morning I got a phone call from a phone number in Isreal. It was Tal, an engineer from Plimus. Tal wanted to know about the issues I had found and what solutions I had in mind. Tal also explained their plans for fixing all issues and all the issues that are involved with changing their API. I’ll be keeping an eye on Plimus to see how they are doing, but now I’m confident that someone at Plimus understands their security issues and they are working on fixing them....

June 24, 2011 · 1 min · Floor Terra

Plimus vulnerability: sharing customer password in plaintext

It’s been a while since my last post about Plimus. I have contacted Plimus multiple times since and still haven’t got any response from someone with even a basic knowledge of security. They did however visit my blog and that gave me enough information to figure out that their customer support system stores passwords in plaintext. But what I want to write about is worse. Let me start by saying that what I am going to write about is not a bug, not an unpatched piece of software and not a subtle design flaw....

June 21, 2011 · 3 min · Floor Terra

Plimus vulnerability: "Plimus uses MD5hex encryption"

In my last blogpost about Plimus I talked about the lack of SSL based security. At some point in time Plimus must have realized this and started looking for a solution. Of course, Plimus is a serious business and can’t afford to break backwards compatibility for their customers and so devised their ingenious “MD5hex encryption” technology. Let’s think back about the lack of proper use of SSL and the problems that this brings:...

June 3, 2011 · 3 min · Floor Terra

Plimus vulnerability: transmitting unencrypted customer data

Plimus Inc. is a company that handles online payments for websites. The websites don’t have to deal with all kinds of credit card companies and banks. Just create a account at Plimus and let them handle all your payments. This means Plimus has access to sensitive customer information and they should take extremely good care to protect this information. However, I will try to explain how a few mistakes from Plimus may harm the security of your webshop and the security of your customers....

June 3, 2011 · 3 min · Floor Terra

Plimus security flaws

After a few weeks of frustrating email exchange with the Plimus security people I have decided to write this blogpost to warn existing and potential customers of Plimus. The apparent lack of technical knowledge on the side of Plimus and my previous experience in their response to bug reports has given me no hope that these issues will be addressed soon. I will not give out any details yet, but will try to give some tips to reduce the risk of exposure if you’re a Plimus customer....

May 11, 2011 · 3 min · Floor Terra