CVE-2018-1000211: Public apps can't revoke tokens in Doorkeeper
TL;DR: If a public client respects the RFC 7009 spec and does not authenticate the revocation request, then Doorkeeper does not actually revoke the access »
Software Description Doorkeeper is a Ruby gem that makes it easy to introduce OAuth 2 provider functionality to a Rails or Grape application. Depending on how »
TL;DR: Once a user successfully provides a valid OTP, that OTP can be replayed for the duration of the timestep. Upgrade to version 2.0. »
If this post is Greek to you, take a look at my Ember CLI and Content Security Policy (CSP) blog post. Earlier this month, I had »
As of Ember CLI v0.0.47 there is now built-in support for Content Security Policy in our apps! WTF is a CSP? It's a beautiful »
I had the opportunity to help my employer, FreshBooks, implement a responsible disclosure policy. As it turns out, it's very difficult to offer a PGP key »