Blog
Research, findings, and updates on browser extension security.

CRXcavator Alternative: Here's how it worked and what we built to replace it.
A technical look at how CRXcavator actually scored Chrome extensions, why static permission analysis stopped catching the threats that mattered, and how Am I Being Pwned reads the code instead.

We open-sourced PGP Tools - a browser extension that does PGP properly
We published an open-source PGP browser extension built on Rust/WebAssembly. Private keys stay in WASM memory, passkey unlock via WebAuthn PRF, and the full source is on GitHub.

Am I Being Pwned founder added to Belgium's CCB Wall of Fame
James Arnott, founder of Am I Being Pwned, has been recognised on the Centre for Cybersecurity Belgium's Wall of Fame for responsibly disclosing vulnerabilities through their Coordinated Vulnerability Disclosure Program.

MultiPassword CVSS 8.3 - A password manager that could leak passwords
MultiPassword, a password manager trusted by over 1 million users worldwide, leaked usernames, passwords, URLs and Time-based One-Time Passcodes (TOTP) with a low-skill attack, in specific but very co

Stylish is Back, Back again!
Stylish, a Chrome extension with over 2 million users, got called out in 2018 for exfiltrating every URL you go to, caught by Robert Heaton in this blog post. He also made a follow-up when it came back her