Profile cover photo
Profile photo
Egor Homakov
Security consultant
Security consultant

Egor Homakov's posts

Post has attachment
New blog
New posts will be published on  and less likely here. I will probably translate some good old ones from Egor-English to English. Thanks everyone for reading this!

Post has attachment
Bitstamp problem and Warm wallets.
We are publishing an audit of Peatio exchanger soon and I've got quite a few thoughts on how to make exchangers' wallets more secure. Five. Million. Dollars. In a hot wallet. Ok, I believe it's not everything they had. It's a small part of their assets. But...

Post has attachment
Blatant CSRF in Doorkeeper, most popular OAuth2 gem
I read a post about CSRF on DigitalOcean on Habrahabr (it's in Russian O_o) by Sergey Belove . My first reaction was, obviously, HOW COME? DigitalOcean is not kind of a Rails app that would have lame "skip_before_action :verify_authenticity_token". Then I l...

Post has attachment
New Paypal gateway UI is a disaster
Hey. I decided to get a paid plan on Github and Paypal looked like a good payment option to me. Click on big blue Paypal button here . This looks and feels  really good . Lightweight elements, updated color scheme and new logo. Except one thing - how do I k...

Post has attachment
The No CAPTCHA problem
When I read about No CAPTCHA for the first time I was really excited. Did we finally find a better solution? Hashcash? Or what? Finally it's available and the blog post disappointed me a bit. Here's Wordpress registration page successfully using No CAPTCHA....

Post has attachment
Hacking file uploaders with race condition
10 months ago I wrote about a simple but powerful bug in Paperclip <=3.5.3 . Thoughtbot mentioned this problem on their blog in quite a misleading way - "a slight problem" . Considering it as an XSS only - yes, a slight problem. But as I said before we can ...

Post has attachment
Bypassing ClearClick and X-Frame-Options:Visible
I bet, you know what Clickjacking  (CJ) is. Old problem everybody's tired of hearing of. There are three types of web pages. Don't need to be shown in iframes but have no X-Frame-Options. Basically 99% or more of pages, CJ only exist due to poor design of w...

Post has attachment
Timing attack, 6.66% faster
Personally I'm not a big fan of timing attack  as I believe they are impractical for web apps (while perfectly useful in other fields). To make them useful you need to reduce latency and put your script just in front of the victim's server, send zillions of...
Wait while more posts are being loaded