I discovered a vulnerability in content blockers with the help of a friend that could be exploited to leak users’ browsing history to the content blocker developer, contrary to Apple’s claims that this was impossible. This exploit works even on Private Browsing, and allows malicious developers to log the time you visited each site. I reported this exploit on 9/30/15, and it was fixed in iOS 9.2 and Safari 9.0.2 on 12/8/15. If your iOS version is below this, update now! A writeup follows.

Disclosure Timeline

8/25/15- I reported a bug to WebKit’s bug tracker that invalid CSS selectors such as “body{” were corrupting content blocking stylesheets

8/26/15- response from the WebKit team that there wasn’t a whole lot they could do in this case, except for better error reporting

9/30/15- I send an email to product-security@apple.com, providing a proof of concept that the lack of validation on user-supplied CSS selectors allowed content blockers to track user’s browsing history on Safari, even when the user is Private Browsing.

9/30/15- Apple responds, stating that they are looking into the issue

10/5/15- Apple WebKit developers reopen my initial bug, and submit a changeset to Webkit source that fixes the vulnerability: http://trac.webkit.org/changeset/190602

12/8/15- Apple pushes these Webkit updates to Safari on iOS 9.2 and on Safari 9.0.2. They disclose the issue, here (Safari 9.0.2): https://support.apple.com/en-us/HT205639 and here (iOS 9.2): https://support.apple.com/en-us/HT205635.

12/8/15- I publish this blog post.

Note: I develop a free, fully customizable content blocker for iOS called Refine. I’ve audited Refine’s public content blockers, and as of 12/8/15, none exercise this vulnerability. My default blockers certainly do not track user history. If you want to use the most feature-rich content blocker developed by someone who cares deeply about user privacy and security, try mine out. It is hard for me to tell whether other content blockers have been tracking user history using this exploit. Download my blocker, as I guarantee that I have not  been tracking browsing history, and will continue to help identify and disclose vulnerabilities to Apple that may jeopardize my users’ privacy.

The Writeup

Continue reading →

My free content blocker for iOS 9 called Refine is currently available on the App Store. It comes with standard adblocking, privacy blocking, and whitelisting, but the true power of Refine, and what distinguishes from other content blockers out there, is the ability to fully customize your own blockers and share them with the public.

Over the last three days since Refine was launched, 100s of custom blockers have been shared, with amazing use cases different from standard adblocking.

Here are 5 that stand out to me, and show why Refine is the only content blocker you’ll ever need.

With Refine, simply search for one of the public blockers listed below and add it to your personal blocker list with a click of a button.

Continue reading →

I’ve been building a free, fully customizable content blocker for iOS 9 called Refine and a couple of people have asked how it works. It is based on a new Safari API called content blocking that is fundamentally different to how standard adblockers like uBlock and Adblock Plus work. Although Adblock Plus has raised concerns about the limited functionality of this new paradigm, content blocking has some distinct advantages that make it better than conventional adblocking.

Download Refine now for free on the App Store!

If you’re interested in learning more about Refine, read my blog post that highlights its features. Follow @RefineApp to receive updates about my app, or to ask me questions about this post/the app!

Here are 4 reasons why Safari Content Blockers beat standard adblockers. Continue reading →

I’ve been working on Refine, a free content blocking extension for iOS 9, and want to share some screenshots/preview its features.

Refine is now released on the App Store! Download it now.

Refine hides/prevents ads from appearing when browsing Safari on your iPhone/iPad, and allows customization/sharing for more expansive content blocking, such as preventing cookies on all websites, or using the Internet in html and css only mode for a clean and super-fast experience.

Follow @RefineApp on Twitter for updates on the app, or to ask me questions!

Continue reading →

A little knowledge about cameras/optics will be useful to understand the post; I tried to include supplementary links where helpful.

This past year, I worked on a project for a Computer Vision class to construct depth maps from a scene using a stationary camera by changing aperture and focus only, via a Monte Carlo method. This a writeup of my work; comment below to discuss/ask questions!

Images borrowed from a paper by Jacobs et al. The goal of this project was to take a scene (shown left) and construct a depth map (shown right). For this project, I was interested in creating relative depth maps (where a pixel is darker/lighter if it is closer to the camera than another pixel) as opposed to an absolute depth map (where the intensity of a pixel is proportional to its distance from the camera).

Continue reading →

Venmo is a payment system designed for mobile devices that makes it easy to pay or transfer money over to friends (venmo.com).

Venmo’s currently having a promotion on moneytree.venmo.com where they’re giving 1 million dollars in total to new Venmo users who play their game. The game is pretty self-explanatory: you have 10 seconds to click on leaves falling from the “money tree”, each green leaf clicked gets you 10 cents and each blue leaf clicked gets you 20 cents.

After you’re done, you can share the game with friends to continue playing or collect your winnings (if you’re a new visitor) by giving Venmo your phone number and installing the Venmo app:

I noticed that the game was created with Javascript and not Flash, so I thought that I could hike up my game score pretty easily by changing the javascript in the page. Chrome Developer Tools makes it pretty easy to do this by allowing you to live-edit javascript of a page and see its results in the browser (which is really cool), so I tried a little proof-of-concept to see what I could do with Venmo’s game.

Learning to program is difficult: 30-60% of students in university introductory programming courses fail. This is associated with a belief that only students with a natural “aptitude” or talent for programming are able to truly succeed in learning to program, while students without this aptitude are doomed for failure or at best mediocrity in programming. Although studies have shown that this programming achievement gap based on natural talent does exist in introductory courses, recent work has pointed towards pair programming as a possible solution for helping bridge this gap.

Just a disclaimer before I start:

I am not in any way condemning the RIAA (Recording Industry Association of America) for what they did or claiming that in some way they “wronged” me; they had the right to send me a cease-and-desist and I immediately complied. I’m simply telling my story about how my website/apps with 15 million hits a month got shut down, which others may find interesting.

The story