Free Post XSS The Instructure Canvas Breach (2026): How XSS in a Support Ticket Compromised 275 Million Students A single support ticket became the front door to 275 million student records. The Canvas breach shows how quickly untrusted user content can become a serious security incident when it...
Free Post Report URI Open-Sourcing dbsc-php: a Server Library for Device Bound Session Credentials in PHP We’ve open-sourced dbsc-php, a small PHP library that makes it easier to deploy Device Bound Session Credentials and turn stolen session cookies into something far less useful....
Free Post Report URI DBSC Beta at Report URI This week, I published a blog post about Device Bound Session Credentials, a new technology that will significantly hamper the efforts of Infostealers and reduce the damage caused by stolen...
Free Post Report URI Device Bound Session Credentials: Making Stolen Cookies Useless A stolen session cookie can be vastly more powerful than a stolen password. The attacker doesn’t need to phish the user, bypass MFA, or defeat their passkey; they simply...
Free Post Report URI Open-Sourcing passkeys-php: A Security-Focused WebAuthn Library for PHP We've open-sourced passkeys-php, the WebAuthn server library we use at Report URI to protect logins with passkeys, security keys, and platform authenticators like Touch ID, Face...
Free Post XSS XSS Is Deadly for Passkeys: The Hidden Risk of Attestation A single XSS vulnerability can turn passkeys from a phishing-resistant login mechanism into a persistent account takeover backdoor. If malicious JavaScript can run on your page, it may be...
Free Post Report URI Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive One malicious change to a trusted JavaScript file can turn your checkout page into a silent credit-card skimmer, siphoning customer data off to criminals while the website looks secure...
Free Post Report URI Under Attack: Responding to the Rise of Info-Stealer Threats We recently received a claim that Report URI had been breached and that customer credentials had been stolen. The claim was false: we do not store passwords in a recoverable...
Free Post Report URI Security considerations when using Passkeys on your website Passkeys are awesome and that's why we implemented them on Report URI! You can read about our implementation here and get the basics on how Passkeys work and...
Free Post Report URI Amazing Refresh — A Malicious Chrome Extension Running Malware in the Browser We recently uncovered a malicious browser extension affecting visitors to customer websites. It injected JavaScript into pages, hijacked outbound clicks through affiliate infrastructure, and quietly monetised user traffic. We spotted...