vitalipom

In April 2025 a phishing campaign, targeting Gmail users has launched in a massive attack, making a malicious email look legitimate.

Foreseeing a probability of such circumstances to happen I filed a patent on an idea I had.

The issue that almost any website has is the ability to be proxied by a Man in The Middle. Means by that is that if I (Haim/Vital) now copy exactly a website, put it on my server and forward the same user actions from my site to the original site, then once the user is logged in, since it’s done via the hacker’s machine in the middle, then the attacker can keep using the victim’s session as technically it’s simply possible.

In my patent I do not let a MiTM attack a room to happen. How? Simply. Each request and response are treated like JWT! The only difference is that both parties both sign and validate the JWT. And the additional shared secret which is required by design is shared via a 3rd communication channel, via email. So that even if user’s credentials are stolen, the shared key still won’t let the attacker to fake a request.

I found a security bug that allows a phishing website to pretend to be the real website and sniff user’s credentials. It exists almost EVERYWHERE. I did my own research, experimenting on myself in some common websites whilst following up a question which I asked here on what prevents this from happening. And apparently most of the websites do not prevent such an obvious phishing use case. And not only, but I’m also up to digging a little bit more and writing my own (paid - sorry guys) tutorial on how to raise a secure and safe website on Amazon AWS with a secure login and credentials for a non tycoon average user.

It was a great journey. My patent herby goes to trash since there are non Saas solution which are utilized to defend against phishing. And I am about to start a new journey where I begin to build a secure web portal which tells its users how to build a secure web portal with their own users!

The attack I mentioned allows to present a login page using a proxy of any webpage on a non webpage’s domain. Which in turn allows either a session hijacking or credentials sniffing.

My patent suggested transferring a secret token to the user’s email box in order to create a third channel of communication whereas the attacker so or so does not have an access to the user’s email box. Nor to the 3rd Saas security service that secures the communication between the client and the attacked host with that token.

What I’ve seen that is being used instead is splitting the login into username and ON ANOTHER page password, which is defended by CORS - since once username is entered and the Next button is clicked, there is a CORS issue which arises because the fake login page is being served on the fake domain which does not have the permission to go on with the cross origin request to the next page after entering the username where password is required.

I've now consulted ChatGPT on a solution for a vulnerability which I even filed a patent for long time ago and I feel less stupid right now.

Say bank.com has SSL. Cool! Now how does Angular work? You visit angular-site.com/some/path and backend server rewrites the request to angular-site.com/index.html. You still see angular-site.com/some/path. And it works and that's how Angular servers that serve Angular apps work.

Now, what prevents bank-malicious-url.com from acting like a viewer, where it access bank.com when you visit it hence the SSL encryption/decryption is made between it and the legit bank.com, whilst malicious-bank.com url has a simple letsencrypt certificate that is showing you a not so legit green secured URL web address on the top of your web browser?

Please help! I abandoned my patent, I've been building my Angular web app and now I think that the old me was not so dumb after all. Where to proceed from now?

Csurf might be deprecated in the npm main repository, but it does not cancel the fact that this is still a great lib for CSRF Tokens in NodeJS.

While striving to find and provide a straight route path for assured security on the websites, I have come up with a Context Design Pattern for CSRF Tokens, which is very simple but might be not what you think or not what you are used to.

In the traditional approach, to defend against foreign links that target i.e. deleting your users’ profiles while clicking a link, we know that CSRF Tokens is the answer. But what happens when the links are on your website, e.g. in the HTML formatted posts or comments section?

Well, I suggested the following to Chat GPT and the machine has fallen for it!

Think of csurf lib’s cookie being sent with the string “posts-cookie-token” while in the posts or comments section along with a CSRF Tokens. The cookie is a session identifier and the CSRF must be provided along with the cookie. In order to not allow actions such as user deletion from the comments section, there is a different cookie-csrf-token pair(s) for the user profile section. Means that CSRF Token for user deletion will never resolve for the comments section.

Are there any node developers in here at those hours? Security fans? What do you think gang? I’m up to writing a security manual for the novice web developers and selling it for some cash online. WDYT?

The problem: when website has a post comments section that allows including html, attacker can post a link that utilizes clickjacking attack by posting a button that says i.e. click here! but when the user clicks it it deletes the account.

The traditional solution is validating such action by prompting with a required confirmation i.e Are you sure you want to delete the account? Or entering some text such as "delete" or the user's name.

I have a suggestion for a framework that utilizes contexts, which will defend sensitive actions more broadly and I would like to bring it up here.

What I suggest is to have context on every website section, such as comments and user's profile, so that when a logged in user is in the comments section they are only able to utilize front end's comment context. From the comments context the profile context will be invisible and the comments context is the only one that will be able to talk with the comments endpoint on the server.

Problem is solved? WDYT?

I developed a cool piece of software that helps potential users a lot and I want to expose it and bring a lot of traffic and acknowledgement before I launch it in order to stay motivated and keep going in with it once backend and frontend is done and I have a feeling that I do not succeed telling the motivation and the story of my product since I don’t have the abilities telling it interestingly enough. Why am I so boring? signmeonly.io is the name there is yet no website since no one yet even agreed to talk with me about it :( And I’m publishing everywhere info about the service.

I have a solution for hackers who sniff credentials via unencrypted headers even through SSL/TLS since they encrypt only HTTP body.

In this video I talk about signmeonly.io pre-launch.

https://youtu.be/8EjVz4wEFFo

Have you ever hesitated to start a web project just because the session id token along with the secrets is passed along the usual REST GET/POST request?

Well signmeonly intends to solve just that. With a secret that is send via email and stored in the local browser storage which is not sent anywhere, yet accessible by the website you develop, signmeonly uses the secret to encrypt a random string every time your client talks to your website.

Want to hear more? Leave your message in the comments and we - are eager to tell you everything you need.

Hi,

I have developed a solution that overcomes the risks of hijecking sessions using for example broken SSL or stealing JWT token by encrypting a line in every request differently using session key that is copied and pasted once on every browser which send via the Email.

Does anyone here need such thing? I want to offer it to newbies who hesitate from the cloud bills, using my own cloud and small could fee. I don’t have a prototype yet but considering to make one. Are you guys with me? Do you want one?