Responsible Disclosure: SVG injection in Three.co.uk


The website has a circle drawn on it.

Here's a quick write-up of a minor XSS (Cross-Site Scripting) vulnerability on the website of Three.co.uk - one of the UK's mobile providers. A brief recap... Most websites have a search function. If you search for something which cannot be found, the site will often say "No results found for XYZ." If we can convince the search engine to spit out HTML, we can inject malicious content into…


The Usability of Unboxing


Home Signal Box.

I review a lot of tech kit. It is amazing just how bad the consumer experience is when you have a brand-new box in your hands. It can range from something as simple as difficult-to-open packaging to the existential horror of a poorly translated manual. The first time a customer holds your product in their hands should be a moment of joy. Something to reinforce the notion that they have been wise with their…
