You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Seriously, this incident raises *serious* questions about the quality of development at @yubico. It might be an isolated problem, but how did this mess slip through the cracks? Who reviewed this code? Does an entire team at Yubico think this is okay? Who hired them?
Do the same standards apply to every other team at @yubico? How do we know this isn't a pervasive problem? Are there any companywide standards on code quality? Is there even a security team dedicated to auditing stuff in general? HOW DID THIS HAPPEN?!?
Btw, someone joked about http://php.net having this as the correct solution, and, well. But "knowing better than http://php.net " is definitely a prerequisite to be in the security business writing PHP. Or just don't write PHP.https://twitter.com/marcan42/status/1089238169839489025 …
OMG IT'S STILL BROKEN. THIS IS HOW THEY'RE SANITIZING URLS FOR INSERTING INTO SQL QUERIES $ echo "<?php echo filter_var('http://inject/\'', FILTER_VALIDATE_URL);" | php http://inject/' AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Okay, get this. The fix in question? It was co-authored by 5 Yubico employees and merged (and hopefully reviewed) by a 6th. At least 6 Yubico employees do not know about prepared statements. https://github.com/Yubico/yubikey-val/pull/59/commits/d0e4db3245deb5ce0c8d7d26069c78071a140286 … I am in shock.
The source code contains a logical flaw related to user PIN verification that allows an attacker with local host privileges and/or physical proximity (NFC) to perform security operations without knowledge of the user’s PIN code. https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html …
Yeah, I know about that one. But I could see how that slips by. Now, lack of security review might also explain why they didn't catch it earlier... but it's hard to say.
Finally
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
