Kevin Froman's blog

Blog on security, programming, & other musings

For new technical posts see

Preventing Arbitrary Code Execution in Python3.8 With Auditing

In Python 3.8+, support for system auditing hooks was added. System auditing uses two main functions:

sys.addaudithook: accepts a callable to execute when auditing events are raised anywhere in the current Python interpreter.

Bitcoin Shoplifting: Hacking Openbazaar 1.0

As part of my research into P2P software, I decided to give OpenBazaar (1.0) a quick look over to see if I could catch any security issues. (This was not an audit, just a short examination).

OpenBazaar Logo

One of the first places I checked for security flaws was OpenBazaar's back-end API server (which comes with the desktop client), which uses HTTP. I examined the API server for CSRF issues, because in my experience other native software that uses web technologies suffer from them.


Tls Key Reuse On Popular Router Models

Recently I have been researching security of consumer Internet and WiFi routers.

I knew that key reuse was an issue in device firmware, but the issue is more widespread in routers than I would have guessed. Default & current (at time of writing) versions of firmware for most if not all Netgear, Linksys, and perhaps other router brands reuse TLS keys for their web management interface.

TLS for remote router management is already 'broken' since certificates are not usually valid, and few users understand how to manually verify certificate fingerprints. Even if users verify fingerprints, they will have a false sense of security since reused TLS keys provide zero protection, while still appearing to be secure.


Hijacking Domains And Servers, a popular domain registrar and hosting provider used by somewhat high profile organizations, such as the EFF and Free Software Foundation, had an XSS vulnerability on its main domain name (

This also happens to be where domain DNS settings are managed, along with other account settings and server hosting.


Zeronet: Death By Svg

An often overlooked feature of SVGs is their ability to have embedded scripts, like HTML pages.

When displayed in an <img> tag, SVGs are not permitted to execute scripts, however, when they are viewed directly, they are.


Creating Minecraft Plugins In Any Programming Language

This is a bit of a different post from what I usually write about, but hopefully those who are interested in programming, Linux, or Minecraft will enjoy it.

Despite being a building game, Minecraft is often praised for its circuitry features and mods that allow people to learn and apply computer science principles while having fun in the game.


Using Caddy To Create a Secure Socket Server


Telnet wasn't all bad. Simple socket servers are handy for debugging or remote access purposes, but sadly telnet is insecure, having no encryption. SSH is a viable alternative, but it is a little bloated and is different on various platforms.


Timebleed Breaking Privacy With a Simple Timing Attack

TimeBleed: Simple Attack, Serious Issue

TimeBleed logo


Tracking Ipfs Users Via Cache Probing


IPFS is a distributed file system network that uses hashes to lookup, verify, and track content.


Pwning Freenet With Clickjacking


Freenet is an open-source, distributed, and decentralized file storage network.


Pwning Qbittorrent With XSS


qBittorrent and uTorrent are both popular torrent clients with fairly similar features. For example, both have an included web interface.

This post will focus on qBittorrent, since it is open source & has fixed the issues mentioned below.


How a Random Github Repo Led To a Shell Access Google Dork

Developers often publicly release code that is barely tested, or meant for personal reasons, such as quick scripts or weekend experiments.

Often times they assume that no one will have any interest, only to later discover dozens, perhaps hundreds of stars and users.


Exploiting I2P 3

This is part 3 in my series of exploits in I2P/related software, I recommend reading the 1st and 2nd posts first.

As I continued testing I2P software, I have discovered the most severe vulnerability yet, once again within I2P-Bote, a distributed email system for I2P.


Exploiting I2P Bote


I2P-Bote is an experimental anonymous decentralized “email” system that is distributed as a plugin for I2P.


Stealing Your I2P Email


I2P, is an anonymous network somewhat similar to Tor, but without clear-net access.


Exploiting Window.opener

The Problem

One of the most common security oversights in web development is using target='_blank' on links, or in JavaScript for 3rd party links.


Do Not Trust X Forwarded For

What Is X-Forwarded-For?

X-Forwarded-For and similar headers are not official, but they are the de-facto standard client HTTP request header for non-transparent proxies. It is usually sent in HTTP requests.


How I Could Have Compromised MIT App Inventor

Not Just a Learning Tool

MIT App Inventor is primarily an educational block-based programming tool used to introduce young people to programming and app design, using a web interface and companion app for live testing.