
This android wallet has an internal browser and it incorrectly strips www. from hosts. This also affects their permission system, meaning this is the perfect bug to phish users.

They didn't answer multiple mails in 30 days, so it's being disclosed.


Go look at MetaGer, they solved that issue


They do not take security and privacy seriously


Could you elaborate? I didn't find anything in the change log that made this obvious to me.


Ha, exactly! They rarely fix bugs.

E.g., XSS / HTML injection in summarizer or discuss document. Or their broken CSP which allows injecting forms to e.g., change settings.

They haven't fixed many reported issues in a while, and just to prove I'm not lying: https://kagi.com/discussdoc?url=https%3A%2F%2Fkagi.com%2Fcha...


While it doesn't look good, it doesn't inject or execute scripts.

Still, would have liked an official take on this. I was about to re-signup but now I'll hold off on that.


Oh yes, because of the CSP. The CSP that allows forms that can change your settings... you could easily use the above bug to get some impact with an additional click on a form's submit button.

Admittedly, no full XSS anymore, but still dangerous and shows their lack of understanding and caring about security.

It's not the only place you can inject HTML and not every page has a CSP...
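As an added example (not code from the thread or from Kagi), a small Python check for the CSP gap described above: a policy with no `form-action` or `base-uri` directive leaves an injected `<form>` free to submit wherever the attacker chooses. The sample headers are constructed, not copied from any real site.

```python
"""Flag CSP headers that leave injected <form> and <base> elements unconstrained.

Added illustration; the two sample policies below are constructed.
"""
from __future__ import annotations

# Constructed samples: the first is the kind of policy that still allows
# an injected form to post anywhere, the second closes that gap.
WEAK_CSP = "default-src 'self'; script-src 'self'; object-src 'none'"
HARDENED_CSP = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "form-action 'self'; base-uri 'none'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def form_injection_findings(header: str) -> list[str]:
    """Return findings relevant to HTML injection that adds forms or <base>."""
    policy = parse_csp(header)
    findings: list[str] = []
    form_action = policy.get("form-action")
    if form_action is None:
        # form-action does NOT fall back to default-src, so omitting it
        # means an injected form may submit to any origin.
        findings.append("form-action missing: injected forms can submit to any origin")
    elif any("*" in value for value in form_action):
        findings.append("form-action contains a wildcard target")
    if policy.get("base-uri") is None:
        # An injected <base href> can retarget every relative form action.
        findings.append("base-uri missing: injected <base> can retarget relative form actions")
    # Note: form-action 'self' still lets an injected form post to the site's
    # own endpoints, so state-changing endpoints also need CSRF tokens.
    return findings


if __name__ == "__main__":
    for name, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, form_injection_findings(header) or "no findings")
```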


I don't get why they allow injection of irrelevant URL parameters in the first place; it's the first rule of any input: remove what's not used and sanitize what is.


Regarding privacy: an obvious point is that you need to log in to use the search engine, so each search is tied to a unique user. Given that payment is involved, each user can be tied to a real-world identity.


>so each search is tied to a unique user

Is it? They say searches aren't tied to account: https://help.kagi.com/kagi/privacy/privacy-protection.html#e...


The link says that they do not _log_ the searches tied to accounts, but they do receive enough information to cross reference this data.


> They do not take security and privacy seriously

Anything specific about the privacy angle?


So which search engine do you recommend that takes privacy seriously and that actually works (i.e. doesn't block me and return correct results) in Norway?


Maybe MetaGer if you can live with their quality


That was why I mentioned "return correct results".

At the moment I am aware of two search engines available to me that don't try to drive me crazy by wasting my time on irrelevant results:

- kagi.com

- and search.marginalia.nu

and the second one, while being honest and high quality, has a rather limited index.


Marginalia Search's still a bit hit and miss. Haven't really actively been working on the search result quality lately, been too busy with various chores away from the actual search end of the search engine. It's gotten a bit better, but mostly by accident, through fixing bugs that had knock-on effects on quality.

A directed effort toward unfucking query understanding and index execution is up next on the list of tasks to tackle though. Hopefully it'll make a decent impact.


Unlike Google, you still managed to not pull in irrelevant pages but instead tell the truth whenever you didn't have any results.


Still far better than all the alternatives, no?


Don't get me wrong, I do use Kagi, but it's not nearly what I wish it'd be.


The alternatives don't demand your payment details.


You can pay for Kagi using cryptocurrency if you want to pay anonymously.

The alternatives demand your data and/or let you pay an attention fee by showing you ads or irrelevant results.


Like Google? Whose entire business model is pilfering that data without asking you? And who also asks you constantly to attach a phone number to your account, etc.?


Google works in an incognito window, DDG even works over Tor.

Neither is perfect, but it's hard to do worse than "you have to be logged in with an account associated with your payment details".


Which privacy?


I don't want that?


Well, if you attack his friends, it's not okay, but if you wish death upon 'the leftists' he wouldn't say a thing, I bet.


As the article says, a single leftist saying "millionaires should be guillotined" should be taken very seriously.

But him saying <specific, named people> should "die slow" should be taken as just a joke, bro.

Hmmm.


Dude can move so many millions around I'd shit my pants if he tells me to die slow.


In such a case, my pants would be in the laundry too, but I (perhaps mistakenly) assume writing angry comments about politicians - up to and including even worse kinds of violent wishes - is kind of normal and has been forever, and nothing ever comes of it. Maybe I'm misjudging the power/prominence of Garry Tan (of whom I had never heard before today) relative to SV politicians?


oh man I didn't know I'd hate this guy :D


There's another tool like this called horcrux, which I find to be a better name personally.


=cmd|' /C calc'!A0


C is unsafe

