Scott Helme
-
Why No Passkeys? Naming the Top Sites That Still Don't Support Them
Back in 2017, Troy Hunt and I built a little website called whynohttps.com. The idea was simple: take the most popular sites on the internet, check which ones still weren't redirecting visitors to HTTPS, and put the laggards on a list for everyone to see. No lecture,
-
The Instructure Canvas Breach (2026): How XSS in a Support Ticket Compromised 275 Million Students
A single support ticket became the front door to 275 million student records. The Canvas breach shows how quickly untrusted user content can become a serious security incident when it is rendered inside privileged internal tooling. This was not an exotic attack chain; it was stored XSS, over-scoped access…
-
Open-Sourcing dbsc-php: a Server Library for Device Bound Session Credentials in PHP
We’ve open-sourced dbsc-php, a small PHP library that makes it easier to deploy Device Bound Session Credentials and turn stolen session cookies into something far less useful. It's MIT-licensed, pure-PHP, and available on Packagist now! What is DBSC? If you'd
-
DBSC Beta at Report URI
This week, I published a blog post about Device Bound Session Credentials, a new technology that will significantly hamper the efforts of Infostealers and reduce the damage caused by stolen cookies. Today, we're announcing the beta of DBSC at Report URI! Device Bound Session Credentials: You should definitely
-
Device Bound Session Credentials: Making Stolen Cookies Useless
A stolen session cookie can be vastly more powerful than a stolen password. The attacker doesn’t need to phish the user, bypass MFA, or defeat their passkey; they simply replay the cookie and step straight into a fully authenticated session. That’s why info-stealers love browser
-
Passkeys, Permissions Policy and Bug Hunting in 1Password's WebAuthn Wrapper
Passkeys are the best thing to happen to web authentication in years, but a passkey ceremony is only as secure as the stack enforcing it. The browser, the relying party, the authenticator, and any extension sitting between them all need to honour the same rules. While investigating WebAuthn behaviour…
-
Open-Sourcing passkeys-php: A Security-Focused WebAuthn Library for PHP
We've open-sourced passkeys-php, the WebAuthn server library we use at Report URI to protect logins with passkeys, security keys, and platform authenticators like Touch ID, Face ID, and Windows Hello. It started as a set of local security fixes for our own production passkeys implementation. Now,
-
XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None
A single XSS vulnerability can turn passkeys from a phishing-resistant login mechanism into a persistent account takeover backdoor. If malicious JavaScript can run on your page, it may be able to register an attacker-controlled passkey against the victim’s account. The user sees nothing, the website…
-
Passkeys 101: An Introduction to Passkeys and How They Work
Passwords have been the weak point in online authentication for decades. They can be reused, guessed, stolen, phished, leaked, sprayed, stuffed, and captured by malware. Passkeys are one of the first mainstream authentication technologies that remove many of those problems entirely, and any website still…
-
Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive
One malicious change to a trusted JavaScript file can turn your checkout page into a silent credit-card skimmer, siphoning customer data off to criminals while the website looks secure and continues to work as normal. That creates serious organisational risk: PCI exposure, regulatory consequences, reputational…
-
Under Attack: Responding to the Rise of Info-Stealer Threats
We recently received a claim that Report URI had been breached and that customer credentials had been stolen. The claim was false: we do not store passwords in a recoverable format. But the credentials themselves were real, and that made the situation more interesting. They appeared to come from info…
-
Security considerations when using Passkeys on your website
Passkeys are awesome and that's why we implemented them on Report URI! You can read about our implementation here and get the basics on how Passkeys work and why you want them. In this post, we're going to focus on what security considerations you should have
-
Fighting an active Magecart Campaign
We’ve been tracking an active Magecart campaign targeting ecommerce sites, with payloads customised per victim and evasion logic designed to stay hidden from site owners. We spotted it because we monitor what code actually executes in the browser, not just what a site is supposed to load. What
-
Amazing Refresh — A Malicious Chrome Extension Running Malware in the Browser
We recently uncovered a malicious browser extension affecting visitors to customer websites. It injected JavaScript into pages, hijacked outbound clicks through affiliate infrastructure, and quietly monetised user traffic. We spotted it not because a website was compromised, but because we monitor what…
-
Bringing in the experts; Having our Passkeys implementation Security Tested
We recently announced support for Passkeys on your Report URI account, and everyone should go and enable Passkeys for the amazing security benefits they offer. As a new implementation of an authentication technology, we wanted to be sure that everything was as secure as it should be for our customer…