@reporturi profile picture
Report URI @reporturi

Client-side security to control what code actually runs on your website.

Joined April 2015
  • Tweets 610
  • Following 4
  • Followers 3,788
55 Photos and videos
We’ve open-sourced passkeys-php, the WebAuthn library we use at Report URI, to help the community deploy passkeys more easily and safely. Small. Auditable. MIT licensed. Built for real-world PHP apps. Our founder, @Scott_Helme, shared the details today: scotthelme.co.uk/open-sourci…

Open-Sourcing passkeys-php: A Security-Focused WebAuthn Library for PHP

We've open-sourced passkeys-php, the WebAuthn server library we use at Report URI to protect logins with passkeys, security keys, and platform authenticators like Touch ID, Face ID, and Windows...

scotthelme.co.uk
3
5
3,372
Report URI retweeted
Scott Helme
@Scott_Helme
May 19
I didn't realise it was so trivial for an XSS vulnerability to allow an attacker to register their passkey on your account! scotthelme.co.uk/xss-is-dead…

XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None

A single XSS vulnerability can turn passkeys from a phishing-resistant login mechanism into a persistent account takeover backdoor. If malicious JavaScript can run on your page, it may be able to...

scotthelme.co.uk
2
17
80
30,444
Great research from our founder, @Scott_Helme, on one of the hidden risks of passkeys. Passkeys reduce phishing risk, but malicious JavaScript in the browser can abuse registration flows and create persistent account takeover risk. Client-side visibility matters. scotthelme.co.uk/xss-is-dead…

XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None

A single XSS vulnerability can turn passkeys from a phishing-resistant login mechanism into a persistent account takeover backdoor. If malicious JavaScript can run on your page, it may be able to...

scotthelme.co.uk
1
11
3,684
Passkeys are becoming a major part of how we secure accounts online, but there’s still a lot of confusion about what they are, how they work, and what risks remain. Our founder, @Scott_Helme, has written a short introduction to Passkeys to set the scene before we publish some deeper technical posts this week. A simple starting point before we get into the details. scotthelme.co.uk/passkeys-10…

Passkeys 101: An Introduction to Passkeys and How They Work

Passwords have been the weak point in online authentication for decades. They can be reused, guessed, stolen, phished, leaked, sprayed, stuffed, and captured by malware. Passkeys are one of the first...

scotthelme.co.uk
1
5
789
A checkout page can look secure, work normally, and still be stealing customer payment data. In this post, @Scott_Helme breaks down a real-world JavaScript compromise where attackers modified a trusted file to skim card data directly from the browser — and why organisations need visibility into the code running in the browser. Read the post: scotthelme.co.uk/anatomy-of-…

Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive

One malicious change to a trusted JavaScript file can turn your checkout page into a silent credit-card skimmer, siphoning customer data off to criminals while the website looks secure and continues...

scotthelme.co.uk
1
4
2,644
A breach claim against Report URI turned out to be false - but the passwords were real. In his latest post, our founder @Scott_Helme explains how info-stealer malware changes the threat model, why strong password storage alone isn’t enough, and how we’ve improved account protection when compromised credentials appear in the wild. Read more: scotthelme.co.uk/under-attac…

Under Attack: Responding to the Rise of Info-Stealer Threats

We recently received a claim that Report URI had been breached and that customer credentials had been stolen. The claim was false: we do not store passwords in a recoverable format. But the credent...

scotthelme.co.uk
4
3
5
763
Q2 is off to a busy start at Report URI 🚀 Our April 2026 newsletter is now live, covering: 🔹 API and MCP endpoints now Generally Available 🔹 Audit Trail events to Webhook 🔹 Custom Fingerprints for JavaScript Integrity Monitoring 🔹 Audit Archive for JS assets 🔹 Reporting API support in @firefox 🔹 Deeper CSP inspection 🔹 Passkeys research, testing and our new whitepaper 🔹 New Threat Intelligence research Read the full update here: blog.report-uri.com/newslett…

Newsletter - Apr 2026

As we continue to push into 2026, we’ve maintained our pace of improving existing features and introducing new ones. API and MCP endpoints - now Generally Available 🤖 Our API and MCP endpoints are...

blog.report-uri.com
1
2
1,611
The @NCSC is right to push passkeys. They’re a huge step forward for authentication: phishing-resistant, no shared secret on the server, far better than passwords in many ways. But passkeys don’t make your application trustworthy after login. You still need to deal with session abuse, XSS, CSRF, malicious passkey registration, and transaction manipulation. Our founder @Scott_Helme wrote about the security considerations teams need to think about when rolling out passkeys and published a white paper: scotthelme.co.uk/security-co… #CYBERUK26

Security considerations when using Passkeys on your website

Passkeys are awesome and that's why we implemented them on Report URI! You can read about our implementation here and get the basics on how Passkeys work and why you want them. In this post, we're...

scotthelme.co.uk
1
1
4
3,541
We're at @CYBERUKevents today, booth G13, so stop by to talk about Passkeys and how we can help.
1
232
Here's a great talk at @BSidesLondon by @NCSC on the value of Passkeys and some of the remaining risks, definitely worth a watch: youtube.com/watch?v=XNotnFXF…

A Technical Evaluation Of Real-World Passkey Security: Why They’re...

Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.

youtube.com
254
Good morning Glasgow! 🏴󠁧󠁢󠁳󠁣󠁴󠁿 Come and find us at @CYBERUKevents booth G13 and see how we can show you exactly what code is running on your website. 👨‍💻 #CYBERUK26
3
1,331
The Report URI refresh is live! 💙🧡 New homepage, refreshed product case study pages, all-new social cards across the site, and more. Same mission: catching the third-party code your website is running that you don't control. ➡️ report-uri.com
4
1,687
🚨 Potentially Suspicious Domain We've detected a new pattern of external communications with antespirit\.com which was registered a few days ago! (10 Apr 2026)
3
3
1,503
🚨 Potentially Suspicious Domain We've detected a new pattern of external communications with gadstat\.com which was registered yesterday! (12 Apr 2026)
1
2
1,294
We're tracking an active Magecart campaign targeting ecommerce sites. The malware hides from admins, adapts to the platform, and changes how it steals payment data! Write-up: scotthelme.co.uk/fighting-an…

Fighting an active Magecart Campaign

We’ve been tracking an active Magecart campaign targeting ecommerce sites, with payloads customised per victim and evasion logic designed to stay hidden from site owners. We spotted it because we...

scotthelme.co.uk
1
7
2,462
We uncovered a malicious browser extension injecting JavaScript Malware into pages, hijacking clicks, and monetising user traffic right inside the browser! scotthelme.co.uk/amazing-ref…

Amazing Refresh — A Malicious Chrome Extension Running Malware in the Browser

We recently uncovered a malicious browser extension affecting visitors to customer websites. It injected JavaScript into pages, hijacked outbound clicks through affiliate infrastructure, and quietly...

scotthelme.co.uk
1
2
4,056
Our founder has just published a write-up on having our Passkeys implementation independently security tested. Auth is too important to just ship and hope for the best, so we brought in the experts! scotthelme.co.uk/bringing-in…

Bringing in the experts; Having our Passkeys implementation Security Tested

We recently announced support for Passkeys on your Report URI account, and everyone should go and enable Passkeys for the amazing security benefits they offer. As a new implementation of an authent...

scotthelme.co.uk
1
1
3
819
Report URI retweeted
Scott Helme
@Scott_Helme
Mar 30
Our March update was a big one! 😎 🤖 API and MCP Endpoints 🔑 Passkeys support 📈 Report Sampling 🛡️ Integrity Suite 📋 Audit Trail 👀 Visual updates And loads more! cc @reporturi blog.report-uri.com/newslett…

Newsletter - Mar 2026

Both January and February were big months for us at Report URI HQ, and we have continued to push forwards in March! API and MCP endpoints - beta invites! 🤖 Starting out with what has to be our most...

blog.report-uri.com
1
4
814
We’re inviting customers to join the beta for our new API and MCP integrations. Bring Report URI data into AI assistants, automations, dashboards, and custom security tooling. Want in? Details in our newsletter: blog.report-uri.com/newslett…

Newsletter - Mar 2026

Both January and February were big months for us at Report URI HQ, and we have continued to push forwards in March! API and MCP endpoints - beta invites! 🤖 Starting out with what has to be our most...

blog.report-uri.com
1
3
1,741
At the scale we operate at Report URI, “one in a billion” problems can happen every single day! In our founder's latest blog post, we share some of the challenges that come with operating Redis at scale, and what it takes to keep a high-volume telemetry pipeline fast and resilient. scotthelme.co.uk/when-one-in…

When “One in a Billion” Happens Every Day: Scaling Redis at Report URI

Something that I've come to learn as we continue to grow Report URI is that everything is easy until scale makes it hard. We're now processing so much telemetry that a "one in a billion" problem can...

scotthelme.co.uk
2
1,699
Load more