Craigslist type site for domain/website asks for my selfie with identification card – Unsafe?

Flippa is a website that lets sellers of domains and websites list their properties for sale. They do not handle funds; escrow d0t com and/or PayPal handle the sales. After taking my money for the listing (250) I was able to sell my website. When it came to finishing the sale, they told me that in order to proceed to escrow d0t com I must: upload a selfie with my govt ID, scan both sides of the ID, AND also do a "liveness video." I was a bit alarmed and looked into their partner. They use a company that does KYC verification. I find it strange that Flippa, a non-financial company, is using KYC. Anyway, the company they use claims to be based out of London, which is not true; their address in London is a paid virtual business office. They are a Russian company, with Russian founders and employees. No hate on Russia, but as an American I am not comfortable uploading all this private info JUST to complete a website sale!

Is this even legal for Flippa to do? Flippa also says they store the information I sent them. I don’t like that they only ask me to complete this AFTER they have my money.

TL;DR A company that offers a listing service for domains wants my selfie with my govt ID. They use a verification service that obscures that they're based in Russia. Is this safe?

Is unicode character encoding a safe alternative for html encoding when rendering unsafe user input to html?

I am building a web application in which a third-party library is used, which transforms the user input into JSON and sends it to a controller action. In this action, we serialize the input using the standard Microsoft serializer from the System.Text.Json namespace.

using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

public async Task<IActionResult> Put([FromBody] JsonElement json)
{
    // Re-serialize the element; System.Text.Json escapes <, >, ', & and similar
    // characters as \uXXXX sequences by default
    string result = JsonSerializer.Serialize(json);
    return Ok(result);
}

However, currently the JSON is rendered back to the page within a script block using @Html.Raw(), which raised an alarm with me when I reviewed the code.

While testing if this creates an opening for script injection, I added

<script>alert("HACKED");</script> 

to the input. This input is transformed into

\u003Cscript\u003Ealert(\u0027HACKED\u0027);\u003C/script\u003E 

when serialized.

This looks fine. Rendering this to the page does not result in code execution, when I tested it.

So, is Unicode character encoding really good protection against script injection, or should I not rely on it?

Is it conceivable that the Unicode encoding is lost somewhere during processing, like when (de)serializing once more, etc.?

This seems like a question that has been asked and answered before, but I couldn’t find it.
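An added illustration of where this kind of escaping does and does not help (example code written for this page, not code from the question or from System.Text.Json). The value of `serialized` is constructed to match the output quoted in the question. The HTML parser ends a `<script>` block only at a literal `</script` sequence, so the escaped text cannot close the block; but the JavaScript engine, or any later JSON parser, turns `\u003C` back into `<`, so the moment the decoded value reaches a different sink (innerHTML, another view) it needs that sink's own encoding. The function names are chosen for the example and are not from any library.

```javascript
// 'serialized' is constructed to match the System.Text.Json output quoted in the question.
const serialized = '\\u003Cscript\\u003Ealert(\\u0027HACKED\\u0027);\\u003C/script\\u003E';

// The HTML parser terminates an inline script block at the literal text "</script".
// It knows nothing about JSON/JavaScript escapes, so this models whether a value
// dropped into a script block via @Html.Raw() can break out of that block.
function closesScriptBlock(text) {
  return /<\/script/i.test(text);
}

// The JS engine decodes \uXXXX in string literals, and JSON.parse does the same.
// This models the "(de)serializing once more" step from the question: the
// protective escaping does not survive being parsed.
function decodeJsonStringEscapes(escaped) {
  return JSON.parse('"' + escaped + '"');
}

// Encoding for the HTML context. If the decoded value is later written into
// markup, it has to be encoded for that context; the earlier JSON escaping is gone.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Summarise the three states of one serialized value:
//  - safe while it sits inside the script block as escaped text,
//  - a live tag again once decoded,
//  - safe for an HTML sink only after HTML-encoding the decoded value.
function analyze(escaped) {
  const decoded = decodeJsonStringEscapes(escaped);
  return {
    safeInsideScriptBlock: !closesScriptBlock(escaped),
    decodedClosesScriptBlock: closesScriptBlock(decoded),
    decoded,
    htmlEncoded: escapeHtml(decoded),
  };
}

console.log(analyze(serialized));
```

The takeaway for the code under review: the `\uXXXX` output is a property of one serializer's default encoder and of one sink (a JavaScript string literal inside a script block). Anything that parses the JSON again, or a serializer configured with a more relaxed encoder, yields the raw characters, so each further output context must apply its own encoding rather than trusting what arrived.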

LinkedIn connection marked unsafe

From time to time my LinkedIn connection gets marked as unsafe: no green lock next to the URL.

First, I believed this was a browser issue, but after I switched to another browser, the warning did not disappear (for now, my browsers are Opera and Chrome).

First, the connection is always safe, but once I enter the job search section and start scrolling through job offers, every now and then, although not often, the safe connection status turns into unsafe. Does anyone have an idea what may cause such a change?

Thanks for your attention.

The enclosed images further illustrate my question.


Is it really that unsafe to store passwords in a text file on my computer?

These days, we have pretty secure systems.
I have a Mac with a T2 security chip and the whole disk is encrypted via FileVault.
iPhones are known to be pretty secure, with even the FBI having a hard time breaking in.
Windows machines can be encrypted with BitLocker or VeraCrypt.
With these kinds of systems, is it really that unsafe to store passwords in a text file, for an average individual user?
Of course, if I'm operating a server or anything like that, I would definitely need better security. But I was wondering how much security an average individual user really needs.

Google’s “Cross-client identity” seems unsafe

From Google’s Cross-client identity document:

Cross-client access tokens

[…]

The effect is that if an Android app requests an access token for a particular scope, and the requesting user has already granted approval to a web application in the same project for that same scope, the user will not be asked once again to approve. […]

This seems unsafe. The server-side app is able to do a more secure form of OAuth authorization, because it can protect its client secret. An Android app’s OAuth flow is less safe, since an attacker can always decompile the binary and steal any embedded tokens.

This is the scenario I’m worried about:

  1. I register two client IDs, one for my server-side web app and one for my Android app.
  2. User X authorizes my server-side app.
  3. An attacker steals the Android app’s OAuth-related tokens.
  4. The attacker sends user X through the OAuth flow using the stolen tokens, and Google doesn’t ask for approval.
  5. The attacker now has an access token to user X’s account.

Am I misunderstanding something here?

Some input files use unchecked or unsafe operations. Clean and Build error: Netbeans

I have a problem that appeared since I started using the Render class to change the row color in my JTable in Java (NetBeans). It is not a serious error, but rather a message that appears in the console when I click Clean and Build, and it is the following:

Note: Some input files use unchecked or unsafe operations. 

Note: Recompile with -Xlint:unchecked for details.

This "error", although it lets me run my program normally on any computer, has one peculiarity: on my PC the colored rows do appear, but on the other PCs where I also run it: NO! I have tried to find an explanation in English but have not managed to find anything; any help would be useful to me. Thanks

What to do after visiting unsafe site

I'm sorry if this isn't the place to ask this, but there doesn't seem to be a web security Stack Exchange site, so this looks like the closest thing to me. If there's a better place to put this question, please let me know.

I'm using Firefox on Ubuntu and I accidentally clicked an ad that took me to an obvious scam site. There's no changed behavior on my computer, but just to be safe I'd like to know what you should do after visiting an unsafe site. Thanks

Is it unsafe to enter administrative Windows credentials when logged in as a regular user?

I was recently advised that when a user is logged in as a regular user and they need an administrator to do something (i.e. install an application), entering the administrator credentials while the regular user is still logged in puts the credentials at great risk, and that logging out as the regular user and logging in as the administrator is the recommended course of action. Is this correct?