Readit News
hackermondev commented on We pwned X, Vercel, Cursor, and Discord through a supply-chain attack   gist.github.com/hackermon... · Posted by u/hackermondev
jdsleppy · 2 months ago
Doesn't stealing the cookies/token require a non-HTTP-only session cookie or a token in localStorage? Do you know that Discord puts their secrets in one of those insecure places, or was it just a guess?

I believe if you always keep session cookies in secure, HTTP-only cookies, then you are more resilient to this attack.

I interviewed frontend devs last year and was shocked how few knew about this stuff.

hackermondev · 2 months ago
Discord puts the authentication token in local storage
hackermondev commented on We pwned X, Vercel, Cursor, and Discord through a supply-chain attack   gist.github.com/hackermon... · Posted by u/hackermondev
rainonmoon · 2 months ago
Nice! So the Cookie is accessible by JavaScript on all of those sites? That would be pretty surprising given the prevalence of HttpOnly, so that doesn't seem clear to me at all. And they're all using Cookie-based auth, you think? You're a bug bounty hunter so I'll defer to your wisdom, but doesn't it seem more likely that an account takeover would be possible via a state-changing request from the user's existing session? Let's say they can abuse it to reset the user's password. Nice, that's an account takeover... for every user not using MFA. But then there are anti-CSRF mitigations. Okay, not insurmountable with an XSS, but implemented differently everywhere. And what if the auth domains are separate from the domain on which the XSS is triggered? Man, this seems to get less clear by the minute. Please clear this up for me.
hackermondev · 2 months ago
The impact varied by customer. In Discord's case, the auth token is stored in local storage and their docs are hosted on the primary domain; they were susceptible to a full account takeover. X's docs are on a different subdomain, but we found a CSRF attack that could facilitate a full account takeover. Most companies were significantly affected in one way or another.
hackermondev commented on We pwned X, Vercel, Cursor, and Discord through a supply-chain attack   gist.github.com/hackermon... · Posted by u/hackermondev
rainonmoon · 2 months ago
You're pretty much on the money. Reflected XSS requires social engineering to really target anyone without other primitives. Unfortunately this report is not very clear about the tangible impacts or limitations of what they could do with this particular XSS either. Saying that every Mintlify customer was "vulnerable to account takeover with a single malicious link" strikes me as specious to say the least. Still, can't fault kids for getting excited about recognition and a payout.
hackermondev · 2 months ago
IMO, the impact is pretty clear here. An unsuspecting user clicks on (or is redirected to) one of these malicious links on the platform (e.g. Vercel); the script grabs their cookie and credentials and sends them to the attacker. They now have full access to the victim's account.
hackermondev commented on Show HN: Rust macro utility for batching expensive async operations   github.com/hackermondev/b... · Posted by u/hackermondev
bombela · 6 months ago
Need to explain in the readme what it does, and what for.

Why would I need such an abstraction? What is the cost?

Why is that any better than calling the function with a single argument in the first place?

I assume here it is maintaining a vector of futures and a sibling vector of input values. And when this vector reaches the window size or something like that, it calls the original function, which must return a vector of results, which are then used to resolve the futures.

hackermondev · 6 months ago
Thanks for the feedback, I've updated the README!
hackermondev commented on Show HN: Rust macro utility for batching expensive async operations   github.com/hackermondev/b... · Posted by u/hackermondev
luckystarr · 6 months ago
The API is great. Will definitely try it out. I have a use case already. How difficult would it be to extend this to support timed flushes? Like, every 200ms or so, regardless of the fill of the buffer?
hackermondev · 6 months ago
That's what the `window` option does (https://github.com/hackermondev/batched?tab=readme-ov-file#b...). After the first item is added to the buffer, it waits for the maximum window time, then calls the inner function with the buffer fill.
hackermondev commented on Show HN: Rust macro utility for batching expensive async operations   github.com/hackermondev/b... · Posted by u/hackermondev
catlifeonmars · 6 months ago
Are window sizes dynamic, or do they need to be specified at build time?
hackermondev · 6 months ago
Need to be specified at build time, but you can set a dynamic window length based on the current buffer length. https://github.com/hackermondev/batched?tab=readme-ov-file#b...
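The mechanism sketched in this thread (a buffer of inputs with a sibling list of pending futures, flushed by one call to the inner function when the buffer fills or when the window that started with the first item expires, with an optional window length computed from the current buffer length) is shown below as an added example in plain JavaScript. It is written for this page and is not the batched crate's code; the crate is Rust, and its macro, option names and exact window semantics are not reproduced here. The `bulkLookup` inner function and the `maxSize`/`window` option names are constructed for the example.

```javascript
// Added example, not the batched crate's own code. `inner` receives the whole
// buffer in one call and must return one result per input, in order.
// `window` is a number of milliseconds or a function of the current buffer
// length (a constructed form of the dynamic-window idea from the thread).
function createBatcher(inner, { maxSize = 10, window: windowOpt = 50 } = {}) {
  let inputs = [];       // pending arguments, in arrival order
  let resolvers = [];    // sibling array of { resolve, reject }, same indices
  let timer = null;
  let firstAt = 0;       // when the current buffer received its first item
  const batches = [];    // size of every flushed batch, for inspection

  function flush() {
    if (timer !== null) { clearTimeout(timer); timer = null; }
    if (inputs.length === 0) return;
    const batchInputs = inputs;
    const batchResolvers = resolvers;
    inputs = [];
    resolvers = [];
    batches.push(batchInputs.length);
    let result;
    try {
      result = inner(batchInputs);   // one call for the whole batch, sync or async
    } catch (err) {
      batchResolvers.forEach((r) => r.reject(err));
      return;
    }
    Promise.resolve(result).then((results) => {
      if (!Array.isArray(results) || results.length !== batchInputs.length) {
        throw new Error(`inner must return ${batchInputs.length} results`);
      }
      batchResolvers.forEach((r, i) => r.resolve(results[i]));  // resolve futures in order
    }).catch((err) => batchResolvers.forEach((r) => r.reject(err)));
  }

  // (Re)arm the flush timer. The window is measured from the first item in the
  // buffer, so a dynamic window that shrinks as the buffer grows flushes sooner.
  function armTimer() {
    const now = Date.now();
    if (inputs.length === 1) firstAt = now;
    const windowMs = typeof windowOpt === 'function' ? windowOpt(inputs.length) : windowOpt;
    const remaining = Math.max(0, firstAt + windowMs - now);
    if (timer !== null) clearTimeout(timer);
    timer = setTimeout(flush, remaining);
  }

  function add(input) {
    return new Promise((resolve, reject) => {
      inputs.push(input);
      resolvers.push({ resolve, reject });
      if (inputs.length >= maxSize) {
        flush();                                        // size limit reached: flush now
      } else if (timer === null || typeof windowOpt === 'function') {
        armTimer();                                     // first item, or dynamic window
      }
    });
  }

  return { add, flush, batches };
}

// Constructed stand-in for an expensive bulk operation (e.g. one database
// query for many ids). It is called once per batch, not once per add().
function bulkLookup(ids) {
  return ids.map((id) => ({ id, name: `user-${id}` }));
}

// Up to 3 ids per call; otherwise flush 20 ms after the first id arrives,
// or immediately once 2 or more are waiting (dynamic window).
const lookupUser = createBatcher(bulkLookup, {
  maxSize: 3,
  window: (len) => (len >= 2 ? 0 : 20),
});

module.exports = { createBatcher, bulkLookup, lookupUser };
```

Callers use `lookupUser.add(id)` exactly as they would call `bulkLookup([id])[0]`, and the batcher decides how many concurrent calls share one underlying operation. Note that a size-triggered flush runs `inner` synchronously inside `add()`, while a window-triggered flush runs from the timer; both deliver results through the per-input promises, so the caller never sees the difference.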
hackermondev commented on GCP Outage   status.cloud.google.com/... · Posted by u/thanhhaimai
alexcroox · 8 months ago
Cloudflare KV is also having an outage. I wonder who is reliant on who here.
hackermondev · 8 months ago
seriously doubt Google Cloud is relying on Cloudflare KV lol
hackermondev commented on 0-click deanonymization attack targeting Signal, Discord, other platforms   gist.github.com/hackermon... · Posted by u/hackermondev
some_furry · a year ago
Ah, that's true. They even have HackerOne activity from 8 years ago: https://hackerone.com/daniel/hacktivity?type=user

So either they lied about their age then in order to join social media and they're some sort of child prodigy... or they're lying now.

hackermondev · a year ago
That's a HackerOne bug; that 8-year-old report is not mine :)

u/hackermondev

Karma: 1107
Cake day: June 7, 2021
About: breaking stuff https://hackerone.com/daniel