Fuck it. #YOLO #Bluesky continues to be entirely non-responsive to the numerous security vulnerabilities I've reported to them, so I spent the evening writing up a nice README and a framework with exploit modules, and just made it all public. Have fun. https://github.com/qwell/bsky-exploits #infosec #security https://cdn.fosstodon.org/media_attachments/files/111/057/332/195/828/362/original/4abe37085dda1534.png
@86242b72 Ha! I reported the exact same thing to Twitter 4 years ago. https://shkspr.mobi/blog/2019/03/scammers-abusing-twitter-cards-via-redirects/ Wankers.
Fun bonus fact: There are two little secrets hiding in plain sight on that screenshot. 1) There are RTL character shenanigans that cause my name to wrap around my handle. 2) My handle is literally not valid. It's technically @https.s3.aws.amazon.com (😏), but they changed it in part of the system to @handle.invalid, which makes the site put in that nice ugly "⚠️Invalid Handle" text.
Ahhh, can't zap. Love seeing some infosec stuff on here finally!
@86242b72 "If I pull that off will you die?" "It would be extremely painful." "You're a big guy-" "For you." https://pl.kitsunemimi.club/media/70f997811eb65f254df98eec68c91f3de9800515645b2fa62486f0ee6bf47ee9.jpg https://pl.kitsunemimi.club/media/2ebd14bb6e0b32dc91551119f7acc124a28717e5546cfdd925db81dbbf0eed71.jpg
Paul Frazee, a developer at Bluesky, has publicly responded to somebody about this issue (...they still have not contacted me, however). I could not disagree more, but there you have it. https://cdn.fosstodon.org/media_attachments/files/111/059/897/393/846/887/original/d94425dceb2104cc.png
@86242b72 Good on ya. I so love this. As if ANYONE actually expected anything of quality from Jack “My own Twitter account got hacked” Dorsey. https://techcrunch.com/2019/08/30/someone-hacked-jack-dorseys-own-twitter-account/
@86242b72 Kinda funny to think that one of the people who hates me uses BlueSky…
@86242b72 They still think it's nothing. "We know about these. We have mitigations planned. We don’t think they’re cause for huge alarm." https://news.ycombinator.com/item?id=37517842