Just a lvl 27 guy from 🇫🇮 Finland. Full-stack web developer and Scrum Master by trade, but more into server-side programming, networking, and sysadmin stuff.
During the summer, I love trekking, camping, and going on long hiking adventures. Also somewhat of an avgeek and a huge Lego fanatic.
Compare your actions to releasing a 0-day exploit for a security vulnerability instead of responsibly disclosing. It doesn’t help, it just causes chaos until the people who do the actual work can figure out a solution.
This comparison is not fair at all. It’s not like the devs are unaware of this. They could start by removing the API endpoint that lists a post’s votes, but they haven’t, which means they seem to think it’s okay for the instance admins to snoop on votes if they so wish.
The website (Telegram in this case, but can be any website) adds a specifically crafted text to the clipboard and then tricks the user into pasting that text into the Windows Run dialog, which can be used to execute any command(s), basically like a command prompt.
The text the attacker places in the clipboard is actually a command to download and execute an executable file from the internet, giving the attacker remote access to the system or whatever the payload happens to be.
It’s a pretty clever trick. Perhaps MS should consider adding a warning before allowing pasting into the Run dialog or cmd for the first time. They already have this in the Edge browser console.
the malicious package was added to PyPi last year in June and has been downloaded 885 times so far.
That’s a pretty long time to go undetected. Makes you wonder how many other similar packages there currently are, yet to be discovered, in PyPi, npm and others.
Pretty sure any decent model could easily solve that anyways.
True, but often these things also track the mouse movements or touch inputs and analyse those to see if they match natural human input or not. Of course advanced AI would be able to simulate proper inputs but most bots today would fail this check.
Is it just me or does it feel that 2024 has not been a very good year in aviation safety? It seems that almost every month there’s news about some major crash or incident and then of course there was the whole fiasco with Boeing
My main issue with CVEs nowadays is that it seems one gets generated even when 99% of the use cases for the software in question are not vulnerable as the vulnerability requires a very specific configuration/circumstances/etc. to be exploitable. In large projects with lots of dependencies this adds a lot of noice and there’s a risk that actual important CVEs go unnoticed.
I remember reading an article about how we’re already able to simulate basic tastes, like sweetness and sourness, digitally. So just you wait, we might have lickable HTML elements in the future
That’s reassuring to know. What I don’t understand is why you have the
/api/v3/post/like/listroute. You say you don’t want votes to be snooped on, but then you add an endpoint that makes it very easy for instance admins to do exactly that if they choose to? Also worth pointing out that the tool linked here wouldn’t work in its current form if this route didn’t exist.