hackerpain | 5 years ago | on: Pidgin – A Universal Chat Client
Using it since a decade, I faced bugs in the PGP encryption add on, they need to work on a lot of things to make it secure. This is my go-to Jabber client.
hackerpain's comments
hackerpain | 5 years ago | on: Linux Mint fixes screensaver bypass discovered by two kids
How does this kind of vulnerability even remain, after code reviews?
Is it hard to spot?
hackerpain | 5 years ago | on: Stealing Your Private YouTube Videos, One Frame at a Time
This bug was found by my friend. David has found many creative bugs and we worked on a project together :)
Must say a quick thinker, and he's just 17 or 18.
hackerpain | 5 years ago | on: Breaking the Google Audio ReCAPTCHA with Google's Own Speech to Text API
I think ReCaptcha has been like this since at least last 6 years. Are they copying research?
https://www.youtube.com/watch?v=_RDXtILdkV0&persist_app=1&ap...
hackerpain | 5 years ago | on: Testing a Proof of Concept of security bug
Please ignore
hackerpain | 5 years ago | on: Is Slack Going through a DDoS attack?
they haven't mentioned if an API (or, endpoint) is being DDoSed, just an incident update?
hackerpain | 5 years ago | on: Slack is down
Indeed.
hackerpain | 5 years ago | on: Ask HN: How did you turn your failed business model into a successful venture?
We spent like 12 years trying to create a medium sized business in electronics and we were at that time in an era when mobile phones were still getting popular. It was a nascent stage of refurb smartphone industry but even then it was a steep climb for us!
But there are companies operating in the same segment that started later, with VC and investor backing who rose quite fast.
hackerpain | 5 years ago | on: Ask HN: How did you turn your failed business model into a successful venture?
That's quite hard because getting established in one trade in the industry itself takes a lot of time and effort.
hackerpain | 5 years ago | on: Ask HN: How can I use my phone to create things rather than consume them?
Install code-server (https://github.com/cdr/code-server) on a server, and using it in your phone's browser to develop small web apps (works well in landscape mode with 6 -6.7 inch phones)
If you have a powerful processor and adequate RAM - you can do almost any thing that you do on desktop/pc
hackerpain | 5 years ago | on: Stealing private documents through a bug in Google Docs
I am sorry but that can ruin your career as its illegal. You can't sell or, trade vulnerabilities on live websites like Google as per the terms and conditions of the Google VRP (Responsible Disclosure policy) while it may seem unfair, its illegal to do so.
hackerpain | 5 years ago | on: Stealing private documents through a bug in Google Docs
docs.google.com didn't have X-Frame-Options: DENY nor a restrictive CSP so I think its a browser quirk (rather, a clever bypass) that works here. Also, the author had exploited a postMessage flaw which wasn't validating the host name properly that led to the cross-origin leak of screenshot data
Check this out https://youtu.be/KpkrTUHoWsQ (video about URL validation bypass and SOP)
hackerpain | 5 years ago | on: Stealing private documents through a bug in Google Docs
Google VRP team has a tradition to reward 4 figure and 5 figure amounts to match 1337 or, L33T (Leet or, Elite).
Example bounty amounts - $1337, $3133.7, $13337 and $31337
hackerpain | 5 years ago | on: Stealing private documents through a bug in Google Docs
this one technically requires some user interaction
Anyway, in the past I found a way to takeover an organization account in Google cloud acquisition and they rewarded me $100, saying their "Panel" decided that, Google's VRP panel sucks, so you're right about that.
hackerpain | 5 years ago | on: Hackers last year conducted a 'dry run' of SolarWinds breach
SolarWinds earlier said the backdoored binaries were put into their servers in March 2020, and hinted that the breach happened in 2020 but seems like the breach happened way before.
See related thread regarding the 2018 credentials leak - https://news.ycombinator.com/item?id=25442734
hackerpain | 5 years ago | on: Ask HN: How do buffer overflows still happen in spite of ASLR?
Yes but how does that work? i have heard of unexploitable overflows how does that work?
and hey: Your username tricked me.
hackerpain | 5 years ago | on: SolarWinds leaked FTP credentials through a public GitHub repo since 2018
It's not. They may have a private program, don't know.
hackerpain | 5 years ago | on: SolarWinds leaked FTP credentials through a public GitHub repo since 2018
AWS now sends emails if you commit access keys, even better they are catching loads of other sensitive info having privileged access to the GitHub API. Cool and creepy at the same time, right?
hackerpain | 5 years ago | on: SolarWinds leaked FTP credentials through a public GitHub repo since 2018
The researcher added there may be some certificates exposed in that repo which may have been used to sign the binaries. It's still a relevant update.
Especially the information that the repo was archived by Web Archive back in 2018. It's not easy to know the "who" but the how can be speculated and investigated.
hackerpain | 5 years ago | on: SolarWinds leaked FTP credentials through a public GitHub repo since 2018
It's useful but yeah a ton of false positives :)
Most common false positives appear to be the test values.
page 1