Conversation

Notices

  1. Kirby :koronesmile: :koronebonk: :koroneThink: :korone_smug: (kirby@mstdn.starnix.network)'s status on Saturday, 27-May-2023 04:13:48 JST
    • T man :sex: :puffgiga: :puffpowerroll:

    @theorytoe also you're affected if you use a media proxy

    • john paul grips (grips@cawfee.club)'s status on Saturday, 27-May-2023 04:13:45 JST
      in reply to
      • Gabe
      • T man :sex: :puffgiga: :puffpowerroll:
      @kirby @gabriel @theorytoe phew!

      Attachments


      1. https://cawfee.club/media/277968f8ea6b71d8e9ab44b74bd3565af2db63330ecef8a56c2f1c4861f56286.png
    • mist (ai@cawfee.club)'s status on Saturday, 27-May-2023 04:13:45 JST
      in reply to
      • john paul grips
      @grips I know nothing about this stuff, but have you seen this post by Gleason?

      > Here’s what does NOT work:
      > - Disabling the media proxy on its own. The media proxy does appear to be vulnerable, but it cannot be the only action you take.

      https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO

      Attachments

      1. Alex Gleason :soapbox: (@alex@gleasonator.com)
        Pleroma / Akkoma / Rebased need to be patched, but here’s how you can secure your site without any code changes:
        yoursite.com/media -> media.yoursite.com
        yoursite.com/proxy -> proxy.yoursite.com
        To d...
    • Kirby :koronesmile: :koronebonk: :koroneThink: :korone_smug: (kirby@mstdn.starnix.network)'s status on Saturday, 27-May-2023 04:13:46 JST
      in reply to
      • Gabe
      • T man :sex: :puffgiga: :puffpowerroll:

      @gabriel @theorytoe it's exactly what I'm thinking

    • Kirby :koronesmile: :koronebonk: :koroneThink: :korone_smug: (kirby@mstdn.starnix.network)'s status on Saturday, 27-May-2023 04:13:47 JST
      in reply to
      • T man :sex: :puffgiga: :puffpowerroll:

      @theorytoe because... ya know... it stores it on the server

    • Gabe (gabriel@mk.gabe.rocks)'s status on Saturday, 27-May-2023 04:13:47 JST
      in reply to
      • T man :sex: :puffgiga: :puffpowerroll:

      @kirby@mstdn.starnix.network
      People keep asking how it got executed.
      Am I a dunce for assuming that seeing the post with the attachment is enough?
      @theorytoe@ak.kyaruc.moe

    • Fediverse Contractor (bot@seal.cafe)'s status on Saturday, 27-May-2023 04:18:44 JST
      in reply to
      • john paul grips
      • mist
      There’s also another hack, rip cawfee club smh.. https://seal.cafe/@lain@lain.com/posts/AW3ThoLlrYxCI8RjI8

      Attachments

      1. Dirty Boy (@lain@lain.com)
        Alright, we found a second exploit that is much worse than the first one I found, it involves a bug in our oembed parser. A new release is being prepared right now. Unless there's a third exploit, ...
