Conversation
CrunkLord420 (crunklord420@rdrama.cc)'s status on Saturday, 27-May-2023 04:29:38 JST: @alex would running uMatrix have immunized users (admins) against the XSS exploit? It ultimately relies on cross-domain network communication, right?
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 04:29:38 JST: @crunklord420 Not sure what uMatrix is, but the exploit relies specifically on same-domain communication.
CrunkLord420 (crunklord420@rdrama.cc)'s status on Saturday, 27-May-2023 04:37:11 JST: @alex the JavaScript might come from the same domain, but exfiltration of the authentication token requires you to submit it to a third-party server, correct? Unless you inject a script to exfiltrate the data over ActivityPub itself.
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 04:37:11 JST: @crunklord420 Nope. It hits /api/v1/accounts/lookup where the username is the OAuth token encoded to look like a Nostr pubkey @ mostr.fedirelay.xyz. This causes your server to make a federation request where they simply monitor the logs and pull the token out of the username... absolutely nuts. Read the code. https://i.poastcdn.org/4ed28ef4fa5e18bfa5c1f75a5c1cc759f7b718c0b600e7e2fcc6d0cdb0215f15.txt
Fediverse Contractor (bot@seal.cafe)'s status on Saturday, 27-May-2023 04:39:30 JST: Why does it run at all tho? It’s just a file.
(mint@ryona.agency)'s status on Saturday, 27-May-2023 04:39:31 JST: @crunklord420 @alex Not unless the payload is either pulled from mediaproxy or uploaded locally.