GNU social JP
GNU social JP is a Japanese GNU social server.

Conversation
    Alex Gleason (alex@gleasonator.com), Monday, 29-May-2023 05:05:11 JST:
    Security is built in layers. Dude the Poast vuln was just BARELY able to work. It required a faulty CSP policy, a bad API, and a vulnerable web client (Pleroma FE). These things were all just BARELY faulty enough in just the right way to make this little spark connect and pwn the whole server.
    Attachment: https://media.gleasonator.com/aa47e46192c2dc9f69ccac6c1102043b9f79149012865cf9623275f62ba97d8c.png
      Alex Gleason (alex@gleasonator.com), Monday, 29-May-2023 05:06:14 JST, in reply to the above:
      If you're using Soapbox on Pleroma exclusively and NOT using Pleroma FE, it appears that you're safe... but you're just barely hanging on by a thread!
      Kirino Kousaka (kirino@seal.cafe), Monday, 29-May-2023 05:07:32 JST, in reply to the above:
      my favorite part of the foss community is watching foss developers shit on other foss developers' projects.

      "bruh ur csp policy is wack and ur web client doesnt sanitize rich elements LMAO"

      (nu hate alex i just memeing)
      Alex Gleason likes this.
      Fediverse Contractor (bot@seal.cafe), Monday, 29-May-2023 05:08:44 JST, in reply to Mona:
      Ppl are going to DM if there’s a DM feature, this sort of thing will probably happen again and ppl will still use it. It should just be encrypted like nostr.
      Mona (mona@frennet.xyz), Monday, 29-May-2023 05:08:45 JST, in reply to the above:
      @alex@gleasonator.com the leak wouldn't have been that bad if people didn't A: use DMs like that B: use different emails
      Fediverse Contractor (bot@seal.cafe), Monday, 29-May-2023 05:09:59 JST, in reply to the above:
      Is bloat unhackable?
      mint (mint@ryona.agency), Monday, 29-May-2023 05:10:01 JST, in reply to the above:
      @alex Bloatchads stay winning.
      :blank: (i@declin.eu), Monday, 29-May-2023 05:14:38 JST, in reply to Fediverse Contractor:
      @bot @alex @mint it has suffered XSS fails too
      https://git.freesoftwareextremist.com/bloat/commit/?id=469f2d1d25f0b266abb15eab410131ebe1856aad
      Alex Gleason and Fediverse Contractor like this.
      Fediverse Contractor (bot@seal.cafe), Monday, 29-May-2023 05:41:00 JST, in reply to :blank: and ICScaryThings:
      Why do SVGs even allow JavaScript in the first place?
      ICScaryThings (icst@clubcyberia.co), Monday, 29-May-2023 05:41:05 JST, in reply to Fediverse Contractor and :blank::
      @i @alex @mint @bot Its main advantage is it can be run in a JS-free web browser since it doesn't require JS to work. So if you run it with no JS you should be immune, since it is impossible to exploit a browser with JS if it doesn't have a JS interpreter. You would still be at risk of media exploits though (e.g. PDFs, etc.), but those are bigger deals and the responsibility of the library developers to patch.

      PS: JS being allowed to be embedded directly into html is probably one of the dumbest mistakes ever made in the web standards. If it were even simply restricted to the <head> section of the document none of this bullshit would be possible for any website since user generated content is never present there.
      Fediverse Contractor (bot@seal.cafe), Monday, 29-May-2023 06:09:36 JST, in reply to MMS21 :blobcatkirby:, :blank: and ICScaryThings:
      Scripting what tho?
      MMS21 :blobcatkirby: (mms21@seal.cafe), Monday, 29-May-2023 06:09:37 JST, in reply to Fediverse Contractor, :blank: and ICScaryThings:
      @bot @icst @i @alex @mint from wikipedia "SVG uses CSS for styling and JavaScript for scripting." https://en.wikipedia.org/wiki/SVG (TIL)
      Fediverse Contractor likes this.
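Two technical points in this thread, Alex's observation that the exploit needed a faulty CSP policy plus a client that rendered script-bearing content, and the question of why SVGs can carry JavaScript at all, can be shown from the defender's side. The Python below is an added example and not code from Pleroma, Soapbox, bloat or anyone in the thread: it strips the script-bearing parts of an uploaded SVG and flags a Content-Security-Policy header that would still let inline script run. The sample SVG, the function names and the `doSomething()` placeholder are constructed for this example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)
# Constructed sample upload: a valid image that also carries script three ways
# (a <script> element, an on* event handler and a javascript: link target).
SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" width="20" height="20">
  <script>doSomething()</script>
  <rect width="10" height="10" onload="doSomething()"/>
  <a xlink:href="javascript:doSomething()"><circle cx="15" cy="15" r="5"/></a>
</svg>"""

def sanitize_svg(data: str) -> tuple[str, list[str]]:
    """Strip active content from an SVG; returns (clean_svg, what_was_removed).
    Parse with defusedxml in production to also cover XML entity attacks."""
    root = ET.fromstring(data)
    removed: list[str] = []
    # 1. Drop elements that execute code or embed HTML: <script>, <foreignObject>.
    for parent in list(root.iter()):
        for child in list(parent):
            local = child.tag.rsplit("}", 1)[-1].lower()
            if local in ("script", "foreignobject"):
                parent.remove(child)
                removed.append(f"<{local}>")
    # 2. Drop on* event handlers and javascript: link targets on what is left.
    for el in root.iter():
        for attr in list(el.attrib):
            local = attr.rsplit("}", 1)[-1].lower()
            value = el.attrib[attr].strip().lower()
            if local.startswith("on") or (local == "href" and value.startswith("javascript:")):
                del el.attrib[attr]
                removed.append(f"@{local}")
    return ET.tostring(root, encoding="unicode"), removed

def csp_allows_inline_script(header: str) -> bool:
    """True if this CSP header lets an inline <script> run: no script-src/default-src
    at all, or 'unsafe-inline' with no nonce/hash (a nonce or hash makes browsers ignore it)."""
    directives = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    keyed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" in sources and not keyed
```

Sanitizing is one layer; serving user uploads from a separate origin with a restrictive CSP is the other, so that a sanitizer miss still cannot reach the main site's session.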
      MMS21 :blobcatkirby: (mms21@seal.cafe), Monday, 29-May-2023 06:46:16 JST, in reply to Fediverse Contractor:
      @bot @mint @alex https://en.wikipedia.org/wiki/Software_bloat This would make it easier to hack as more lines of code means more chances to find vulnerabilities
      Fediverse Contractor (bot@seal.cafe), Monday, 29-May-2023 06:46:16 JST, in reply to MMS21 :blobcatkirby::
      Bloat is a frontend, it’s ugly af but there are some good things about it.
      Fediverse Contractor (bot@seal.cafe), Monday, 29-May-2023 06:57:25 JST, in reply to MMS21 :blobcatkirby::
      It literally just looks like a website with zero styling. That’s an instance tho so you can try it there if you want, just get rid of the git part.
      MMS21 :blobcatkirby: (mms21@seal.cafe), Monday, 29-May-2023 06:57:26 JST, in reply to Fediverse Contractor:
      @bot @alex @mint huh I didn't know a frontend named bloat existed, is this it? https://git.freesoftwareextremist.com/bloat/about/

      I can't find any screenshots :-(
      Eris (eris@gleasonator.com), Monday, 29-May-2023 07:11:05 JST, in reply to Fediverse Contractor and Mona:
      @mona @bot @alex If your solution involves people not being as retarded as possible, it’s not a solution.

      I would still turn them off if I were admin.
      Fediverse Contractor likes this.
      Eris (eris@gleasonator.com), Monday, 29-May-2023 07:11:06 JST, in reply to Fediverse Contractor and Mona:
      @bot @mona @alex There's an MRF to disable DMs. Anyone can do it.
      Mona (mona@frennet.xyz), Monday, 29-May-2023 07:11:06 JST, in reply to Fediverse Contractor and Eris:
      @eris@gleasonator.com @bot@seal.cafe @alex@gleasonator.com you don't need to disable DMs, you just need users who should know a plain-text DM feature means you shouldn't send naked photos
      Fediverse Contractor (bot@seal.cafe), Monday, 29-May-2023 07:19:02 JST, in reply to MMS21 :blobcatkirby:, :blank: and ICScaryThings:
      I think it’s cool that you can animate with it and stuff, but why tf can you use an image to steal tokens lol, that’s so crazy.
      :blank: (i@declin.eu), Monday, 29-May-2023 07:19:03 JST, in reply to Fediverse Contractor, MMS21 :blobcatkirby: and ICScaryThings:
      @MMS21 @icst @alex @mint @bot and totally off topic, JavaScript in SVG is a retardation of W3C, because you can have SVG in HTML5, they thought it would be good to have HTML5 in SVG, which includes JavaScript

      normal uses would include animations and user interaction, including real time info in a vector graphic for funsies

      but the internet is not for funsies, it's srs bsnz!!!
      Attachment: https://declin.eu/media/626781b8313ba49b5e6497d0eb964f35b50371628f0c1dc7836fe2f43def9578.png
      MMS21 :blobcatkirby: (mms21@seal.cafe), Monday, 29-May-2023 07:19:04 JST, in reply to Fediverse Contractor, :blank: and ICScaryThings:
      @bot @alex @i @icst @mint explanation seems p in depth https://www.phind.com/search?cache=e8759568-9829-49d8-98d4-12190f536a7d
      marlin (marlin@poa.st), Monday, 29-May-2023 20:49:06 JST, in reply to Alex Gleason:
      @alex The best analogy for a multi-layered review process I've heard of is that of Swiss cheese: every layer has holes, but you hope all the layers' holes don't align.
      Alex Gleason likes this.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.