GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. abadidea (0xabad1dea@infosec.exchange)'s status on Tuesday, 13-May-2025 19:09:24 JST

    Incredible: if you voice-dictate a message about adult chuck-e-cheese alternative Dave & Busters into iMessage, it gets flagged as a potential hacking attempt by the other iMessage client and never arrives. Because the voice-to-text detects it as a known phrase with a special typography (with the "&", not "and"), but the substitution is happening at the wrong layer and so it gets encoded as a raw '&' in the message HTML rather than an '&amp;'. The other end correctly detects malformed HTML and panics.

    Presumably, you could also run into this problem with other brands such as Simon & Schuster.

    https://rambo.codes/posts/2025-05-12-cracking-the-dave-and-busters-anomaly

    Attachments

    1. Cracking The Dave & Buster’s Anomaly | Rambo Codes (rambo.codes)
      Gui Rambo writes about his coding and reverse engineering adventures.
    • Haelwenn /элвэн/ :triskell: likes this.
    • Rich Felker repeated this.
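
    The layering bug described in the post above, as an added Python example that is not part of the thread and is not Apple's code. The phrase table, the function names and the simplified XHTML wrapper are assumptions made for illustration; the real message format is not shown on this page.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Hypothetical phrase table standing in for the dictation feature that
# rewrites a spoken brand name into its special typography.
BRAND_TYPOGRAPHY = {"Dave and Busters": "Dave & Buster's"}


def apply_typography(text):
    """Replace known spoken phrases with their branded spelling."""
    for spoken, branded in BRAND_TYPOGRAPHY.items():
        text = text.replace(spoken, branded)
    return text


def build_wrong_layer(dictated):
    """Bug: the text is escaped first, then the substitution runs on the
    finished markup, so the new '&' is never escaped."""
    markup = "<html><body>" + escape(dictated) + "</body></html>"
    return apply_typography(markup)


def build_right_layer(dictated):
    """Fix: substitute on plain text, escape exactly once when serializing."""
    return "<html><body>" + escape(apply_typography(dictated)) + "</body></html>"


def receive(markup):
    """Strict receiver: malformed markup is rejected, never repaired.
    Returns the message text, or None when the markup does not parse."""
    try:
        root = ET.fromstring(markup)
    except ET.ParseError:
        return None
    return "".join(root.itertext())


if __name__ == "__main__":
    dictated = "Meet at Dave and Busters at 7"  # constructed sample input
    for build in (build_wrong_layer, build_right_layer):
        markup = build(dictated)
        print(build.__name__, "->", markup, "->", receive(markup))
```
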
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 13-May-2025 20:41:02 JST

      @0xabad1dea This is such amateur hour shit that wouldn't even be possible without things being deeply wrong at multiple layers...

    • Andrew Zonenberg (azonenberg@ioc.exchange)'s status on Tuesday, 13-May-2025 20:41:55 JST

      @0xabad1dea I used an XML-esque passphrase (something along the lines of <FooBarBaz/>) on PlentyOfFish circa 2013 because they demanded special characters even for absurdly long passphrases.

      It worked fine.

      Until my now-wife and I got serious enough I decided to delete my account. I had to type my password on the "delete account" page and for whatever reason on that page only (but not the login form or the creation page), it tripped the WAF and blocked the deletion.

      I ended up experimenting a bit and discovered that I could still *change* my password and as soon as I had a password without angle brackets in it, I was able to delete the account.

      Haelwenn /элвэн/ :triskell: likes this.
    • tom jennings (tomjennings@tldr.nettime.org)'s status on Wednesday, 14-May-2025 08:36:22 JST
      in reply to jack

      @jackeric @0xabad1dea

      Panicking on malformed payload is very last century.

      Haelwenn /элвэн/ :triskell: likes this.
    • jack (jackeric@beige.party)'s status on Wednesday, 14-May-2025 08:36:23 JST

      @0xabad1dea Input validation is so last century

    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 14-May-2025 08:38:29 JST
      in reply to tom jennings, jack

      @tomjennings @jackeric @0xabad1dea I so wish I would actually be a previous millennium thing.
GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.