rats (rats@refusal.biz)'s status on Thursday, 29-Sep-2022 11:30:22 JST
rats @zero @spiral @KayFaraday @p @netdoll @MischievousTomato
> one small difference, his posts with "direct messages". everything else is exactly the same, he doesn't care about it being exploitable because he can't even fix his own code
i'll admit i haven't really dug into the code here but from my current understanding of the blockbots and what pete is doing, this doesn't sound exploitable in the same way because it's a single message sent to a single instance (or maybe it doesn't leave the instance if it's just for FSE users?)
but i'll say that i'd be interested in hearing if this is still exploitable! and a good way to make pete care would be to give him a taste of his own medicine and use it to fuck up FSE and give him a problem he needs to go fix immediately :)
> one small difference
this is my fav bug i've seen in a ctf: https://bugs.chromium.org/p/project-zero/issues/detail?id=1710
the v8 javascript engine's jit had a bug where a range of numbers didn't include a "-0" when it should've included one. who even knows what a -0 is? who cares?
not including a -0, it turns out, let people write javascript that could execute arbitrary assembly for anyone visiting the page: https://doar-e.github.io/blog/2019/01/28/introduction-to-turbofan/
small differences - if they are the exact right small difference - can matter a lot
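Added example, not part of the post above: a toy of the point in the last few lines, where a JIT's static result type for a function omits -0 and is therefore unsound, and how a differential check of the model against the real function over a handful of inputs exposes that gap. It assumes the linked report is the Math.expm1 case; the type model, its helper functions and the input list are constructed here.

```javascript
// Added example (not from the original thread). Models how a JIT's
// range/type analysis becomes unsound when its result type for a function
// omits -0, and how a differential check against real semantics finds it.
// Assumption: the linked report concerns Math.expm1, whose JIT result type
// lacked -0.

// -0 is a distinct IEEE-754 value: === cannot tell it from 0, but Object.is
// (and 1/x, which gives -Infinity) can.
function isMinusZero(x) {
  return Object.is(x, -0);
}

// A tiny model of a static "type" for a numeric result: a closed interval
// plus flags for the special values the interval notation cannot express.
function numberType(lo, hi, { nan = false, minusZero = false } = {}) {
  return { lo, hi, nan, minusZero };
}

// Does the concrete value v belong to the modelled type t?
function typeContains(t, v) {
  if (Number.isNaN(v)) return t.nan;
  if (isMinusZero(v)) return t.minusZero; // checked before the interval test
  return v >= t.lo && v <= t.hi;
}

// Differential soundness check: run the real function over sample inputs and
// collect every output the model claims is impossible.
function findUnsoundResults(fn, t, inputs) {
  return inputs
    .map((x) => ({ input: x, output: fn(x) }))
    .filter(({ output }) => !typeContains(t, output));
}

// Buggy model: expm1(x) = e^x - 1, so the result is in [-1, +Infinity] or NaN;
// the modeller forgot that expm1(-0) returns -0.
const BUGGY_EXPM1_TYPE = numberType(-1, Infinity, { nan: true, minusZero: false });
// Corrected model: the same interval with -0 admitted.
const FIXED_EXPM1_TYPE = numberType(-1, Infinity, { nan: true, minusZero: true });

// Constructed sample inputs, including the edge values a range check forgets.
const SAMPLE_INPUTS = [-1, -0, 0, 1, 1e-300, -1e-300, Infinity, -Infinity, NaN];

function demo() {
  const buggy = findUnsoundResults(Math.expm1, BUGGY_EXPM1_TYPE, SAMPLE_INPUTS);
  const fixed = findUnsoundResults(Math.expm1, FIXED_EXPM1_TYPE, SAMPLE_INPUTS);
  return { buggy, fixed }; // buggy has one witness (input -0), fixed has none
}
```

The single witness is the whole bug: the optimizer trusted a type that said "never -0", so any later code that only has to be right when that type holds was allowed to assume something false.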