Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/ryanc/statuses/111855503273600020">Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 18:25:34 JST</a><a href="https://infosec.exchange/@ryanc" title="ryanc@infosec.exchange"><img src="https://gnusocial.jp/avatar/174285-48-20231204225121.webp" width="48" height="48" alt="Ryan Castellucci :nonbinary_flag:" style="position: absolute; left: 0; top: 0;">Ryan Castellucci :nonbinary_flag:</a><div><ul><li></ul></div></section><article><p>It's been ten years, so a short story about the "gotofail" bug.</p><p>Someone came to me about a catastrophic vulnerability in Apple's TLS implementation.</p><p>I shit you not, they'd overheard someone at a bar drunkenly bragging about how they were going to sell it to a FVEY intelligence agency for six figures.</p><p>They didn't know exactly what it was, just some vague details and the key point is that it allowed use of the real certificate.</p><p>This was enough for me to find the bug (yay open source), which would go on to be known as "gotofail", and produce a working exploit in less than a day.</p><p>The details were anonymously back channelled to Apple, who released a fix.</p><p><a href="https://ioc.exchange/@matthew_d_green" rel="nofollow noreferrer">@matthew_d_green</a> posted on Twitter about it, concerned by the Apple's vague release notes.</p><p>I used a burner phone to share the details with him anonymously.</p><p>Then everyone forgot about the whole thing because heartbleed.</p><p>¯_(ツ)_/¯</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2663013#notice-5277207">In conversation</a><time datetime="2024-02-01T18:25:34+09:00" title="Thursday, 01-Feb-2024 18:25:34 JST">about a year ago</time> <span>from <span><a href="https://infosec.exchange/@ryanc/111855503273600020" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@ryanc/111855503273600020">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 18:25:34 JSTRyan Castellucci :nonbinary_flag:
- Matthew Green
It's been ten years, so a short story about the "gotofail" bug.
Someone came to me about a catastrophic vulnerability in Apple's TLS implementation.
I shit you not, they'd overheard someone at a bar drunkenly bragging about how they were going to sell it to a FVEY intelligence agency for six figures.
They didn't know exactly what it was, just some vague details and the key point is that it allowed use of the real certificate.
This was enough for me to find the bug (yay open source), which would go on to be known as "gotofail", and produce a working exploit in less than a day.
The details were anonymously back channelled to Apple, who released a fix.
@matthew_d_green posted on Twitter about it, concerned by the Apple's vague release notes.
I used a burner phone to share the details with him anonymously.
Then everyone forgot about the whole thing because heartbleed.
¯_(ツ)_/¯
In conversationabout a year ago from infosec.exchangepermalink

Public

Embed Notice

HTML Code

Corresponding Notice