Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://chaos.social/users/pluto/statuses/112699560901670978">Pluto (pluto@chaos.social)'s status on Monday, 01-Jul-2024 16:33:03 JST</a><a href="https://chaos.social/@pluto" title="pluto@chaos.social"><img src="https://gnusocial.jp/avatar/182420-48-20231008182551.webp" width="48" height="48" alt="Pluto" style="position: absolute; left: 0; top: 0;">Pluto</a></section><article><p>In 2022, I discovered that this is how the Rocket.Chat Desktop apps handle invalid <a href="https://chaos.social/tags/TLS" rel="tag">#TLS</a> certificates. Pressing Enter sets the certificate as trusted, clicking "No" may present you with more and more prompts during which you cannot close the app.</p><p>Please don't press Enter in Rocket.Chat Desktop <a href="https://chaos.social/tags/zeroday" rel="tag">#zeroday</a><br>please boost!<br>Here's my responsible disclosure story (bear with me, I'm not a security researcher) 🧵</p><p><a href="https://chaos.social/tags/infosec" rel="tag">#infosec</a> <a href="https://chaos.social/tags/opensource" rel="tag">#opensource</a> <a href="https://chaos.social/tags/security" rel="tag">#security</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3314940#notice-6531398">In conversation</a><time datetime="2024-07-01T16:33:03+09:00" title="Monday, 01-Jul-2024 16:33:03 JST">about 5 months ago</time> <span>from <span><a href="https://chaos.social/@pluto/112699560901670978" rel="external" title="Sent from chaos.social via ActivityPub">chaos.social</a></span></span><a href="https://chaos.social/@pluto/112699560901670978">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/2852195">A screenshot of the Rocket.Chat Windows app littered with dialogs each saying: "Do you trust certificate from 'your boss'?", the default answer is "Yes".</a></label><br><a href="https://assets.chaos.social/media_attachments/files/112/699/769/299/206/898/original/fb720cdad84e8224.png" rel="external">https://assets.chaos.social/media_attachments/files/112/699/769/299/206/898/original/fb720cdad84e8224.png</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Pluto (pluto@chaos.social)'s status on Monday, 01-Jul-2024 16:33:03 JST Pluto
In 2022, I discovered that this is how the Rocket.Chat Desktop apps handle invalid #TLS certificates. Pressing Enter sets the certificate as trusted, clicking "No" may present you with more and more prompts during which you cannot close the app.
Please don't press Enter in Rocket.Chat Desktop #zeroday
please boost!
Here's my responsible disclosure story (bear with me, I'm not a security researcher) 🧵
#infosec #opensource #security
In conversationabout 5 months ago from chaos.socialpermalink
Attachments
1. A screenshot of the Rocket.Chat Windows app littered with dialogs each saying: "Do you trust certificate from 'your boss'?", the default answer is "Yes".
  https://assets.chaos.social/media_attachments/files/112/699/769/299/206/898/original/fb720cdad84e8224.png

Public

Embed Notice

HTML Code

Corresponding Notice