Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://hachyderm.io/users/optimant/statuses/112922200654711834">Alex Savage (optimant@hachyderm.io)'s status on Thursday, 08-Aug-2024 03:43:47 JST</a><a href="https://hachyderm.io/@optimant" title="optimant@hachyderm.io"><img src="https://gnusocial.jp/avatar/144757-48-20240807184347.webp" width="48" height="48" alt="Alex Savage" style="position: absolute; left: 0; top: 0;">Alex Savage</a><div><a href="https://infosec.exchange/@dangoodin/112922162616577153" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/174285" title="ryanc@infosec.exchange">Ryan Castellucci :nonbinary_flag:</a></li></ul></div></section><article><p><a href="https://infosec.exchange/@dangoodin">@dangoodin</a> <a href="https://infosec.exchange/@ryanc">@ryanc</a> I mean, it's a constraint for sure (e.g. the POST will be forms-encoded instead of, say, JSON like a green developer writing a service today might write code to expect) but risk will depend on the specific target. A soft target might even be susceptible to GET alone.</p><p>Car analogy: We discovered that leaving keys inside the car, even out of sight, is vulnerable because thieves can still use coat hangers to pop the locks. Non ignition-key mitigations like The Club are unaffected.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3489579#notice-6856827">In conversation</a><time datetime="2024-08-08T03:43:47+09:00" title="Thursday, 08-Aug-2024 03:43:47 JST">about 4 months ago</time> <span>from <span><a href="https://gnusocial.jp/notice/6856827" rel="external" title="Sent from gnusocial.jp via ActivityPub">gnusocial.jp</a></span></span><a href="https://gnusocial.jp/notice/6856827">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Alex Savage (optimant@hachyderm.io)'s status on Thursday, 08-Aug-2024 03:43:47 JSTAlex Savage
in reply to
- Dan Goodin
- Ryan Castellucci :nonbinary_flag:
@dangoodin @ryanc I mean, it's a constraint for sure (e.g. the POST will be forms-encoded instead of, say, JSON like a green developer writing a service today might write code to expect) but risk will depend on the specific target. A soft target might even be susceptible to GET alone.
Car analogy: We discovered that leaving keys inside the car, even out of sight, is vulnerable because thieves can still use coat hangers to pop the locks. Non ignition-key mitigations like The Club are unaffected.
In conversationabout 4 months ago from gnusocial.jppermalink

Public

Embed Notice

HTML Code

Corresponding Notice