Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://digitalcourage.social/users/f09fa681/statuses/113877806211998547">Lenny (f09fa681@digitalcourage.social)'s status on Thursday, 23-Jan-2025 23:43:31 JST</a><a href="https://digitalcourage.social/@f09fa681" title="f09fa681@digitalcourage.social"><img src="https://gnusocial.jp/avatar/156256-48-20230801110043.webp" width="48" height="48" alt="Lenny" style="position: absolute; left: 0; top: 0;">Lenny</a><div><a href="https://digitalcourage.social/@f09fa681/113877501183587221" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://mstdn.social/@rysiek">@rysiek</a> You all remember the WebRTC "IP leak" fiasco from back then, right? Where people could be called on some messengers and before even accepting the call, your own IP would leak to the caller? (And also Natalie Silvanovich showed everyone why it's a bad idea to start the WebRTC state machine prior to accepting a call to everyone because it's a huge attack surface - <a href="https://googleprojectzero.blogspot.com/2020/08/exploiting-android-messengers-part-1.html" rel="nofollow noreferrer">https://googleprojectzero.blogspot.com/2020/08/exploiting-android-messengers-part-1.html</a>) Pretty much everyone jumped ship back then and agreed it to be a big no no.</p><p>This attack here is pretty much the same thing without the need to even make a call. It is way more subtle and therefore even more severe IMO.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4420667#notice-8672438">In conversation</a><time datetime="2025-01-23T23:43:31+09:00" title="Thursday, 23-Jan-2025 23:43:31 JST">about a year ago</time> <span>from <span><a href="https://digitalcourage.social/@f09fa681/113877806211998547" rel="external" title="Sent from digitalcourage.social via ActivityPub">digitalcourage.social</a></span></span><a href="https://digitalcourage.social/@f09fa681/113877806211998547">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://googleprojectzero.blogspot.com/2020/08/exploiting-android-messengers-part-1.html">Exploiting Android Messengers with WebRTC: Part 1</a></h5><div></div></header><div>Posted by Natalie Silvanovich, Project Zero    This is a three-part series on exploiting messenger applications using vulnerabilities in We...</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Lenny (f09fa681@digitalcourage.social)'s status on Thursday, 23-Jan-2025 23:43:31 JSTLenny
in reply to
- Michał "rysiek" Woźniak · 🇺🇦
@rysiek You all remember the WebRTC "IP leak" fiasco from back then, right? Where people could be called on some messengers and before even accepting the call, your own IP would leak to the caller? (And also Natalie Silvanovich showed everyone why it's a bad idea to start the WebRTC state machine prior to accepting a call to everyone because it's a huge attack surface - https://googleprojectzero.blogspot.com/2020/08/exploiting-android-messengers-part-1.html) Pretty much everyone jumped ship back then and agreed it to be a big no no.
This attack here is pretty much the same thing without the need to even make a call. It is way more subtle and therefore even more severe IMO.
In conversationabout a year ago from digitalcourage.socialpermalink
Attachments
1. No result found on File_thumbnail lookup.
  Exploiting Android Messengers with WebRTC: Part 1
  Posted by Natalie Silvanovich, Project Zero This is a three-part series on exploiting messenger applications using vulnerabilities in We...

Public

Embed Notice

HTML Code

Corresponding Notice