Unrelated; I just wanted to say that I learned programming from your socket tutorials when I was a kid. Everything was so well written that I used it from highschool, to varsity to my day2day job.
Without your tutorials I’m not even sure if I would have chosen the carreer I did- thank you for all the love and effort you put into your posts; Im sure that there are many other people who you’ve touched in a similar way
At some point someone needs to take responsibility for allowing modification of environment variables via something dumb like http. Debugging interfaces are fine- we should expect more from developers.
Yeah I agree- I think the time spent verifying should vary based on the complexity and sensitivity of what you are looking at, but you never really get away from it.
I think my issue with LLMs is moreso aimed at people who wouldn’t have ever done the bare minimum verification anyway.
My main gripe is that if someone finds a vulnerability that gives you a list of urls the model falls apart. I’ve seen this happen in organisations :/
But agree with your statement here and others about the lifetime of the data - if something is sensitive or secret you want proper access controls applied, not just openssl rand -hex 8
frida is an amazing tool - it has empowered me to do things that would have otherwise took weeks or even months. This video is a little old, but the creator is also cracked https://www.youtube.com/watch?v=CLpW1tZCblo
It's supposed to be "free-IDA" and the work put in by the developers and maintainers is truly phenomenal.
EDIT: This isn't really an attack imo. If you are going to take "secrets" and shove it into a mobile app, they can't really be considered secret. I suppose it's a tradeoff - if you want to do this kind of thing client-side - the secret sauce isn't so secret.
I work in the security space and fell victim to an internal campaign as they sent a very enticing looking email at a point where I was on leave and my grandfather just passed.
You simply cannot know what mindset youll be in when you get phished :)
Edit: To clarify i was itching to work because it helps distract me from the reality that someone so dear to me was gone forever. I didnt want to cancel leave though because my output would have been absolutely turdy
Fair enough on the device compromise point, that said the implementation is still terrible and illustrates what I would be worried about-
Maybe more succinctly put, how a credential is initially enrolled, managed and finally removed is an implementation detail which leaves room for funky implementations like the above.
I do agree that it is an improvement over passwords though. Furthermore I guess the same applies to password based logins where everybody just kind of wings it anyway.
Ive also seen some pretty terrible implementations that don’t even allow end users to manage enrolled devices; so if someone steals your authenticator they have access to your account indefinitely.
Personally I like the benefits passkeys offer but some work still needs to be done around management of enrolled devices
Don’t necessarily agree that selling hacks is ethical, but if I already spent time figuring out how to exploit a system - reporting it to the relevant place is charity. Ill do that, but Im definitely not spending time trying to fix the code if the solution isn’t immediately obvious. ++ so if you have to fight to get the bug recognised in the first place
A vpn (that you trust) would certainly help a little, but in the above case the connection can still be mitmed from the vpn server to the application backend
Edit: I would for my personal devices, unless I knew the app did something horrendous in advance- but I guess the core problem is you really have no way of knowing unless you check the app yourself or there is a known and reported vulnerability.
Each extra bit of software is an additional attack surface after all