HackerTrans
TopNewTrendsCommentsPastAskShowJobs

iancarroll

3,377 karmajoined 13 lat temu
ian[@]ian[.]sh, seats.aero

Submissions

Backstage access: an unauthenticated SQL injection in Front Gate Tickets

ian.sh
3 points·by iancarroll·10 dni temu·0 comments

comments

iancarroll
·6 dni temu·discuss
In Shenzhen, they told me that I can take the full test on any visa if my permitted length of stay is 90 days or more. Supposedly the US embassies now issue 90 day visas for Americans, so I am hoping to try that route soon as I have already been through two temporary licenses...
iancarroll
·6 dni temu·discuss
Surprised to see this here but happy to answer any questions! Driving across China and getting to use the latest EVs has been quite fun and I hope to do it even more in the future.
iancarroll
·19 dni temu·discuss
Most apps (on desktop or mobile) open third party auth flows inside the user's default browser, which makes this a non-issue. For one, if you embed the Google login flow into your app then I can't reuse my existing session in my browser. But it also exposes my full credentials to your app for no reason, which is a good thing to avoid.
iancarroll
·20 dni temu·discuss
Apps installed via the MAS have sandboxing applied to them, so this isn't really true.
iancarroll
·21 dni temu·discuss
The latest FSD does not attempt to check if your hands are on the wheel at all.
iancarroll
·21 dni temu·discuss
My Cloudflare enterprise order form has costs for overages for Workers and the following language about everything else:

> If Customer exceeds any of the Total Quantity for the Services below, Cloudflare will invoice Customer in arrears at a rate that corresponds to the rate set forth in the table after this one labeled “Excess Usage Pricing.” If no such Excess Usage Pricing table has been added by the Parties to this order form or if such table does not include the Service(s) for which Customer has exceeded the Total Quantity, then the Parties will negotiate in good faith an increase in the Fees for such Service(s). Should the Parties fail to reach an agreement on an increase within thirty (30) days of Customer’s receipt of notice from Cloudflare that Customer has exceeded its usage cap for the Service(s), Cloudflare will have the right to immediately terminate such Service for its convenience, and without liability to Customer or any third party.
iancarroll
·24 dni temu·discuss
Your whole account is undisclosed marketing for this service. Fingerprinting in this manner is highly unlikely to be viable - there are too many middleboxes at the TCP layer to try and fingerprint on it.
iancarroll
·w zeszłym miesiącu·discuss
0.5% is a pretty incredibly low interchange rate in any case. But if you are saying that half of it is going to scheme fees, I doubt it is funding rewards programs for consumers.
iancarroll
·w zeszłym miesiącu·discuss
Well, OpenAI already sold it (but kept the team), so it’s in someone else’s hands now.
iancarroll
·3 miesiące temu·discuss
I know plenty of security researchers who exclusively use Claude Code and other tools for blackbox testing against sites they don’t have the source code for. It seems like shutting down the entire product is the only safe decision here!
iancarroll
·3 miesiące temu·discuss
It’s pretty interesting to me that Cloudflare is collecting additional client-side data for individual customers. This is not widely done by most anti-bot solutions.
iancarroll
·3 miesiące temu·discuss
A bit skeptical of how this article is written as it seems to be mostly written by AI. Out of curiosity, I downloaded the app and it doesn't request location permissions anywhere, despite the claims in the article.

I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
iancarroll
·5 miesięcy temu·discuss
Verizon did manage to convince the FCC that this was enough a problem to change their settlement agreement[0] requiring more frequent unlocks. If you believe their numbers, they lost 700,000 phones to fraud in 2023, although a lot of those were probably any unlocked phone that defaulted on its payments.

[0] https://www.reuters.com/business/media-telecom/fcc-revises-v...
iancarroll
·6 miesięcy temu·discuss
That is a very old article that seems to be outdated now.
iancarroll
·6 miesięcy temu·discuss
Although I don’t like Flock, I’m a bit skeptical of the claims in the article. Most screenshots appear to be client-side JavaScript snippets, not API responses from this key.

In the bug bounty community, Google Maps API key leaks are a common false positive, because they are only used for billing purposes and don’t actually control access to any data. The article doesn’t really prove ArcGIS is any different.
iancarroll
·6 miesięcy temu·discuss
Chase issues cards on both the Visa and Mastercard network (i.e. certain cobrands and the Freedom Flex), so I doubt this was a serious consideration.
iancarroll
·7 miesięcy temu·discuss
The GFW is certainly looking for traffic to block, but it is not really going to invade much privacy, as it cannot decrypt anything using HTTPS/TLS.
iancarroll
·7 miesięcy temu·discuss
I don't think there is any reason to assume they would allow forced code execution just because they allow data residency for mainland accounts. And unfortunately, China is likely a much larger and more profitable consumer market than India - presumably they can still export phones produced inside India without this.
iancarroll
·7 miesięcy temu·discuss
Even in mainland China, where iOS does have a large amount of changes to comply with local regulations, Apple does not pre-install any apps from anyone.
iancarroll
·8 miesięcy temu·discuss
It’s great that you have coverage across multiple countries. I’ve noticed most budget apps cannot handle multiple currencies at all, much less automated sync across multiple countries.