
rvnx
Joined 8,479 karma

  1. Yes, I agree, it’s a cool discovery though
  2. It is not as cool as the RPC exploit of React/Next.js where you could call any function on the server-side including “vm.sysexec” or whatever it was, but still not to be fully ignored
  3. detected: WAF caught or detected the attack and raised an alert, post-exploitation

    discovered: they audited or pentested themself and found out, preemptively

    I just mean that Coinbase didn’t see anything happening and didn’t take action though the boy successfully exploited the vulnerability on their live system.

  4. I understand your perspective about the technical value of an exploit, but I disagree with the concept that technical value = market value.

    There are unorganized buyers who may be interested if they see potential to weaponize it.

    In reality, if you want to maximize revenue, yes, you need to organize your own heist (if that's what you meant)

  5. You can also just be logged in on Discord web, so everything is accessible too
  6. Well, llmslave2 is right. If discord.com executes JavaScript to conduct user actions, and you can execute JavaScript on discord.com, you are acting on the account as if you were discord.com
  7. Seems like none of these major websites detected anything, and they are supposed to be top-notch in the world.

    It's only because the researcher contacted them.

  8. True, I just considered that once you handle a PDF with so much care, as if it were poisoned, it's perhaps better to send this poison to someone else to handle.
  9. For Coinbase docs, this is a disaster particularly
  10. There is a market outside Zerodium, it's Telegram. Finding a buyer takes time and trust, but it has definitely higher value than 4k USD because of its real-world impact, no matter if it is technically lower on the CVSS scores.
  11. Do you want to execute actions as a logged-in user on high-value website XXX?

    If yes -> very useful

  12. Finally! Free material to ingest in our LLMs (while it violates copyright, it's good for humanity as the reasoning of LLMs can lead to new discoveries and more widespread knowledge).
  13. I would not be that confident, as you can see: on their first example, they show Discord and the XSS code is directly executed on Discord.com under the logged-in account (some people actually use the web version of Discord to chat, or sign in on the website for whatever reason).

    If you have a high-value target, it is a great opportunity to use such exploits, even for single shots (it would likely not be detected anyway since it's a drop in the ocean of requests).

    Spreading it on the whole internet is not a good strategy, but for 4000 USD, being able to target a few users is a great value.

    Besides XSS, phishing has its own opportunity.

    Example: Coinbase is affected too, though on the docs subdomain, and there is 2-step, so you cannot do transactions directly, but if you just replace the content with a "Sign-in to Coinbase / Follow this documentation procedure / Download update", this can get very very profitable.

    Someone would pay 4000 USD to receive 500'000 USD back in stolen bitcoins.

    Still, purely with executing things under the user sessions there are interesting things to do.

  14. Use the PDF to JPG online services, convenient and you still get your result without having to deal with any sandbox
  15. Why would that be the maximum damage? This XSS is particularly dangerous because you are running your script on the same domain where the user is logged in, so you can pretty much do anything you want under his session.

    In addition this is widespread. It's golden for any attacker.

  16. You don't even have to go that far: in Europe, to use a large social network (50M users), and the definition is very broad (WhatsApp is a social network, Telegram, Signal, TEMU, Aliexpress, etc), all users will have to provide their ID to prove that they are not a minor, otherwise the website can be blocked or fined.

    This is to protect minors of course. Did you think about the children?

    Telegram, whether it's true or not, claims they are not a large platform (so if this is a lie, it may really pay off).

    https://sumsub.com/blog/age-verification-on-social-media/

    "WhatsApp is now a Very Large platform in the EU, and will face tougher regulation"

    https://www.theverge.com/news/614445/whatsapp-channels-very-...

  17. Not many people know about it but the world is an illusion, it is believed to be based on PS1 triangles so you have to count the edges thrice. Prove me wrong.
  18. Ah, perfect! One question: is Ticketmaster rejecting non-"Big email providers"? I suspect they do, due to bots (wouldn't it be the same with Tinder, etc?)
  19. I agree with you, and I think your reasoning is totally understandable. Just that I see additional friction, and friction in a business world is risk :/

    (side-note, with Jitsi, it feels like I have a fireplace log in the hands when I use it)

    I think Samsung rejected non-"Big Emails", but pretty sure we can find exceptions both ways.

    Fun stuff I found while searching:

    > https://transportation.ucsc.edu/buses-shuttles/dvs/
    >
    > The Disability Van Service (DVS) is a shared-ride service that provides on-campus wheelchair ramp–equipped transportation for those unable to use the regular Campus Transit system due to disability
    >
    > If you are a visitor, please use a Gmail address to complete the form or email dvs@ucsc.edu if that is not possible

    and then, the form is behind... a Google login wall
