Comment by ARandomerDude a year ago
I'm amazed by how profoundly stupid this vulnerability is. To get arbitrary code execution, you literally just send somebody else's user ID, which is fairly trivial to obtain.
I don't work at FAANG. I just work at some company that makes crap products you don't actually need, and even I would never build this kind of bug.
But these people want to build a web browser, with all the security expertise and moral duty that implies?! Wow.
Can you explain how you could get someone else's user id? I get that this is still a big vulnerability but am trying to understand how that would happen.