Comment by shuckles

Comment by shuckles a year ago

5 replies

View on Hacker News

"We will let anyone run arbitrary JavaScript on all your web pages if you send them a referral link" is surely a 6-7 figure vulnerability for a web browser. That this vulnerability was discoverable using about two steps of analysis tools suggests many more issues are in the product.

rafram a year ago

Not just that - seems like it allowed running privileged JavaScript (full access to your system) on the preferences page as well.

Reply View 4 replies
  • voiceblue a year ago

    It is very strange to me that their attitude is "no one was impacted" and this is "hypothetical". Any serious company would immediately consider this to be a case where everyone was impacted! This is like coming home to the worst neighborhood on the planet to find your door wide open, and immediately putting on a blindfold so you can continue to pretend nothing's changed.

    Reply View 3 replies
    • DecoySalamander a year ago

      Since everything is stored in their DB, they supposedly can audit logs and sources for boosts themselves to confirm if anyone was actually impacted.

      Reply View 2 replies
      • voiceblue a year ago

        Can you explain? How are they able to check whether someone did a quick “in and out” keylogger or cookie extraction? I doubt they can, because I doubt they store every request (that would go against what they claim for privacy) and I also doubt their DB backup happens on such a high frequency that they could catch this (e.g. minute-to-minute).

        So…how? Are you claiming they have oodles of logs and a perfect dork* to find suspicious JavaScript? If they had the latter wouldn’t they already be using it for security?

        If you have some method that works do tell.

        * https://www.alibabacloud.com/blog/what-is-dork_600025

        Reply View 1 reply
        • Cpoll a year ago

          I don't think you're using "dorking" correctly here, since web crawlers aren't anywhere in the picture. Server log queries aren't "dorks." Besides, if you can reproduce the issue and _if_ it's somehow logged in the database, it's usually not too hard to figure out how to query for other occurrences.

          With that said, I think you're probably right. I doubt Firebase audit logs contain update contents, and based on the bug report, your "in and out" proposal is as simple as:

          firebase.collection("boosts").where("creatorID", "==", "attackers_user_id").update({"creatorId": "victims_user_id" });

          sleep(time);

          firebase.collection("boosts").where("creatorID", "==", "victims_user_id").update({"creatorId": "attackers_user_id" });

          (okay, not exactly, because this would also set the ownership of the victim's legitimate Boosts, but the actual code isn't much more difficult).

          Reply View 0 replies