From report to disclosed in 20 minutes

https://hackerone.com/reports/3419617

curl disclosed on HackerOne: Hash exposed in public repository

An image hash is publicly exposed on Github
Steps to reproduce: See at >> https://github.com/curl/curl/blob/master/Dockerfile
Solution:
# If you want to keep the hash, the repository should be private
# Use official tags without specific hashes or environment variables
Best, @skymander
## Impact
An attacker can use this hash to:
* View known vulnerabilities
* View your deployment...

@bagder you have so much more patience than I would.
@bagder the amount of "non-intelligence" is frightening... I can't imagine your days 😅
@bagder that one is hilarious. How to show that you've only ever looked at cryptocurrencies...
@bagder
I think people just started playing pranks on you...
@bagder "Any hash value is a security vulnerability" is an interesting take.

@larsmb @bagder

Maybe these people consider it a vulnerability when they know the programming language used for a software because they could do research about vulnerabilities for programs written in these languages?

@larsmb yeah I'd love to see that genius shift his focus to the cryptocurrency field. lol
@bagder the proposed solution literally makes it less secure 🤦‍♂️
@bagder it's not a hash of a curl image 🤦‍♂️ he should report this to Debian 😂😂 /s
@bagder This is an AI generated report I am pretty sure about it. The LLM probably confused the container image hash with a token

@ffmancera humans are capable (of this mistake) as well

At least this one was short

@ffmancera @bagder automated security scanners always complain about this since they're just looking for high-entropy strings. i could definitely see this arising from automated scan reports being fed uncritically to an LLM
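An added illustration, not anyone's words in this thread: a minimal entropy-based scan over a constructed Dockerfile showing why a pinned base-image digest trips such a scanner, plus the triage step a reviewer would want, which labels the hex part of an `@sha256:` image reference as a public image identifier rather than a candidate secret. All names and sample values are constructed for this example.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample input: a digest-pinned base image and a fake token.
# Neither value is real; the digest is just sha256 of a fixed string.
FAKE_DIGEST = hashlib.sha256(b"constructed example").hexdigest()
SAMPLE_DOCKERFILE = f"""\
FROM debian:bookworm-slim@sha256:{FAKE_DIGEST}
ENV APP_TOKEN=xK9fQ2mL7pT4vB8nR3wZ6cH1jD5gS0yE
RUN apt-get update && apt-get install -y curl
"""

# A public image digest: "@sha256:" followed by exactly 64 hex characters.
DIGEST_RE = re.compile(r"@sha256:([0-9a-f]{64})\b")
# Candidate strings an entropy scanner would examine.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(dockerfile: str, threshold: float = 3.0):
    """Return (line_no, string, entropy, verdict) for each high-entropy string.

    Verdict is "public-digest" when the string is the hex part of an
    @sha256: image reference (it identifies a public image and grants
    nothing), otherwise "review" so a human looks at it.
    """
    findings = []
    for no, line in enumerate(dockerfile.splitlines(), start=1):
        digests = set(DIGEST_RE.findall(line))
        for m in TOKEN_RE.finditer(line):
            s = m.group(0)
            ent = shannon_entropy(s)
            if ent < threshold:
                continue
            verdict = "public-digest" if s in digests else "review"
            findings.append((no, s, round(ent, 2), verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DOCKERFILE):
        print(finding)
```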
@bagder jesus. I have a lot of respect for you for putting up with that crap for so long. does appear to be happening more often lately. between script kiddies and LLM bots
@bagder Here is my hash. Please don't hack me. 7ac4f87bc7da9d874c5d62b3226371fe9b958ad21efa41115db341f33a07344f
@bagder wow, this means every coffee shop in The Netherlands is vulnerable. They literally sell hash there.