https://blog.thereallo.dev/blog/decompiling-the-white-house-app

Wowy wow wow wow! I’m sure none of y’all planned on downloading the malware from the Mango, but just in case, DO NOT. It will:

Inject JavaScript into every website you open.

Has a full GPS tracking pipeline always on.

Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds.

Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.

Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.

Has no certificate pinning.

Ships with dev artifacts in production.

Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.

#infosec #whitehouse #malware #StupidestTimeline

I Decompiled the White House's New App

The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes, and loads JavaScript from some guy's GitHub Pages.

Thereallo

@MissConstrue Even if I don't, some of my cousins might. What happens if I'm in their contacts?
#infosec #malware #StupidestTimeline

@mediopocillo @MissConstrue That's the fun thing about this stuff. With access to contacts, anything and everything they've saved in that contact is shared with whoever they grant access to and there is absolutely nothing said contact can do about it. (Isn't it *GREAT*??)

What is gotten comes down to how much they actually put in there, so make sure they don't have anything like your social media profiles etc. saved in there, because all you can do from your end is ask those people.

@nazokiyoubinbou @mediopocillo I hadn't even thought about contact contamination until y'all mentioned it.

@MissConstrue @mediopocillo These days, sadly, it's a given.