https://blog.thereallo.dev/blog/decompiling-the-white-house-app

Wowy wow wow wow! I’m sure none of y’all planned on downloading the malware from the Mango, but just in case, DO NOT. It:

Injects JavaScript into every website you open.

Has a full GPS tracking pipeline that is always on.

Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds.

Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.

Sends email addresses to Mailchimp, serves images from Uploadcare, and hardcodes a Truth Social embed with static CDN URLs. None of this is government infrastructure.

Has no certificate pinning.

Ships with dev artifacts in production.

Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.

#infosec #whitehouse #malware #StupidestTimeline

I Decompiled the White House's New App

The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes, and loads JavaScript from some guy's GitHub Pages.

Thereallo
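The findings in the post above (sensitive permissions, third-party script hosts, WebView script injection, no certificate pinning) are the kind of thing a reviewer checks with a quick static triage over a decompiled APK. The script below is an added example and is not the blog author's tooling or anything from the app: it runs over a constructed manifest, a constructed network_security_config, and a constructed list of strings that imitate what a decompiler would emit. The sensitive-permission set and the ".gov" trust suffix are the reviewer's own assumptions.

```python
"""Static triage of a decompiled Android app: permissions, external hosts,
WebView script injection, and certificate pinning (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlparse

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: permissions a press/news app has no obvious need for.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_SMS",
}

# Real WebView APIs that let native code push script into loaded pages.
JS_INJECTION_MARKERS = ("evaluateJavascript", "addJavascriptInterface",
                        'loadUrl("javascript:')

# Constructed sample manifest (not the real app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# Constructed network security config: cleartext allowed, no <pin-set>.
SAMPLE_NETWORK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
</network-security-config>"""

# Constructed strings imitating decompiler output (hosts taken from the post).
SAMPLE_STRINGS = [
    "https://www.whitehouse.gov/api/feed",
    "https://lonelycpp.github.io/yt-embed/player.js",
    "https://elfsightcdn.com/platform.js",
    "https://api.onesignal.com/players",
    "webView.evaluateJavascript(js, null)",
    "Lcom/example/app/Tracker;->start()V",
]


def manifest_permissions(xml_text):
    """Return the set of permission names declared in an AndroidManifest."""
    root = ET.fromstring(xml_text)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def hosts_by_url(strings):
    """Group every http(s) URL found in the strings by hostname."""
    out = defaultdict(list)
    for s in strings:
        for url in re.findall(r"https?://[^\s\"'<>]+", s):
            out[urlparse(url).hostname].append(url)
    return dict(out)


def pinning_status(config_xml):
    """Report whether a network_security_config pins certs or allows cleartext."""
    root = ET.fromstring(config_xml)
    pinned = root.find(".//pin-set") is not None
    cleartext = any(el.get("cleartextTrafficPermitted") == "true"
                    for el in root.iter())
    return {"pin_set": pinned, "cleartext_permitted": cleartext}


def triage(manifest_xml, config_xml, strings, trusted_suffixes=(".gov",)):
    """Produce (kind, detail) findings for a reviewer to follow up on."""
    findings = []
    for perm in sorted(manifest_permissions(manifest_xml) & SENSITIVE_PERMISSIONS):
        findings.append(("permission", perm))
    for host, urls in sorted(hosts_by_url(strings).items()):
        if host.endswith(trusted_suffixes):
            continue  # first-party infrastructure under the assumed suffix
        kind = "third-party-js" if any(u.endswith(".js") for u in urls) else "third-party-host"
        findings.append((kind, host))
    for s in strings:
        if any(marker in s for marker in JS_INJECTION_MARKERS):
            findings.append(("webview-js-injection", s))
    status = pinning_status(config_xml)
    if not status["pin_set"]:
        findings.append(("no-cert-pinning", "network_security_config has no <pin-set>"))
    if status["cleartext_permitted"]:
        findings.append(("cleartext-allowed", "cleartextTrafficPermitted=true"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_MANIFEST, SAMPLE_NETWORK_CONFIG, SAMPLE_STRINGS):
        print(f"{kind:22} {detail}")
```

On a real target the manifest comes from apktool output, the strings from `strings` over the classes.dex or a jadx export, and the trusted suffix list from the organisation that is supposed to own the app; script hosts outside that list are the ones whose supply chain you now depend on.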
@MissConstrue
Even if I don't, some of my cousins might. What happens if I'm in their contacts?
#infosec #malware #StupidestTimeline

@mediopocillo @MissConstrue That's the fun thing about this stuff. With access to contacts, anything and everything they've saved in that contact is shared with whoever they grant access to, and there is absolutely nothing said contact can do about it. (Isn't it *GREAT*??)

What is gotten comes down to how much they actually put in there, so make sure they don't have anything like your social media profiles etc. saved in there, because asking those people is all you can do from your end.

@nazokiyoubinbou @mediopocillo I hadn't even thought about contact contamination until y'all mentioned it.
@MissConstrue @mediopocillo These days, sadly, it's a given.
@mediopocillo Unknown at current, I believe.

@MissConstrue It sounds like people should report the app then.

Imagine how much the orange one would explode if the app were pulled from the store for being in violation of basic rules (and, uh, laws by the look of it... Despite what the article says, I'm pretty sure some of it is surely illegal.)

Just *imagine* what it would do to his puny ego...

@nazokiyoubinbou @MissConstrue

Should definitely be reported but I wouldn't hold my breath on any company that made a donation to the ballroom doing anything other than metaphorically lick his taint.

@gbargoud @MissConstrue Same, but wouldn't it be amazing if they actually did uphold the standards they enforce on other devs just this once?

@nazokiyoubinbou @MissConstrue

It would be, especially if they also take down Mecha Hitler's Child Porn O Matic while they're consistently enforcing their rules.

@gbargoud @MissConstrue Hopes and wishes aren't illegal after all.

At least not yet...

@MissConstrue
It doesn't even consider installing on GrapheneOS, saying my phone is incompatible.
@Retreival9096 I believe currently they have only shipped through production, for a generous value of production, a version that requires factory OS Android.