Oh no! „Squidbleed“ found by Mythos! When using http:// URLs via a Squid proxy, an attacker might see the data! 😱

Maybe we should all be using https: on the internet, or expect our traffic to be public. Wait… we already do that, since Let's Encrypt started a decade ago!

This vulnerability could have been a bug report.💁🏻‍♂️

https://www.theregister.com/security/2026/06/23/mythos-discovers-squidbleed-a-memory-leak-thats-gone-undetected-since-clinton-era/5260367

Mythos discovers 'Squidbleed,' a memory leak that's gone undetected since Clinton era

Plus more blasts from the past: NetWare, FTP, and HTTP

@icing Like I said, "sysroot injection is the classic pkgconf threat model" 😂
@icing This is such a ridiculously niche configuration lol. Still, I'm gonna try and exploit our Sooper Dooper Enterprise Web Filtering Vendor at work tomorrow, who just so happens to have based their product on a 10-year-old version of Squid (and the hostname of the Squid instance is 'TEST', so you know it's extra good)
@icing Reading the vuln report:
@icing This is the first time I've ever heard of Squid, so I'm probably super extra safe 🥴
Guido Gallenkamp (@[email protected])

Attached: 1 image
Hm. Yes, I'm asking about it too 🥲 #https

Tuffidon
@gg Ha! But I don't think a CVE would help there either.
@icing @gg We'll simply define in a law that HTTP is state of the art and counts as encrypted. After all, it takes special effort and specialized tools that not everyone has (I mean, you need an internet connection, and who in Germany has one of those?). And since there are border controls and the data only flows through German networks, everything is secure, right?
@tux94 @icing There's a special German key you can use to switch to "make everything secure".
@gg @tux94 That must be the "Trollen" key between "Drucken" (Print Screen) and "Pause", right?
@icing This article feels like a shill for AI the way she phrases it by putting the humans in the back seat:
"...until AI (and a few humans) saved the day."
@icing hmm...HTTP...FTP...NetWare‽...yeah, this "vulnerability" should not concern anyone worried about "security" in 2026

@icing the security industry has always struggled with context when evaluating "security issues".

The fact that somebody could, if they broke through 4 other layers of security gain access to data that isn't actually sensitive anyway isn't the emergency you think it is, Mortimer. The lock on my bathroom door also isn't going to stop people from stealing my toilet paper.

@icing missing the big story here: Mythos is first AI to discover time travel!
@icing When I forget to lock my session: "oh no, the superbug of amnesiableed"
@icing Found before it got embargoed, I guess?
@ferricoxide As I understood the article, they followed coordinated disclosure.
@icing

The embargo on Mythos (and Fable) was only a couple weeks ago. I assume this Mythos-originated finding happened before then and the more-recent disclosure was part of that coordinated-disclosure process.

@icing

They are digging deep to support the bubble.

#AI #Insanity

@icing
If data:// is so good, where's datas:// ?