Mastodawn

solid-snail Dec 15, 2023

New post talk about RCE in npm search, and other vulnerabilities in terminal applications.
https://blog.solidsnail.com/posts/npm-esc-seq

npm search RCE? - Escape Sequence Injection

How many programmers does it take to filter out 36 characters? You may think this is an opening to a joke, but it’s not.

solid-snail blog

solid-snail Dec 5, 2023

Ars Technica Dec 5, 2023

Beeper Mini on Android claims to have reverse-engineered iMessage compatibility

Co-founder says it's a security improvement for everyone and should be legal.

https://arstechnica.com/gadgets/2023/12/beeper-mini-on-android-claims-to-have-reverse-engineered-imessage-compatibility/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

Beeper Mini for Android sends and receives iMessages, no Mac server required

Co-founder says it's a security improvement for everyone and should be legal.

Ars Technica

solid-snail Dec 5, 2023

This one is a bit different from my previous post.
I basically reported a feature as a vulnerability, not a bug.
https://blog.solidsnail.com/posts/vscode-shell-integ-rce

It’s not a Feature, It’s a Vulnerability

It takes a special kind of person to name a company after their own body part. Fortunately the Microsoft Security Response Center doesn’t seem to have inherited that kind of mentality, because when I have reported not a bug but a feature as a vulnerability - they accepted it.

solid-snail blog

solid-snail Sep 12, 2023

My first write-up.
Vulnerability I discovered.
Getting RCE from terminal output.
https://blog.solidsnail.com/posts/2023-08-28-iterm2-rce

From Terminal Output to Arbitrary Remote Code Execution

It was the year of the Linux desktop 1978. Old yellowed computers were not yet old, nor yellowed. Digital Equipment Corporation released the first popular terminal to support a standardized in-band encoding for control functions, the VT100.

solid-snail blog