August 20, 2022
Continuing to analyse the Instagram iOS app, I found something new:
Besides injecting pcm.js (as covered last week), Instagram also injects JavaScript code to observe all taps happening inside their in-app browser, like clicking on buttons, links or images. 
-
This new trick for turning any PHP LFI to RCE is awesome! I've been wondering why it didn't get more attention since it works better than any other LFI2RCE techniques out there (such as expect://).Props to @loknop for publishing this technique initially👏
book.hacktricks.xyz/pentesting-web…
-
FSB screwed up their intelligence on Ukraine.
https://www.washingtonpost.com/world/interactive/2022/russia-fsb-intelligence-ukraine-war/-
When ‘Tsarbucks’ was right there for the taking?
-
I just published a writeup of yet another actively exploited vulnerability in Zimbra - patch your ZCS (or burn it down) ASAP!
Combined with an 0-day privesc bug from last October (CVE-2022-37393), this is remote root. Again.
-
“It’s a phishing vessel” - [credit: Eric Capuano]
China denies that the Yuan Wang 5 is any form of "spy" ship or has any military function. They say it's purely a civilian ship.
The ship:
-
Lloyd’s of London will require its insurer groups globally to exclude catastrophic state-backed hacks from stand-alone cyber insurance policies starting next year.
-
RAND: China's Weapons Exports and Private Security Contractors (Aug 2022) rand.org/pubs/tools/TLA…
Direct link to document (3.6MB .pdf, 4 pages) rand.org/content/dam/ra…
-
The VIASAT hack impacted French emergency services in some capacity.
Very interesting reporting in 🇫🇷 where we learned that VIASAT impacted French first urgency services backup relays for the emergency numbers 15🚑 & 18🚒
↘️
BGPilliet @bgpilliet
-
Will this be a chance for the Space Force to actually do something if the Russians move to disrupt this channel?
One of the big untold stories of the war is the massive quantity of commercial (and non-commercial) satellite imagery being funnelled to Ukraine for military purposes.
Shashank Joshi @shashj
-
TIL there is a wild "Military use" section on the wikipedia page of one of our more popular folk songs @cstross
-
I marvel at the new ways people figure out to scam and defraud each other.
Do you know a simple signature in Metamask can drain your wallet?
A very experienced user (top 10 by Degen Score) lost almost 500k USDC in an exploit today.
You could be next...
A short thread how it happened and how you can avoid such exploits in future.
-
Great paper on how we abuse history to rationalise and justify whatever we want. Also, on Sparta. Which was terrible.
https://eidolon.pub/this-is-not-sparta-392a9ccddf26-
Not to brag or anything, but the Glasshouse Centre for the Cyber Arts had an excellent guest interview:
-
Will Dormann @wdormann
-
-
iOS and MacOS recently started parsing media codec parameter sets in the kernel, leading to bugs like this
-
I obtained the investor pitch deck Erik Prince used to raise €5 million for his Unplugged security phone. He describes the upcoming $850 phone as “impenetrable to interception and surveillance” thanks to “government-grade encryption.” Let’s go through it.
-
Fascinating paper. What makes a reverse engineer an expert. And what techniques do they use vs novices.
'All the best reversers were not fastest only because they could read and understand the code faster, but also because they reversed less code' 🔥🔥
usenix.org/system/files/s…
-
the existence of bong hits implies the existence of bong misses and a bong acquisition & tracking system
-
-
As a fan of identifying situations where random action beats human judgement in expectation, viewing divination as an RNG for such situations is a fascinating perspective.
Helen De Cruz @Helenreflects
-
Bang!!
A fantastic image of USAF pilot Chris Striklin ejecting from his F-16 aircraft at an altitude of just 140 feet. The pilot (of the 'Thunderbirds' 2003 aerobatic team) survived, but his F-16 was not so lucky. Thankfully it crashed in an empty area of the display ground.
-
-
-
Don't miss what's next. Subscribe to the grugq's newsletter: