I’ve looked through the available info and everything adds up. Yes, it seems that activists managed to archive at least 30TB of #Parler data. It’s now safe to use the past tense when speaking about Parler. Even ignoring the technical difficulties, there is no coming back from that.
Hi #Twitter, this “browser” is the current Thunderbird release, a mail and RSS client. Its capabilities are no different from Firefox 78. How about you detect Gecko rather than detecting Firefox?
Better yet, do feature detection instead of UA sniffing: https://developer.mozilla.org/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent
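As an added illustration of the point in the two posts above (this is example code, not from the original posts): naive UA sniffing for the "Firefox/NN" token rejects Thunderbird even though it runs the same Gecko engine, while feature detection asks the runtime for the capabilities the page actually needs. The user-agent strings below are constructed samples following the usual Gecko UA layout; the list of required features is an assumption chosen for the demo.

```javascript
// Added example: UA sniffing versus feature detection.
// Constructed sample user-agent strings (typed by hand for this demo).
const SAMPLE_UAS = {
  firefox78: 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
  thunderbird78: 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0',
};

// Naive sniffing: only the "Firefox/NN" product token counts, so any other
// Gecko-based client (Thunderbird here) is rejected outright.
function sniffFirefoxMajor(ua) {
  const m = /Firefox\/(\d+)/.exec(ua);
  return m ? Number(m[1]) : null;
}

// Engine-based sniffing: key off the "rv:NN ... Gecko/" engine tokens rather
// than the product name. Still fragile, but it treats all Gecko clients alike.
function sniffGeckoMajor(ua) {
  const m = /\brv:(\d+)[^)]*\) Gecko\//.exec(ua);
  return m ? Number(m[1]) : null;
}

// Feature detection: check the global object for the APIs the page uses.
// `scope` is window in a browser or globalThis in Node. Assumed feature list.
const REQUIRED_FEATURES = {
  'Promise.allSettled': (s) => typeof s.Promise?.allSettled === 'function',
  'Object.fromEntries': (s) => typeof s.Object?.fromEntries === 'function',
  'Array.prototype.flat': (s) => typeof s.Array?.prototype?.flat === 'function',
};

// Returns the names of required features that `scope` does not provide.
function missingFeatures(scope) {
  return Object.entries(REQUIRED_FEATURES)
    .filter(([, check]) => !check(scope))
    .map(([name]) => name);
}

// True when every required feature is present, regardless of the UA string.
function isSupported(scope) {
  return missingFeatures(scope).length === 0;
}
```

Run under Node, `isSupported(globalThis)` reports support based on what the runtime actually implements, whereas `sniffFirefoxMajor` returns `null` for the Thunderbird string despite the identical engine version.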
Wonderful how #Exim team fully recognizes that the use_shell option is a massive security footgun. So they warn users. In a separate document, not linked from the option’s documentation. Never mind not explaining which characters are ok, so users are bound to get it wrong.
“And so the Honey extension also has [obfuscated JavaScript] VIM code that will run in the context of the extension’s background page. It seems that the purpose of this code is extracting user identifiers from various advertising cookies.” #Honey
“This time, there is no point decoding the base64-encoded data: the result will be binary garbage. As it turns out, the data here has been encrypted using AES, with the start of the string serving as the key.” #Honey
“Are you saying document.querySelector()? No, guess again. Is anybody saying jQuery? Yes, of course it is using jQuery for extension code as well! And that means that every selector could be potentially booby-trapped.” #Honey
“Why did they even bother with this complicated approach? Beats me. I can only imagine that they had trouble with shops using CSP in a way that prohibited execution of arbitrary scripts. So they decided to run the scripts outside the browser where CSP couldn’t stop them.” #Honey
That’s a weird one — the below is an exact copy of Firefox’s about:neterror page, but it’s apparently being served by #Cloudflare (?) as a 404 page. It’s even using the browser’s own scripts and styles, which is rather dangerous since these could change. I fail to see the point…
Update: today #Giggle’s @salltweets@twitter.com published a new statement. It’s a good first step, though for my taste it’s a bit thin on reflection of her own role in this mess. What’s still missing however is some statement on the privacy issues. Will these be fixed as well eventually?
The bad news: @salltweets@twitter.com threatens to sue the researchers unless they let her approve the publication first. They kindly decline, as they should. And she shares that communication publicly as well, somehow assuming that it puts her in a better light?
Somehow, the email communication still happened, the right person received the report and confirmed it. So a bit later today @salltweets@twitter.com started sharing the image below — without retracting any of her claims, somehow assuming that this reinforces her points.
So today she proceeded by once again attacking the researchers and criticizing journalists who were asking her about the security vulnerability, restating that it didn't exist.
And she claims that @DI_Security@twitter.com researchers publicly called her a transphobe. Not sure what this is about, I could only find a tweet by @daeken@twitter.com who appears to have no relation to the researchers. Judging by the way @salltweets@twitter.com responded she thinks otherwise.
She says that they should have emailed the technical department directly — yet from a brief look I cannot find the corresponding email address anywhere. From experience, emailing technical support about vulnerabilities is a bad idea. So Twitter is a valid way to approach a company.
Software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant