r000t @r000t@infosec.exchange
Hacker, comedian, RED Scout fan, gold Ekko one-trick. Watching them sorting debris.
Joined Aug 2018
@feditips @jcbrand @SuperDicq @amolith
>Mastodon
>Non-toxic
See attachments. Nobody has called them on the carpet for it. Nobody has called #fediblock on them. Seems toxicity gets a pass when it's on Mastodon.
These posts would be grounds for arrest in quite a few jurisdictions. I have never received a violent threat from a Pleroma user.
@spaaze
Welcome to the fediverse btw.
@spaaze
Oh man... I forgot everything about that about a week after I did it.
When I decommissioned that server, I backed up the VMs but I'm not sure about the hypervisor configs. I'll look when I get home.
r000t
boosted
There's a command to hit up *every* account to make sure it's still valid. Ultimately, all that's going to do is return a bunch of errors for each instance that's down. That command is `tootctl accounts cull`
Once you've identified instances that are gone and aren't coming back, you can purge them individually. `tootctl domains purge <domain>`
@xerz FWIW, any MDM/AD domain profiles I roll out, specifically block the big "anticheat" drivers.
I get to hide behind "opaque kernel blobs bad for security lmao" and the companies get to hide behind "don't play video games on work issued equipment"
@xerz HackerOne ticket I opened this morning.
I gotta give them props for the response time, but that's it.
@xerz iknorite?
They do offer a much larger bounty for anybody who can pop vgk.sys ("Vanguard"),
But at the same time, the exact same rubric says that "Logic flaw bugs leaking or bypassing significant security controls" in "Critical Riot infrastructure (game servers, services in the game loop, Riot accounts infrastructure)" pays between $1,000-$10,000. I got zero, and told that they won't even fix the problem.
So there very well could be bugs in Vanguard, that Riot refuses to admit are bugs
@lanodan Huh, that's weird. The reply from Riot said that *everyone* lets you reuse tokens. Discord was the example they gave.
Because Discord is just such a fucking bastion of internet security.
@lanodan Find out: Try to login twice, super quick, with the same code.
"A 2FA bypass is not a bug because you'd need to know the username and password to use it"
uhhhhh folks what do you think 2FA is for?
Riot Games 2FA implementation is inherently broken: The same code can be used multiple times.
The code is also emailed to you, and email is known to be an insecure channel. You do not have the option to use your own TOTP application to generate login codes.
Riot Games responded to a report saying that the system is "working as intended"
Lesson? Phish Riot accounts. They will do nothing to stop you.
Also, HackerOne is an absolute fucking joke.
If the infosec community can thank cryptocurrencies for one thing, it's that 0days get exposed much quicker (universal profit motive vs. targeting a specific firm), and with potentially less damage than a breach that exfiltrates data.
Also, patch your shit. Also, stop paying for virtualization.
r000t
boosted
Today I learned that unprivileged users can run "systemctl show servicename" to see all the environment variables set in the .service file.
This means if someone sets their AWS_SECRET_ACCESS_KEY in there (or any other secret), it can be read by an attacker even if they don't have read privileges to read the .service file.
For defenders, use EnvironmentFile= instead of Environment= and as long as your environment file has the correct privileges, you will be fine on this front.
Happy Friday everyone!
As a reminder, anticheat "drivers" that run in kernel mode are a spectacularly bad idea, and *every* MDM/BYOD policy I roll out blocks the most popular ones.
Now, they did exactly one thing right:
They don't ask permission to send the code when you log in. They just send it.
Asking things like "Where would you like us to send the code?" or "Is it alright if we send you the code?" gives an attacker a chance to back out before the notification alerts the account owner to the potential breach.
Your auth systems should make attackers noisy. We like noisy attackers.
Riot Games deployed multifactor auth in basically the worst way they could:
1) *only* email 2FA is supported, no TOTP
2) The code is shown in the subject line, making it trivial to steal from streamers, or participants in a video call, or anybody who can wake up a target's phone (no unlock needed)
3) Enrolling your account forwards you through an absolute fuckton of redirects to unrelated domains, including sites for Riot's other games, and their eSpOrTs site.
Abysmal failure.
This should be really fun to watch.
Lesson learned: "The cloud" is an infinitely large (and expanding) attack surface.
Do not purchase "cloud" manageable enterprise equipment. Limit it to an internal management network, and always use TLS, even on internal networks.
Hacker, comedian, RED Scout fan, gold Ekko one-trick. Watching them sorting debris.
Joined Aug 2018
