
lexi
@lexi

Hello,

We have assessed this case as Low Impact which is not eligible for bounty. You are eligible to be acknowledged from the CVE that will fix this case.

Kind regards,

Jim
MSRC

i did not have high hopes for a bounty but low impact? come on that's just insulting

mind you, this vuln can get you access to like 20 permissions that you should only get with the user's consent. low impact my ass lmao


lexi
@lexi

i wish i could share this here because i am actually close to going feral over this.

the low impact assessment is somewhat right, at least in their eyes, because they have a fucking fundamental misunderstanding of fucking web security

in fairness, i can't leak the full context, but essentially they think that a vuln that can be triggered via JS/HTML REQUIRES PHYSICAL ACCESS TO THE VICTIM'S MACHINE.

I WISH I WAS FUCKING JOKING

i can't share the exact details without leaking parts of the vuln itself so i'm gonna have to make a followup to this once it got fixed but JESUS FUCKING CHRIST HOW FUCKING DENSE ARE THEY

if you are using edge: please switch browsers immediately, their security team is full of amateurs. i am not joking, please stay as far away from it as possible

edit: for context for the last paragraph, this apparently went through several people and nobody noticed it (if the msrc guy did not lie to me).

read full email exchange (yes msrc does not use the fucking msrc portal but emails security researchers lol)

from MSRC:

Hi ,
Here's an update on your case:
MSRC Case [censored]

We confirmed the behavior you reported. We'll continue our investigation and determine how to address this issue.

Please let me know if you have additional information that could aid our investigation, or if you have questions.

Thanks!

J
MSRC

from MSRC:

Hello,

We have assessed this case as Low Impact which is not eligible for bounty. You are eligible to be acknowledged from the CVE that will fix this case.

Kind regards,

Jim
MSRC

from me:

Hey there, may I ask why this is only Low Impact? This can easily lead to [censored], and can leak a lot of sensitive data. For example, a similar bug on Chromium BBP (which I think can be compared to the Edge BBP, both are for major browsers after all) that abuses the same underlying issue [censored] got rated as High Impact and got bountied: [censored]. Would be nice if someone could look into this again.

from MSRC:

Hello,

We have examined this issue several times and the assessment is low impact because an attacker must have local access to the machine.

I hope this helps?

Kind regards,

Jim
MSRC

emphasis on "We have examined this issue several times". holy fucking shit


in reply to @lexi's post:

i have no clue and i sincerely hope nobody unironically uses edge because if they can't grasp that then i don't want to know how many holes this excuse of a browser has

gotta do the thing you have to do with any bug: find someone who works in security they'll respect, or someone who works for Microsoft and gets it, and tell them to escalate it. but demand credit for bounty.

it sucks but like, soft-nepotism is the way the bigcorp world works

oh yeah i know a guy who knows a guy who's pretty high in microsoft's food chain so i'm not that worried. i am just so baffled at their incompetence because literally someone who has no clue about infosec would get this