stosb


lexi
@lexi

yknow, the funniest thing about the whole "oh cohost can leak your ip to users!!! don't use it!!!" thing is that people assume that this isn't the case on other sites.

i occasionally do security research and found a funny little niche: security mechanisms specifically on social media, and good god, you would not believe the things that ive seen. the exact same thing does happen on the other sites too. twitter is like swiss cheese in terms of security features, reddit should not be allowed to use regular expressions (you genuinely would not believe the regices ive seen in prod), etc etc. they are all insecure.

if your IP is part of your threat model, use a VPN. all websites are leakier than you think, and social media sites are some of the worst offenders.

don't worry about hotlinking on here. we already live in hell and hell is hot, so we might as well have some fun with it



in reply to @lexi's post:

my ip is 192.168.0.179 dont hack me.

there is some risk to knowing private ips if you can get someone to navigate to a webpage that does fetch requests to internal IPs on internal pages that aren't secured properly, but probably not for knowing the ip of someone's computer?

i was working on a web app that allowed communication with local devices a few years ago, and it is surprisingly secure! without a CORS header you can only send OPTIONs, and everything besides HTTP is completely out of the window. so without explicit consent you're not getting anything out of an internal page.

also, port scanning is trivial to implement, so i don't even have to know your private ip.

also, my ip is - *checks notes whatsmyip* - 146.70.117.172. private IP is 192.168.43.3, VPN IP is 100.0.1.5. feel free to hack my firewall :)

well, that is possible but entirely write-only. you'd have to know the IP, what software, and what vulnerable endpoint, and you could not retrieve any response, rendering pretty much any attack useless
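
Added example, not part of the thread or written by any of its participants: one way an internal page of the kind discussed in the replies above can check requests on the server side, using the Host and Origin headers rather than relying on the browser alone. The addresses, hostname, token value and the `x-device-token` header are assumptions made up for the illustration, and Host parsing covers IPv4 addresses and names only.

```python
import hmac

# Assumed values for a hypothetical device page on the LAN (not from the thread).
ALLOWED_HOSTS = {"192.168.0.1", "device.lan"}
ALLOWED_ORIGINS = {"http://192.168.0.1", "http://device.lan"}
DEVICE_TOKEN = "constructed-sample-token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def check_request(method, headers):
    """Decide whether the internal page should act on a request.

    headers: dict keyed by lower-case header name.
    Returns (allowed, reason).
    """
    # 1. Host allow-list: a request that reached this address under some
    #    other hostname (DNS rebinding) still carries that other name in Host.
    host = headers.get("host", "").rsplit(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        return False, "unexpected Host"

    # 2. Read-only methods must never change state, so they pass this check;
    #    the browser withholds their responses from foreign pages unless
    #    the server sends CORS headers.
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    # 3. State-changing request from a browser: Origin names the sending page.
    #    Browsers attach it to cross-origin POSTs, so a foreign value is refused.
    origin = headers.get("origin")
    if origin is not None:
        if origin.lower() in ALLOWED_ORIGINS:
            return True, "same-site Origin"
        return False, "foreign Origin"

    # 4. No Origin header: a non-browser client, which must present the token.
    token = headers.get("x-device-token", "")
    if hmac.compare_digest(token.encode(), DEVICE_TOKEN.encode()):
        return True, "valid token"
    return False, "missing or bad token"
```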