Merryvanncapy/bara
world's largest rodent
fuck 10mo ago#5925549
spent 0 currency on pings
she thought you could run remote javascript with it, which would allow the attacker to run a keylogger on your browser or do other harmful shit like that
dang. u have to imagine with me because there's impressionable youths in my vicinity but I'm imagining going to an image search and finding a picture of a hot chastity belt, and inserting that here as a comment
(the following is not backed by any reputable authority)
i'm pretty sure most browsers at this point take extra measure to stop this attack, or at least cut it off from websites outside of the attack domaim (in this case rdrama)
otherwise anyone could just get u on a website that's secretly theirs and frick up ur whole shit like scrape up ur bank details and other doxx info.
the really annoying thing is the keylogging which means they'd be able to see ur DM's as you type them.
or if an admin gets caught they can turn every click of a mouse into a "ban last user who posted" event
But darn, not even an ethical blackhatter Imagine if some poor script kiddy actually paid for this r-slur's bottom surgery just to find out that it didn't work because he didn't actually confirm his assumptions
Jump in the discussion.
No email address required.
Can someone explain what @transb-word thought xer exploit could do? Even if it was nothing in the end, wtf was it?
For all I know it could be a way to steal everyone's password or something
Jump in the discussion.
No email address required.
she thought you could run remote javascript with it, which would allow the attacker to run a keylogger on your browser or do other harmful shit like that
more info on that: https://en.wikipedia.org/wiki/Cross-site_scripting
in reality, the most harm it could do was just change the page layout a bit (due to our CSP), and that was fixed now
Jump in the discussion.
No email address required.
Does this have anything to do with why we have to make an account to browse the site now and why this cloudflare message shows up?
Jump in the discussion.
No email address required.
only so far as "Capybaras can't make a functional website"
Jump in the discussion.
No email address required.
we're being DDOS'd intermittently
Jump in the discussion.
No email address required.
Any idea who's doing it? ?
Jump in the discussion.
No email address required.
not a clue
Jump in the discussion.
No email address required.
I might be doing so unintentionally, my VPN has really volatile reactions with my mobile network.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
Directly Determined Of Shitcode
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
nope
Jump in the discussion.
No email address required.
More options
Context
More options
Context
What the frick is CSP?
God darn codecels and their acronyms
Jump in the discussion.
No email address required.
https://en.wikipedia.org/wiki/Content_Security_Policy
Jump in the discussion.
No email address required.
Jump in the discussion.
No email address required.
More options
Context
You shouldn't coddle the weblets.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
Contain, Secure and Protect
Jump in the discussion.
No email address required.
There has to be an SCP about dyslexia
Jump in the discussion.
No email address required.
More options
Context
More options
Context
Child Service Protection
Jump in the discussion.
No email address required.
More options
Context
Coochie Security Policy
Jump in the discussion.
No email address required.
dang. u have to imagine with me because there's impressionable youths in my vicinity but I'm imagining going to an image search and finding a picture of a hot chastity belt, and inserting that here as a comment
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
wtf ban all programmer socks users immediately
Jump in the discussion.
No email address required.
(the following is not backed by any reputable authority)
i'm pretty sure most browsers at this point take extra measure to stop this attack, or at least cut it off from websites outside of the attack domaim (in this case rdrama)
otherwise anyone could just get u on a website that's secretly theirs and frick up ur whole shit like scrape up ur bank details and other doxx info.
the really annoying thing is the keylogging which means they'd be able to see ur DM's as you type them.
or if an admin gets caught they can turn every click of a mouse into a "ban last user who posted" event
Jump in the discussion.
No email address required.
that's good if xhe is too much of brainlet to get around those extra measures. not that it matters, i'm perma-logged in and idc about ppl in my DMs.
still, all valids need to be banned for even thinking of doing brazen shit like that
Jump in the discussion.
No email address required.
More options
Context
This should be implemented as a 1:10000000 chance event just for funsies
There's a precedent for it too, when /r/drama banned 90% of subscribers at random during their 100k celebration (that i got banned during)
Jump in the discussion.
No email address required.
no you didn't
Jump in the discussion.
No email address required.
Jump in the discussion.
No email address required.
faked image
Jump in the discussion.
No email address required.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
More options
Context
More options
Context
More options
Context
More options
Context
Once again the Pharaohs is protecting his many subjects with his wisdom.
Thank you Moon and Stars
Jump in the discussion.
No email address required.
More options
Context
Is the part about a "crafted media file which also happens too be valid JS" just bullshit?
trans lives matter
Jump in the discussion.
No email address required.
yeah bullshit for 2 reasons
we reencode all video files to .mp4
nginx automatically sets a content-type of "video/mp4" to all videos we serve
so you can't really do that
Jump in the discussion.
No email address required.
Trans lives matter
Jump in the discussion.
No email address required.
Sometimes you just get overexcited
But darn, not even an ethical blackhatter Imagine if some poor script kiddy actually paid for this r-slur's bottom surgery just to find out that it didn't work because he didn't actually confirm his assumptions
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
More options
Context
Jump in the discussion.
No email address required.
I laughed gg
Jump in the discussion.
No email address required.
More options
Context
More options
Context
That's why I use NoScript.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context