Comments on Egor Homakov: How I hacked Github again.
Comment feed, last updated 2024-02-10T02:19:53-08:00. Author profile URL for homakov: http://www.blogger.com/profile/10492045246792330280

Anonymous, 2016-06-28T07:19:22-07:00:
I charge more than you for creating this type of flaw. Perhaps we should get together? I could get paid to create these bugs, you can get paid to find the ones I tell you about, and then I can get paid again to fix them ;)

Nice write-up and good work. Btw: quoting a day rate is more professional and more appealing to corporate clients.

homakov, 2015-08-28T07:56:25-07:00:
because there was no warning - since it is the original github client and a pre-approved app, you could approve even the scopes the Gist client never needed (such as "repo" scope). This is why auto-approving is bad, it should warn the user first

Anonymous, 2015-08-20T11:15:07-07:00:
I'm actually confused with bug 5, I don't know why you established it as a vulnerability when the GitHub webpage says you can do that:

https://developer.github.com/v3/oauth/#scopes
---------------------------------
NOTE: Your application can request the scopes in the initial redirection. You can specify multiple scopes by separating them with a comma:

https://github.com/login/oauth/authorize?
 client_id=...&
 scope=user,public_repo
---------------------------------------------------

Can you please make this clear to me?

Thanks in advance.

Anonymous, 2015-06-19T05:58:19-07:00:
Brilliant!!! :)

Anonymous, 2015-01-11T04:04:53-08:00:
Lol +1

homakov, 2014-06-18T15:51:01-07:00:
yes

adrian is, 2014-06-16T23:18:41-07:00:
can you tell what a "user agent" is in Bug 4.. is this the browser??

adrian is, 2014-06-16T23:14:36-07:00:
can you tell what a "user agent" is

homakov, 2014-02-13T20:52:17-08:00:
But Anderson already wrote everything clearly. Wrong redirect_uri = no token back

Anonymous, 2014-02-13T01:14:20-08:00:
Could you please answer this question about bug 2? http://security.stackexchange.com/questions/44214/what-is-the-purpose-of-oauth-2-0-redirect-uri-checking

summer, 2014-02-11T16:59:37-08:00:
You're talented. Great work!

Anonymous, 2014-02-08T23:18:49-08:00:
Please ignore the trolls. Awesome work. Instead of focusing on how you did it, they got stuck on the pay, which tells me that they are envious of your position.

On a side note, I am amazed to see this sort of bug from github.

Anyway, great work.

Test, 2014-02-08T13:25:14-08:00:
I am surprised by Bug #1 - path traversal. :O

I never expected such a bug from the GitHub guys!

Anonymous, 2014-02-08T12:51:06-08:00:
You have excellent choice in donation swag, anon. Maybe I can take it down a notch by getting you a "my other Guy Fawkes mask is in my Secret Fawkes's-Cave" bumper sticker and we can quit having anonymous 5-ways.
That way, the anonymous party celebrating progress quest Illuminati-style with this article until 7 the next night isn't so confusing and does not conflict with the 4K meme party inspired by the same article (and kittens.)

Anonymous, 2014-02-08T12:12:15-08:00:
sorry. no matter what you charge for your knowledge and pattern recognition, they are far away from "secure". stating something else is just ignorant. what you and some of these other "hire me" posters do is nothing but messing around with a dead horse on one of the last abstraction layers.

Anonymous, 2014-02-08T10:32:49-08:00:
I would donate to you, except I would expect the next day you would roll up in front of my house in a U-Haul as the new legal owner of my furniture, clothes, vehicles, and the copper piping in my house.

homakov, 2014-02-08T02:38:11-08:00:
I create a markdown Gist file, it can contain some limited HTML and imgs

Anonymous, 2014-02-08T01:27:28-08:00:
Start learning OAuth; how to implement it, how it works, etc. Without knowing how OAuth works these bugs become hard to track down.

Anonymous, 2014-02-07T23:49:11-08:00:
me too...

Anonymous, 2014-02-07T20:58:39-08:00:
How do I become you, Egor? How does one become an expert at discovering security exploits? I feel like this is what I want to do as I am growing tired of creating web applications or mobile apps for clients. Would you care to write an article for aspiring pen testers?

Anonymous, 2014-02-07T18:31:38-08:00:
Great work and very impressive!! A bit sorry to see a bunch of negative comments.
Keep the rate and don't let people undervalue quality work..

Anonymous, 2014-02-07T17:45:21-08:00:
You inspire me, thanks for being awesome!

homakov, 2014-02-07T17:03:49-08:00:
You steal a token of the user = you can do anything without the 'website' in the middle. And if the scope was bigger, as in this case, you can do more things, which the website doesn't even serve functionality for.

Anonymous, 2014-02-07T16:34:49-08:00:
I always find these security-related blog posts amusing, probably because I have zero knowledge in the field... Could you suggest a few sources that a novice / intermediate web developer should look into in order to start learning about security and vulnerabilities? I know the web is full of XSS, SQL, CSRF whatnot articles but every one I find seems very shallow.

homakov, 2014-02-07T16:30:58-08:00:
If they had hired *me* 5 months ago I'd have found the same chain 5 months ago. 5 months of being secure.