this post was submitted on 28 Jan 2024
316 points (99.1% liked)

Technology

59311 readers
6258 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] diffusive@lemmy.world 5 points 9 months ago (1 children)

Not the commenter but it seems like the parameters of the HTTP Get/Post weren't protected/checked. The API was likely something like: Email to reset: string(email account to reset) But it accepted something like: [string(email account to reset), string (email to which the reset mail is sent to)]

[–] anarchy79@lemmy.world 1 points 9 months ago* (last edited 9 months ago) (1 children)

Little Bobby Tables? Or would that be an XHR attack?

[–] diffusive@lemmy.world 2 points 9 months ago

Bobby table, this, buffer overflow... Are all similar in spirit.

Bobby table is a way for hiding the malicious SQL query after a normal query (in that case after the select with "Bobby" you inject the malicious drop table)

In this case after the normal email (that normally would serve for both identifying the user and for the mail to send the recovering mail), the attacker sends two mails, the first is fo identifying the user the second to send the recovering mail

In the case of buffer overflow you inject malicious code after normal(-ish) data

It's not an XHR attack since for the mail recovery workflow you don't need an authenticated session.

To be a bit more compassionate to the developers, this is probably some dynamic typing problem. Probably ruby is "smart" into understand that an array can contain strings after all... So an array of strings is as good as a string... But here we go into static vs dynamic typing.... And it's a bit of religious war (fun fact in 2011 i was advocating with Guido Van Rossum in having at least an optional static typing check in Python - at the time the discussion was how to make python faster/compiled - and he was borderline mocking me 😅 and few years after pytypes but still no compilation at horizon 😂)