This is a safe place for people who throw mud at the wall and see what sticks.
You can throw as much mud at the wall as you want!
Fair, but I’ll happily receive a 50 cal. to the head.
I still couldn’t find a Picard facepalm without signing up for something.
Done and done! For science.
Fucking cats… I love them and their contribution to the eradication of hoomans with love, purrs and poops.
Achieving the perfect score of 10.0 is quite an achievement!
We’ve got a 0day exploit.
The 0day impacts an organization which provides managed services for Danone, SeaGate, Unity, Shopify, Paramount Pictures, HubSpot, Amazon, PWC, Yamaha, L’Oreal.
The exploit was reported, but the vendor ignored it.
In 2024, 2 security researchers discovered a flaw in Bubble-dot-io, a self-described AI-based app development and publishing service.
Upon discovering the vulnerability, these 2 researchers notified Bubble. Unfortunately, for whatever reason, this fell on deaf ears.
These individuals subsequently did a talk on the vulnerability, published a proof-of-concept, and even wrote a paper on it. The code and paper show how easy it is to compromise websites and/or applications on Bubble. Despite all of this, Bubble still did nothing.
These 2 individuals then contacted me to request I relay the message loud and clear: you need to fix your software immediately.
In essence, this exploit allows the execution of arbitrary requests to the application’s Elasticsearch, which allows data dumping and/or exfiltration.
The application’s encryption workflow is performed in the front-end, because Bubble-dot-io uses fixed IVs (shared between ALL clients), exploiting Bubble-dot-io is possible due to the creation of arbitrary payloads by abusing the recovery keys.
All tables can be dumped, including custom tables defined as “custom.(table_name)”.
Furthermore, it’s possible to attack other clients from Bubble-dot-io because the application does all hosting internally (shared).
- Cryptography keys do not rotate, hence an attacker can reuse the same keys in new Elastic searches
- Timestamps are not verified
- Attackers can enumerate customer subdomains by fuzzing the *.bubbleapps-dot-io domain, making identification of targets easier
- If domain doesn’t match target, response header will return correct target in ‘X-BUBBLEAPP-NAME’
Supposedly, the company had a year to fix it and did nothing… The West will never win the cyberwar with China because corporate greed was and is in first place.
Hmmmm is like the browser, calling the kettle black…
Well, it’s your blog but the following seems relevant to several of your posts:
Now this I didn’t know… oh my lore!
Everyone is welcome here. Everyone can post what they find interesting or important and want to share or discuss.