Post 9tGsADSPvClmqUS240 by sirikon@plaza.remolino.town
Post #9tGsADSPvClmqUS240 by sirikon@plaza.remolino.town
       2020-03-22T16:32:19.531529Z
       
       0 likes, 1 repeats
       
If you're doing something in Node that involves very important secrets being sent around, consider this: *Any* part of your software, including third party packages, can import stdlib libraries like 'https' and replace the methods with fake ones, performing a MITM. With this snippet I was able to intercept a user's password while it was being sent in an HTTPS request, in a project of mine that I will definitely rewrite in something else.
       
Post #9tGxZZD4gOjvJvBMno by lvl@fosstodon.org
       2020-03-22T17:40:55Z
       
       0 likes, 0 repeats
       
       @sirikon Interesting, but isn't this applicable to all programming languages? There's no MITM, as a library is part of the application, and it also has access to application memory. There's no memory segmentation for libraries. If ANY part of your software uses a third party package, which is malicious, you can do "MITM" by poking at memory.
       
Post #9tH0H5R0wn4Ncla9T6 by sirikon@plaza.remolino.town
       2020-03-22T18:06:23.381648Z
       
       0 likes, 0 repeats
       
@lvl Maybe MITM isn't the correct term to describe it. What I wanted to say is: without any memory poking from the outside, in a high level language like JavaScript without raw memory access, from any normal-looking package that doesn't require node-gyp related stuff, you can access this kind of information. That's a context that pretty much anyone would assume is safe enough to temporarily store a password in a variable that won't be shared with any third party library, only the stdlib. This is something that can be done by default in Node, but can't be done in many other languages, not by default or without explicitly adding some kind of flag or AST transformer. Also, the Node community is used to having a *lot* of dependencies in the dependency tree and not caring at all.
       
Post #9tH0H5qBRDCcspMFhQ by lvl@fosstodon.org
       2020-03-22T18:11:12Z
       
       0 likes, 0 repeats
       
@sirikon the same applies to Python, PHP and most likely other interpreted languages.