Post AHgHwvfCHOJQFvZCDI by Spec@nicecrew.digital
 (DIR) Post #AHgGjj4pfH93V6hKHg by rob@nicecrew.digital
       2022-03-22T19:33:54.696243Z
       
       2 likes, 1 repeats
       
       Standard.
       
 (DIR) Post #AHgGrQ5i8aGyvxmGNU by BajaTex@nicecrew.digital
       2022-03-22T19:35:18.025718Z
       
       2 likes, 0 repeats
       
       this is what happens when you simultaneously try to code gatekeeping and scalability at the same time
       
 (DIR) Post #AHgH2baVjVg7mAW968 by rob@nicecrew.digital
       2022-03-22T19:37:19.367148Z
       
       2 likes, 0 repeats
       
       Welcome to the Special Olympics of Social Media :)
       
 (DIR) Post #AHgHwvfCHOJQFvZCDI by Spec@nicecrew.digital
       2022-03-22T19:40:43.828015Z
       
       1 likes, 0 repeats
       
       Years of this crap. Years. How many people threw money at Gab and they still can't get a crucial social media thing (reposting) to work properly. At what point are more people going to realize to not spend any more money on Gab?
       
 (DIR) Post #AHgHww9gS2hNmTpXjU by rob@nicecrew.digital
       2022-03-22T19:47:29.940034Z
       
       1 likes, 0 repeats
       
       Probably right after they realize Facebook might not be okay to use at all… if we’re lucky. This is why it’s best to leave these retards stuck in yesterday, defenseless, and unable to fend for themselves :)
       
 (DIR) Post #AHgwSez9otXLxlaX9U by alex@gleasonator.com
       2022-03-23T03:21:21.355812Z
       
       18 likes, 1 repeats
       
       When Gab got hacked last year, they were scrambling to figure out how to stop it. They patched the SQL injection, but a bunch of verified accounts like Babylon Bee were still spamming shit. Gab made a post, something like “oh no, we’re getting hacked again! Don’t understand why.” I watched from a distance and after like 4 hours with no solution, it occurred to me the hacker had just downloaded the oauth_tokens table during the initial attack and was reusing them. So I messaged fosco and wrote “You should delete the oauth_tokens table.” He never replied, but not 20 minutes later Torba announced they solved the problem, by deleting all the oauth tokens. Not sure if you were still there during that.
       
 (DIR) Post #AHgwjUssd4qHYcgGJM by RustyCrab@kiwifarms.cc
       2022-03-23T03:24:27.263805Z
       
       1 likes, 0 repeats
       
       @alex @rob how does one obtain oauth tokens in the first place
       
 (DIR) Post #AHgx5FERVL33Nr8W4O by RustyCrab@kiwifarms.cc
       2022-03-23T03:28:23.166811Z
       
       1 likes, 0 repeats
       
       @alex @rob I don't really have enough real world security experience to know how somebody could just go "hero derp database" without just wildly incompetent security... Or an inside leak
       
 (DIR) Post #AHgxm3pll1rmUB0nia by rob@nicecrew.digital
       2022-03-23T03:36:08.927877Z
       
       7 likes, 3 repeats
       
       What happened was [a developer] committed a security vulnerability - a query susceptible to SQL injection - which allowed an attacker to pretty much fetch whatever they wanted. So, they did. The attacker saw the exploit by monitoring Gab’s GitLab repository for changes. As soon as they saw this “feature” they immediately moved and lifted the entire OAuth token table. The attacker can only be described as “intimately familiar” with Mastodon, knew what to be looking for, and caught the mistake instantly. The bug was fixed (but now wasn’t the only problem to deal with), and git history was re-written to cover up “who dunnit” in the code. Gab then later shut down access to Gab Social on their GitLab, and moved to only making the code available as a “tarball” that they update “whenever” - which explores the terms and conditions of AGPLv3 to say the least. I don’t know if they’ve restored access to the repo or are still distributing a tarball. It was not an inside leak. It was a Computer Science 101-level programming error that got immediately exploited by someone who was camping the GitLab looking for anything they could use.
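
       Two posts above point at the same defensive lesson: alex's observation that the stolen tokens kept working after the injection was patched, and rob's account of the whole OAuth token table being lifted. The table itself must be useless to whoever dumps it, and the operator needs a one-step way to invalidate everything issued before containment. The following is an added example, not code from this thread, Gab or Mastodon; it assumes a constructed in-memory TokenStore standing in for the real oauth_tokens table.

```ruby
require "digest"
require "securerandom"

# Constructed stand-in for an oauth_tokens table. Only a SHA-256 digest of
# each bearer token is stored, so a dumped copy cannot be replayed.
class TokenStore
  Row = Struct.new(:token_digest, :user, :issued_at)

  def initialize
    @rows = []
    @revoked_before = nil # set by revoke_all!; older tokens are dead
  end

  def self.digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Plaintext goes to the client once; only its digest is persisted.
  def issue(user, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @rows << Row.new(self.class.digest(token), user, now)
    token
  end

  # Returns the owning user, or nil if unknown or revoked.
  def authenticate(token)
    d = self.class.digest(token)
    row = @rows.find { |r| secure_compare(r.token_digest, d) }
    return nil if row.nil?
    return nil if @revoked_before && row.issued_at < @revoked_before
    row.user
  end

  # The containment step from the thread: invalidate every token issued
  # before the cut-off, forcing all sessions to re-authenticate.
  def revoke_all!(before: Time.now)
    @revoked_before = before
  end

  # What a leaked copy of the table would contain: digests, never tokens.
  def dump
    @rows.map(&:to_a)
  end

  private

  # Constant-time digest comparison.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```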
       
 (DIR) Post #AHgxtmyALMCEUvclo8 by rob@nicecrew.digital
       2022-03-23T03:37:32.731700Z
       
       5 likes, 0 repeats
       
       I was “at” Gab but not really, and had exactly nothing to do with Social by this time. They were >>> over there >>> getting slapped in the face, and I was just doing the Happy HYDRA thing finishing Gab TV trying to quit.
       
 (DIR) Post #AHgyBUfL8PY8wVGEu8 by woe@nicecrew.digital
       2022-03-23T03:40:44.680914Z
       
       0 likes, 0 repeats
       
       Be thankful for attackers with the chops to rapidly exploit something, and the complete lack of self control or creativity to make it really hurt.
       
 (DIR) Post #AHgyJQLr3iIjsXvcq8 by alex@gleasonator.com
       2022-03-23T03:42:07.316956Z
       
       0 likes, 0 repeats
       
       All I want to know is if anyone brought my name up at all during that conversation, or if they “independently” solved the problem.
       
 (DIR) Post #AHgycwmGiwOHwrao08 by RustyCrab@kiwifarms.cc
       2022-03-23T03:45:37.460937Z
       
       1 likes, 0 repeats
       
       @rob @alex thank you that pretty much explains it. From experience in other areas I'm guessing somebody got lazy with SQL parameters as a "quick hack" and then forgot to fix it
       
 (DIR) Post #AHgyeQ971BjZK3ypk0 by CyberShell@nicecrew.digital
       2022-03-23T03:45:58.316261Z
       
       1 likes, 0 repeats
       
       Not sanitizing SQL user input will do that. I learned that last semester, and more this year.
       
 (DIR) Post #AHgyl7wl5522uDOqEy by rob@nicecrew.digital
       2022-03-23T03:47:11.098484Z
       
       1 likes, 0 repeats
       
       The developer was still incredibly new to Ruby/Rails and didn’t realize there is “a way” to do SQL parameters, correct. Exactly raw input was string-substituted into a query, and you understand what a semicolon can do at that point.
       
 (DIR) Post #AHgytL8Nvxls7fkoWu by RustyCrab@kiwifarms.cc
       2022-03-23T03:48:39.459093Z
       
       0 likes, 0 repeats
       
       @rob @alex faaantastic
       
 (DIR) Post #AHgz5S9PfjpBML0jtg by deprecated_ii@poa.st
       2022-03-23T03:50:50.895588Z
       
       2 likes, 0 repeats
       
       @RustyCrab @rob @alex handling SQL correctly feels more natural than doing it wrong to me, like it's not a bother, so these errors always amuse me a bit
       
 (DIR) Post #AHgzAo61VWNirxyihs by RustyCrab@kiwifarms.cc
       2022-03-23T03:51:49.081532Z
       
       2 likes, 0 repeats
       
       @deprecated_ii @alex @rob it would feel natural if you're used to formatting C strings
       
 (DIR) Post #AHh8l5QtQWjIeO796W by rob@nicecrew.digital
       2022-03-23T05:39:13.329766Z
       
       1 likes, 0 repeats
       
       I wasn’t involved in the majority of the discussions during the hack. Honestly can’t say whether your name came up, I simply wasn’t involved in things they were doing to mitigate this situation. I just know how it happened because, same as anyone else who looked at the time, it was on their public GitLab as a commit where people could see that an exploitable query was running in production. As for how they eventually decided to nuke the OAuth2 token table, I just don’t know. Like you, I just know that it’s a step they took as part of the mitigation and repairs.
       
 (DIR) Post #AHioucLinsesZvsmPo by oneway@oneway.masto.host
       2022-03-24T01:06:15Z
       
       0 likes, 0 repeats
       
       @alex @rob You just can't stop can you? Cuck is a lifestyle. Why would you help those retards? Why would you care if some fat jewish con artist remembers you?