The more and more old servers I see close, the more intolerable it is that Mastodon still doesn't offer a way to migrate data like posts to new accounts. A user's post history is valuable, and it's more valuable the older the account is. Users *should* have the option to migrate those to a new server!
@adamshostack where are you seeing reference to symmetric keys?
In the Technical Details section on Actor Tokens, it says “These hybrid setups used to provision a certificate credential on the Exchange Online Service Principal (SP) in the tenant, with which it can perform authentication.” Adversary would then use the (x509) cert (and private key) to authN to eSTS (the Entra IdP), get one of these wacky “Actor Tokens” that AAD Graph doesn’t validate properly.
eSTS does support both x509 and client secrets for an SP to authN, but client secrets are just CSPRNG-generated passwords. They’re bearer tokens, not symmetric AES or RC4 keys.
I’d argue the causes were the ad-hoc “Actor Tokens” for impersonation (wrapping in an unsigned JWT: what the heck?), and that AAD Graph still hasn’t been shut down. It’s been deprecated since before I joined MS Identity in 2020, and has been a steady source of vulns
On the 26th of September I will also be streaming a birthday demoparty from London, I heavily encourage everyone to send entries!
kernel hackers go serverless
ring0 → cloud 9 ☁️ ??
brb pwning yr gpu nodes ✨
Holy moly. The DOJ just unveiled their charges against Jubair, alleging he was involved in 120 intrusions and extortion against 47 US entities. The complaint alleges victims paid at least $115 million in ransom payments. At a hearing today in the UK, it emerged that Jubair had access to $200 million in crypto, and Flowers $7M
“Rowhammer Attacks on DDR5 ::: PTE Exploit Demo” https://www.youtube.com/watch?v=1emxVQ6__qg
I'm only now figuring out that today's npm attack is distinct from yesterday's npm attack.
Who could have figured out that automatically downloading half the internet and ten thousand always-changing dependencies every time you build could actually be a weakness?
Took me way too long due to scope creep, but: The Hacker Webring is now up!
Members vote for other users. Given enough users, the whole system should work by itself, without administrative intervention.
It’s still somewhat rough around the edges, but functional!
DOMPurify 3.2.7 has been released today, adding several fixes and improvements.
https://github.com/cure53/DOMPurify/releases/tag/3.2.7
Thanks to all folks who contributed 💕
added a cheat sheet to the official Git website
(with a lot of help from other folks who work on the website)
Drew DeVault writes:
“Perhaps Google and Mozilla, leaders in JavaScript standards and implementations, will start developing a real standard library for JavaScript, which makes micro-dependencies like left-pad a thing of the past.”
There is an interesting logic flaw here. There is in fact String.prototype.padStart built into JavaScript; it has been available for at least eight years. How often did you see that used in production code? Me, having reviewed lots of codebases over the past years – almost never. Meanwhile the cumulative downloads for various string padding libraries on NPM still go into millions per week. It’s not even that many software projects directly depending on them, but way too many projects having complicated dependencies that in some corner of their wide dependency tree aren’t too up to date with these “newfangled” language features.
And if something else is an indicator: I still regularly see jQuery being used in new projects, decades after it became obsolete thanks to browsers improving. No amount of pointing out how harmful it is to sane development patterns helped here.
So I’m not sure that I can see Drew DeVault’s proposed solution to the dependency hell succeeding even if we could get the industry behind it. The inertia behind JavaScript is enormous, and in many areas the usage barely moved beyond JavaScript 1.5. Yet most projects today use a whole array of linters and build tools to aid development, and these are really complicated beasts. Maybe it’s possible to shrink their dependency trees a bit but the complexity isn’t going away.
Maybe the real question is: why does my build process have the potential to compromise my system unless I do some crazy hacks that no sane person would normally bother with? The build result will typically run in some kind of sandbox with very limited damage potential, why doesn’t the build process?