Found the talk I was looking for! (Thanks frens) 
https://youtu.be/g92XUzc1OHY
API design is similar to UI design, you know? :)
New "Shai-Hulud" cyberattack spreads like a worm and compromises 187 npm packages
🔗 https://tugatech.com.pt/t71903-novo-ciberataque-shai-hulud-propaga-se-como-um-verme-e-compromete-187-pacotes-npm
#API #ataque #cascata #CD #CI #ciberataque #Github #google #javascript #linkedin #malware #npm #phishing #riscos #segurança #servidor #software
🍔 Just collabed with @BobTheShoplifter on a MASSIVE SECURITY BREACH: We exposed how Restaurant Brands International (Burger King, Tim Hortons, Popeyes) left their drive-thru systems etc completely vulnerable.
🎯 What we found:
• Unauthenticated API access to ALL drive-thru locations globally
• Drive-thru voice recordings of customers accessible
• Employee PII exposed.
• Bathroom feedback systems with zero auth
• Hardcoded passwords in client-side code
The scope was insane - we could access any drive-thru system globally. Even listen to your actual drive-thru orders 👂
Credit to RBI for lightning-fast response once disclosed, but the privacy implications were staggering.
Full technical breakdown: https://bobdahacker.com/blog/rbi-hacked-drive-thrus
#InfoSec #CyberSecurity #ResponsibleDisclosure #Privacy #GDPR #API #GraphQL #SecurityResearch #VulnDisclosure #RestaurantBrands #BurgerKing #TimHortons #Popeyes #vulnerability
We're working on a BastilleBSD API!
Built in Go for speed and portability, it opens the door to remote jail management and custom dashboards.
I mean, these ain't like in the old days where a few Megabytes got you #Pidgin and other Multi-Protocol Clients of the old days where everyone had to implement bespoke, custom and incompatible and *often completely undocumented, proprietary* protocols like #ICQ, #AIM, #SIPE, etc.
It just makes me wonder: Are modern messengers these days complicated, or have the people who have the talent to write such a #MultiProtocolIM decided that this is stupid and that, like myself, they'd never touch that shite in their life and made peace with it?
Sphinx/Manticore config: https://github.com/Podcastindex-org/search/blob/master/sphinx-person.conf
Stopword list: https://github.com/Podcastindex-org/search/blob/master/person/stopwords.txt
Government-approved digital credentials (driver license, etc.) are becoming more commonly used online. The @w3c Digital Credentials #API enables websites to request credentials, and for users to consent to return credentials that they carry around in #DigitalWallets
▶️ https://www.w3.org/TR/digital-credentials/
#FPWD #timetogiveinput
@simone explains how this API advances #privacy-preserving Web identities: https://www.w3.org/blog/2025/w3c-digital-credentials-api-publication-the-next-step-to-privacy-preserving-identities-on-the-web/ #gdc25
Feedback welcome: https://github.com/w3c-fedid/digital-credentials/
Vibe coded yet another tool.
https://github.com/ronilaukkarinen/spotify-my-station
"In addition to the way servers communicate with each other across the Fediverse, #ActivityPub also defines a “Client-to-Server” API.
This #API is mainly designed to allow apps and clients (such as mobile apps) to publish content to a Fediverse server.
In the future, this could open up interesting possibilities for #WordPress — for example, allowing WordPress to act as a bridge or proxy, making it easier to bring in and federate content from other tools or platforms."
https://activitypub.blog/2025/06/11/our-2025-roadmap-building-the-future-of-wordpress-federation/
Found and fixed two more bugs affecting only #TLS with #swad, so here's yet another "bugfix release":
https://github.com/Zirias/swad/releases/tag/v0.9
One of these bugs was always there and I never noticed (just ignoring intermediate certificates) because many clients cope well with this, but not all.
The other bug is yet another regression from earlier performance improvements. 😞
So, lots of releases these last days. I'll have to remember to do very thorough regression testing whenever "optimizing" things in existing code 🙈
In a nutshell: 0.8 was finally fine again without TLS, but if you need TLS, better use this new 0.9.
Adding what was missing for intermediate certificates, I had great fun with the #OpenSSL #API again. I mean, it never gets old. First test gave me a nice crash of #swad. Because ....
Well, to use a certificate (type X509 *), you call SSL_CTX_use_certificate(). Docs say "On success the reference counter of the x is incremented." (where x means the certificate). Great, so, call X509_free() directly afterwards to ensure this certificate gets destroyed whenever the SSL context gets destroyed.
So, just call the same function again for the intermediate certificates? No ... but there's SSL_CTX_add_extra_chain_cert() which can be used multiple times. Nice, call it in a loop as long as I find additional certificates in the cert file, and X509_free() them all directly after adding.
And then observe the crash. Well, it's documented, the manpage for SSL_CTX_add_extra_chain_cert() tells:
"The x509 certificate provided to SSL_CTX_add_extra_chain_cert() will be freed by the library when the SSL_CTX is destroyed. An application should not free the x509 object."
So, clearly my fault not reading this before. Consistency in API design is so overrated. 🤪
Just spent 6 hours trying to find out and solve why my Matrix instance is showing: {"errcode":"M_NOT_FOUND","error":"Not found"} when trying to access images. I did not notice this problem before, because Matrix/Element caches images locally using blobs, but realized this after uploading images to IRC via heisenbridge.
I first thought I had messed up my S3 Object Storage. Then thought I messed up my filesystem. Then I thought I made a mistake in yaml configs. But it was none of that.
It's been a while since I installed my Matrix server and I completely forgot how I set up my S3 Object Storage. It seems it is literally not documented. Like at all. Just like half of Matrix and Synapse.
I ended up debugging literally anything and everything without any solution. After turning all stones I even asked ChatGPT and it started to run in loops in despair. Finally ended up reading synapse changelog here one bit by bit: https://element-hq.github.io/synapse/latest/upgrade.html#authenticated-media-is-now-enforced-by-default
It seems I upgraded at some point. And wow, in between upgrades the whole thing has broken. I mean it runs without errors, but it's broken. No deprecation warnings in the log, no warnings in release logs. Left a comment here: https://github.com/element-hq/synapse/pull/17889#issuecomment-2564520513
My solution was to add in homeserver.yaml:
enable_authenticated_media: false
What I hate about Matrix is:
- Nothing is documented
- Nothing is explained
- Everything is complicated to set up
Each upgrade and extension is like building and tinkering for hours and hours and hoping for the best.
I don't know why I keep using Matrix. Guess I like being hurt all the time.
A space for Bonfire maintainers and contributors to communicate