Erb3

  • Norway
  • 07:57 (UTC +02:00)
@hackermondev
hackermondev / research.md
Last active April 22, 2025 15:20
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

SwitchCraft 3 introduction for new players

SC3 is a Minecraft server built around ComputerCraft. Apart from CC:Tweaked, Plethora, and a few homebrewed mods, there is not much else in the modpack. This gives the game a very vanilla+ feel which manages to have a rather extended endgame due to progression not being the main focus. You probably joined for the ComputerCraft mod, and this tutorial will get to it eventually, but first let me introduce you to all (most) of the new items from all of the mods:

  1. Computers
  • Computers: Blocks that execute arbitrary Lua code.
---This is a library to handle mass 16 color printing in ComputerCraft.
-- This requires abstractInvLib https://gist.github.com/MasonGulu/57ef0f52a93304a17a9eaea21f431de6
-- Copyright 2023 Mason Gulu
-- Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-- The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
@motoyasu-saburi
motoyasu-saburi / lack_escape_content-disposition_filename.md
Last active March 4, 2025 05:49
Land Mine named "Content-Disposition > filename"

TL;DR

  • I found 1 browser, 1 language, and 15 vulnerabilities in { Web Framework, HTTP Client library, Email library / Web Service, etc }
  • All the vulnerabilities I found were found from a single perspective (I investigated maybe 50-80 products).
  • The RFC description of the problem (rather confusingly) describes the requirements for this problem, while the WHATWG > HTML Spec is well documented.
  • The problem is clearly targeted at the Content-Disposition fields filename and filename*.
  • This problem affects HTTP Request/Response/Email in different ways.
    • HTTP Request : request tampering (especially with file contents, tainting of other fields, etc.)
    • HTTP Response : Reflect File Download vulnerability
    • Email : Attachment tampering (e.g., extension and filename tampering and potential file content tampering)
--- Inventory Abstraction Library
-- Inventory Peripheral API compatible library that caches the contents of chests, and allows for very fast transfers of items between AbstractInventory objects.
-- Transfers can occur from slot to slot, or by item name and nbt data.
-- This can also transfer to / from normal inventories, just pass in the peripheral name.
-- Use {optimal=false} to transfer to / from non-inventory peripherals.
-- Now you can wrap arbitrary slot ranges
-- To do so, rather than passing in the inventory name when constructing (or adding/removing inventories)
-- you simply pass in a table of the following format
-- {name: string, minSlot: integer?, maxSlot: integer?, slots: integer[]?}
@MCJack123
MCJack123 / on-writing-an-os.md
Last active February 27, 2025 20:46
On Writing a ComputerCraft OS

One of the most common projects I've seen for ComputerCraft is to write an operating system. People look at the limited command-line interface that CraftOS provides, and think, "I want this to work like my normal computer does!" Time and time again, a new post pops up on the ComputerCraft forums or Discord either announcing an OS, or asking for help with an OS, or releasing an OS. Usually, there are some very obvious flaws in these "OS"es, ranging from poor design choices, to overstating what they are and underdelivering. There are many common misunderstandings and oversights that newbie developers run into when writing an operating system, and these end up creating mediocre products at best.

A Critical Distinction

The term "OS" is thrown around a lot, and in my opinion it's very overused. According to [Wikipedia]: "An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs." However, m

@MCJack123
MCJack123 / dbprotect.lua
Last active June 4, 2024 18:06
dbprotect.lua - Protect your functions from the debug library
-- dbprotect.lua - Protect your functions from the debug library
-- By JackMacWindows
-- Licensed under CC0, though I'd appreciate it if this notice was left in place.
-- Simply run this file in some fashion, then call `debug.protect` to protect a function.
-- It takes the function as the first argument, as well as a list of functions
-- that are still allowed to access the function's properties.
-- Once protected, access to the function's environment, locals, and upvalues is
-- blocked from all Lua functions. A function *can not* be unprotected without
-- restarting the Lua state.