Skip to content

Instantly share code, notes, and snippets.

View gabemeola's full-sized avatar
🐛

Gabe gabemeola

🐛
45 followers · 86 following
View GitHub Profile
@hackermondev
hackermondev / research.md
Last active May 1, 2025 13:13
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

@hackermondev
hackermondev / zendesk.md
Last active April 29, 2025 08:18
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies

hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

say hello to zendesk

If you've spent some time online, you’ve probably come across Zendesk.

Zendesk is a customer service tool used by some of the world’s top companies. It’s easy to set up: you link it to your company’s support email (like [email protected]), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare.

Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.

your weakest link

@lukeed
lukeed / cron-human.ts
Last active May 7, 2023 18:53
cron syntax & human readable output — https://t.co/CBThaezwzC
// https://crontab.guru/
// https://www.typescriptlang.org/play?ts=4.9.5#code/C4TwDgpgBAwgSgeQHJQLxQAYBIDe9kB0AogB5gBOEAzlQJYD2AdgL5S75LFmU0Mtt5EnUhWp0mrdkK6jeEgRxk9xLDAG4AUAHotUPVAB6Afg0bQkKABVqwAIxpY0gBIBXALYBDRgB4ARAGYABigATigAKgiI3wA+TR19QxMzcGhrKmAAJgdFV08fX0iwyJLY+N19Y1NzNJt-HOd3Lz9wrXriqPCy7Qq9KpSLdOAAFgbCPObCtoitUZLouJ7E-pqrGwBWMc4Jgtb6+dLFhMrk1aGANi2CHZaZ-c7u477T1LWMgHYrm99bTdbsg6PXpJaqvIYADi+TV2UXuXSOwJWYJsYXQuWhtxK00O5WWL0GNlswTRjXymKg+y0AKBeNBBIytnsJPGGMKsJm2WGNJOdNqDOyzO2rOCmUpAOxs25z15bzs9UF11ZYVFHLuUC5CNpAz5dlGCu+rV+M0ukX2UpB2tlRv1rIOFIWuJ5SwAtK6AMYuYCu52mAAmEDdABsPJQoIwPG5qGAPG7oBwoDgNHoIGR6ORgFBViJlHwHABycJ5qAAHzD7gARhByCXMK1cIwK1XmOpTMnU+nM68bpYoCngBBGL6qI5kDEHEnElZeyR+4Ph9gcLRGAAzKtQACykkXK7XTi3S9X1YAIpuBAe1+vT7hz8eAOrNieTqBGKy0SPeJwAGnXY77A6HmDXju1Y9n+c5QBk5BLgA5g+T6JC+R4eCA3iXp+UAnuhR63r+M7-vOQGHhh06zgBkEwXB8EIcRYEAb4vhQI+VH6C+lhMcxUAAFyATglisEwAhHpRHHcYwEAAG5Vuxk6iRJUlUbJknkJoE4JN6jETmcb4QB+9AuOQ6HrkunoQGO6BMUZDb9iR+FQAWRbSS+Th6dWtHDvZegvnmcnkCAUBuMZ-ZFgk8wAPpQOFoXSdxzn6TZ4ELjeUBOPFAENm4
@gabrielsson
gabrielsson / minecraft-on-raspberry-pi.md
Last active February 10, 2025 08:26
Minecraft on Raspberry Pi cluster with metrics

alt

Minecraft on Raspberry Pi cluster with metrics

Ever wanted to put your Rapsberry Pi cluster to great use? Our team is working remotely, so we started to play Minecraft. I decided I would host the Minecraft server on my Raspberry Pi cluster. This gist will guide you through the steps I took to get a k3s cluster up with k3sup and later installed Minecraft as well as metrics exporter and Prometheus Operator

Why?

Quoniam Possumus - Because we can

You'll need

@sebmarkbage
sebmarkbage / Infrastructure.js
Last active February 26, 2025 13:57
SynchronousAsync.js
let cache = new Map();
let pending = new Map();
function fetchTextSync(url) {
if (cache.has(url)) {
return cache.get(url);
}
if (pending.has(url)) {
throw pending.get(url);
}
@gabemeola
gabemeola / fsStreamToPromise.js
Last active April 5, 2019 22:15
Returns an awaitable promise from a stream
import fs from 'fs';
/**
* Returns a Promise from createReadStream pipe.
* Resolves Promise when end of data event fires.
* Rejects Promise when error occurs in stream.
*
* @param {String} filePath - File Path to create readable stream from
* @param {Stream} writableStream - Writable Stream to write to
@WaldoJeffers
WaldoJeffers / compose.js
Last active January 3, 2024 16:47
JavaScript one-line compose (ES6)
const compose = (...fns) => fns.reduce((f, g) => (...args) => f(g(...args)))
// Usage : compose functions right to left
// compose(minus8, add10, multiply10)(4) === 42
//
// The resulting function can accept as many arguments as the first function does
// compose(add2, multiply)(4, 10) === 42
@spion
spion / translate-error.js
Last active March 21, 2025 11:42
function translateError(msg) {
var newErr = new Error(msg); // placed here to get correct stack
return e => {
newErr.originalError = e;
throw newErr;
}
}
async function asyncTask() {
const user = await UserModel.findById(1).catch(translateError('No user found'))
@Rich-Harris
Rich-Harris / footgun.md
Last active March 9, 2025 06:13
Top-level `await` is a footgun

Edit — February 2019

This gist had a far larger impact than I imagined it would, and apparently people are still finding it, so a quick update:

  • TC39 is currently moving forward with a slightly different version of TLA, referred to as 'variant B', in which a module with TLA doesn't block sibling execution. This vastly reduces the danger of parallelizable work happening in serial and thereby delaying startup, which was the concern that motivated me to write this gist
  • In the wild, we're seeing (async main(){...}()) as a substitute for TLA. This completely eliminates the blocking problem (yay!) but it's less powerful, and harder to statically analyse (boo). In other words the lack of TLA is causing real problems
  • Therefore, a version of TLA that solves the original issue is a valuable addition to the language, and I'm in full support of the current proposal, which you can read here.

I'll leave the rest of this document unedited, for archaeological

@Leask
Leask / PurgeParallelsAccess.sh
Created September 5, 2016 08:27
Find and remove existing installations of Parallels Access
#!/usr/bin/env bash
#
# Find and remove existing installations of Parallels Access
export PATH=/bin:/sbin:/usr/bin:/usr/sbin
RootCheck () {
if [ $(id -u) != "0" ]
then
sudo -p "This script requires administrative privileges. Please enter your password: " "$0" "$@"