Royce Williams roycewilliams

@tef
tef / undo.py
Last active October 21, 2024 20:01
"""
a write-ahead-log with undo and redo
undo and redo can be implemented atop list of actions, where
each new action adds onto the list, and undo removes it from
the list, and updates the predecessor with the new redo option,
and redo does the opposite process
say we have some history:
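
The docstring above is cut off in this preview. As an added illustration of the scheme it describes (this is not tef's undo.py), here is a small branching history in Python: applied actions live in a list, undo pops the tail and hands the record to its predecessor as a new redo option, and redo re-applies the predecessor's most recent option, so an undone branch is never lost from the log. The `Action`/`Entry`/`History` names and the dict-valued state are assumptions of this example.

```python
from dataclasses import dataclass, field

# Added example, not tef's undo.py: names and the dict-valued state are assumed.


@dataclass
class Action:
    """Set `key` to `new`; `old` is the previous value (None if it was absent)."""
    key: str
    old: object
    new: object

    def apply(self, state):
        state[self.key] = self.new

    def revert(self, state):
        if self.old is None:
            state.pop(self.key, None)
        else:
            state[self.key] = self.old


@dataclass
class Entry:
    """One log record: the action plus the successors undone after it."""
    action: Action
    redo: list = field(default_factory=list)  # undone successors, newest last


class History:
    def __init__(self):
        self.state = {}
        self.log = []              # applied entries, oldest first
        self.root = Entry(None)    # carries redo options when the log is empty

    def _head(self):
        return self.log[-1] if self.log else self.root

    def do(self, key, value):
        """Append a fresh action. Older redo options on the head are kept, so a
        later undo simply adds this action as the newest option."""
        action = Action(key, self.state.get(key), value)
        action.apply(self.state)
        self.log.append(Entry(action))
        return action

    def undo(self):
        """Pop the tail, revert it, and give the record to the predecessor as
        its newest redo option. Returns None when there is nothing to undo."""
        if not self.log:
            return None
        entry = self.log.pop()
        entry.action.revert(self.state)
        self._head().redo.append(entry)
        return entry.action

    def redo(self):
        """Re-apply the head's most recent redo option (the opposite of undo)."""
        head = self._head()
        if not head.redo:
            return None
        entry = head.redo.pop()
        entry.action.apply(self.state)
        self.log.append(entry)
        return entry.action

    def redo_options(self):
        """Actions that could be redone from the current position, oldest first."""
        return [e.action for e in self._head().redo]


def demo():
    """Walk a branching history; return the state after each step."""
    h = History()
    seen = []
    steps = (lambda: h.do("a", 1), lambda: h.do("b", 2), h.undo,
             lambda: h.do("c", 3), h.undo, h.redo, h.undo, h.undo,
             h.redo, h.redo)
    for step in steps:
        step()
        seen.append(dict(h.state))
    return seen


if __name__ == "__main__":
    for s in demo():
        print(s)
```

After `do a, do b, undo, do c, undo` the predecessor `a` holds two redo options (`b`, then `c`); `redo()` picks `c` because it was undone last, and undoing it again puts it back, so the older `b` branch stays reachable through `redo_options()`.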
@hackermondev
hackermondev / zendesk.md
Last active November 15, 2024 17:02
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies

hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

say hello to zendesk

If you've spent some time online, you’ve probably come across Zendesk.

Zendesk is a customer service tool used by some of the world’s top companies. It’s easy to set up: you link it to your company’s support email (like [email protected]), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare.

Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.

your weakest link

ossec-win32 used by Storm-0501
https://www.ossec.net/about/
OSQuery used by Storm-0501
https://www.osquery.io/
GitGuardian used by Scattered Spider*
https://www.gitguardian.com/
MAGNET RAM Capture used by Scattered Spider*
@adtac
adtac / README.md
Last active October 27, 2024 08:53
Using your Kindle as an e-ink monitor

3.5 fps, Paperwhite 3
@adtac_

step 1: jailbreak your Kindle

mobileread.com is your best resource here, follow the instructions from the LanguageBreak thread

I didn't really follow the LanguageBreak instructions because I didn't care about most of the features + I was curious to do it myself, but the LanguageBreak github repo was invaluable for debugging

@velzie
velzie / manifest-v2-chrome.md
Last active November 11, 2024 17:49
How to keep using adblockers on chrome and chromium

  1. google's manifest v3 has no analogue to the webRequestBlocking API, which is necessary for (effective) adblockers to work
  2. starting in chrome version 127, the transition to mv3 will start cutting off the use of mv2 extensions altogether
  3. this will inevitably piss off enterprises when their extensions don't work, so the ExtensionManifestV2Availability key was added and will presumably stay forever after enterprises complain enough

You can use this as a regular user, which will let you keep your mv2 extensions even after they're supposed to stop working

Linux

In a terminal, run:
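
The command itself is cut off in this preview. As an added example (this is not velzie's gist, and it is written in Python rather than as the shell one-liner the gist presumably gives), here is a script that drops the `ExtensionManifestV2Availability` key into the managed-policy directory Chrome or Chromium reads on Linux and then reads the directory back, so you can see whether any other file there already pins the same key. The directory paths and the policy's documented values (0 default, 1 disabled, 2 enabled, 3 enabled only for force-installed extensions) are facts about Chrome's enterprise policy; the function names and the `manifest-v2.json` file name are this example's assumptions.

```python
import json
import tempfile
from pathlib import Path

# Added example, not velzie's gist. Documented values of the
# ExtensionManifestV2Availability enterprise policy.
MV2_DEFAULT, MV2_DISABLED, MV2_ENABLED, MV2_FORCED_ONLY = 0, 1, 2, 3
POLICY_KEY = "ExtensionManifestV2Availability"

# Managed-policy directories Chrome and Chromium scan on Linux. Every *.json
# in them is loaded at browser start and applies to all users and profiles.
POLICY_DIRS = {
    "chrome": Path("/etc/opt/chrome/policies/managed"),
    "chromium": Path("/etc/chromium/policies/managed"),
}


def write_mv2_policy(policy_dir, value=MV2_ENABLED, name="manifest-v2.json"):
    """Write a policy file that sets the MV2 key (root is needed for the real
    directories). The value is validated before anything touches the disk."""
    if value not in (MV2_DEFAULT, MV2_DISABLED, MV2_ENABLED, MV2_FORCED_ONLY):
        raise ValueError(f"unknown {POLICY_KEY} value {value!r}")
    policy_dir = Path(policy_dir)
    policy_dir.mkdir(parents=True, exist_ok=True)
    path = policy_dir / name
    path.write_text(json.dumps({POLICY_KEY: value}, indent=2) + "\n")
    path.chmod(0o644)  # readable by the browser, writable only by the owner
    return path


def read_mv2_settings(policy_dir):
    """Map every JSON policy file in the directory that sets the key to its
    value. Two files setting it is a conflict worth resolving by hand."""
    found = {}
    for f in sorted(Path(policy_dir).glob("*.json")):
        try:
            data = json.loads(f.read_text())
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to report for this file
        if isinstance(data, dict) and POLICY_KEY in data:
            found[f.name] = data[POLICY_KEY]
    return found


def demo():
    """Write and read back in a scratch directory, so no root is needed."""
    with tempfile.TemporaryDirectory() as tmp:
        write_mv2_policy(tmp)
        return read_mv2_settings(tmp)


if __name__ == "__main__":
    print(demo())
    # Real use: write_mv2_policy(POLICY_DIRS["chrome"]) as root, then restart
    # the browser and confirm the key is listed on chrome://policy.
```

One caveat for anyone using this on a machine they are responsible for: the same directory accepts every other enterprise policy, and a file there is applied silently and machine-wide, so keep it root-owned and treat any file you did not put there as a finding when you audit the host.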

@smx-smx
smx-smx / XZ Backdoor Analysis
Last active October 12, 2024 07:23
[WIP] XZ Backdoor Analysis and symbol mapping
XZ Backdoor symbol deobfuscation. Updated as i make progress
@q3k
q3k / hashes.txt
Last active November 11, 2024 17:38
liblzma backdoor strings extracted from 5.6.1 (from a built-in trie)
0810 b' from '
0678 b' ssh2'
00d8 b'%.48s:%.48s():%d (pid=%ld)\x00'
0708 b'%s'
0108 b'/usr/sbin/sshd\x00'
0870 b'Accepted password for '
01a0 b'Accepted publickey for '
0c40 b'BN_bin2bn\x00'
06d0 b'BN_bn2bin\x00'
0958 b'BN_dup\x00'
@thesamesam
thesamesam / xz-backdoor.md
Last active November 4, 2024 18:32
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said, we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that
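
The FAQ text is cut off here. As an added triage helper (not part of the FAQ), the check below parses `xz --version` output and flags the two release versions that carried the CVE-2024-3094 backdoor, 5.6.0 and 5.6.1. The payload lives in liblzma rather than the `xz` binary, so both lines of the version output are parsed. The sample outputs at the bottom are constructed for the test, not captured from real systems, and the function names are this example's own.

```python
import re
import shutil
import subprocess

# Added example, not part of the FAQ. The two xz-utils releases that shipped
# the CVE-2024-3094 backdoor.
BACKDOORED_XZ_RELEASES = frozenset({"5.6.0", "5.6.1"})

# `xz --version` prints two lines: "xz (XZ Utils) X.Y.Z" and "liblzma X.Y.Z".
_XZ_RE = re.compile(r"^\S*xz \(XZ Utils\) (\S+)", re.M)
_LZMA_RE = re.compile(r"^liblzma (\S+)", re.M)


def parse_xz_version_output(text):
    """Return {'xz': ver, 'liblzma': ver}; a missing line maps to None."""
    xz = _XZ_RE.search(text)
    lz = _LZMA_RE.search(text)
    return {"xz": xz.group(1) if xz else None,
            "liblzma": lz.group(1) if lz else None}


def flag_backdoored(versions):
    """Names of the components whose version is one of the backdoored releases."""
    return sorted(k for k, v in versions.items() if v in BACKDOORED_XZ_RELEASES)


def check_installed_xz():
    """Run the installed xz, if any, and return (versions, flagged_components).
    Returns None when no xz binary is on PATH."""
    if shutil.which("xz") is None:
        return None
    proc = subprocess.run(["xz", "--version"], capture_output=True,
                          text=True, check=False)
    versions = parse_xz_version_output(proc.stdout)
    return versions, flag_backdoored(versions)


# Constructed sample outputs (not captured from real systems).
SAMPLE_CLEAN = "xz (XZ Utils) 5.4.5\nliblzma 5.4.5\n"
SAMPLE_HIT = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"

if __name__ == "__main__":
    print(check_installed_xz())
```

A version match is a reason to look closer, not proof of compromise: the backdoor was injected at build time under specific conditions, so a 5.6.x built outside those conditions can be clean, and a distribution may ship a patched package whose reported version differs from the upstream release number. Use the version check to decide where to spend the deeper analysis effort that the rest of this FAQ and the gists above describe.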

// Substitution alphabet: a permutation of the 127 character codes 0x00-0x7e.
// Codes 0x00-0x27 (controls, space, and !"#$%&') map to themselves; the rest
// of the punctuation, the digits and the letters are shuffled. This is a fixed
// substitution table (obfuscation), not encryption.
const NEW_CHARMAP = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20!\"#$%&'{([])}*+-.\\/0123456789:;,<=>?@EeAaUuOoIiFfGgHhJjLl|WwMmNnBbDdTtPpQqRrKkCcSsZzVvXxYy^_`~";

// Old code -> new code: the character's position in the table. Returns -1 for
// anything not in the table (0x7f or any non-ASCII code).
function get_new_char_code(old_char_code) {
  return NEW_CHARMAP.indexOf(String.fromCharCode(old_char_code));
}

// New code -> old code: the character stored at that position. Returns NaN
// when the position is outside the table.
function get_old_char_code(new_char_code) {
  return NEW_CHARMAP.charCodeAt(new_char_code);
}
RSA Private-Key: (6969 bit, 69 primes)
modulus:
01:01:a2:9e:47:bc:24:44:b8:5a:6d:ee:28:5a:e0:
66:13:46:f1:b6:33:54:91:86:c2:91:1c:5e:b9:4a:
7b:0f:b8:24:86:a1:66:5a:fd:0e:59:a1:bf:e8:8f:
7a:50:29:47:d5:6e:03:c4:50:1d:ac:38:7d:c3:30:
9a:5e:07:b8:1c:21:d8:c7:d1:91:b2:59:da:0d:66:
9d:99:12:51:9d:e4:04:f4:3b:30:b4:b9:96:91:4b:
4c:6f:73:e5:09:86:ee:d2:fa:5f:a1:98:0b:ba:05:
6e:ab:4d:c9:29:a8:b7:eb:06:84:f2:c4:46:a9:cd: