Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Remote code execution through a vulnerability in Facebook Messenger for Windows (June 2024) - 1750

Dzmitry, posted 5 months ago
  • Meta's Facebook Messenger supports end-to-end encrypted chats: you can pick a friend and start an encrypted conversation with them. Because the server cannot inspect the messages, all validation of received content has to happen on the client side, which creates a large attack surface that the author of the post looked into.
  • The author was experimenting with the Android client, sending attachments to a user on a Windows machine over an encrypted chat. They tried a trick as old as security itself, path traversal: adding some ../ to the attachment path to see what would happen. It worked: if a victim can receive messages from you, you can write a file to any location on their Windows machine!
  • This has two crucial limitations: existing files cannot be overwritten, and there is a 256-character limit because of the Windows file-system path limit. The directory path that the file name is appended to is already 212 characters long, leaving 44 to work with, and after traversing up to the root of the C drive only 12 characters remain. What to do?
  • Slack and Viber have very short directory names, so the author targeted those. Using DLL hijacking, they dropped a DLL into a directory from which those programs would load it, which naturally led to RCE on the victim's device.
  • Initially, they received a payout of 35K. They linked to Meta's bug bounty payout page and argued that the initial award was insufficient. After doing that, they were awarded another 75K. It's essential to push back on your payouts!
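
The root cause summarised above is a client that trusts a sender-supplied attachment name when choosing where to write it. The check below is an added example of how a receiving client can reject such names before touching the file system; it is not code from Meta, Messenger or the original post. The download directory, the sample attachment names and the use of Windows MAX_PATH (260) as the length limit are constructed assumptions for illustration.

```python
"""Validate a sender-supplied attachment name before writing it to disk.

Added example (not code from the original post or from Meta). The download
directory, the sample names and the MAX_PATH figure are assumptions.
"""
import ntpath
import re

# Assumed limit: Windows MAX_PATH is 260 characters including the terminating NUL.
WINDOWS_MAX_PATH = 259

# Characters Windows forbids in a file name component. Including both path
# separators and ':' means any attempt at a relative, absolute or drive-relative
# path is rejected outright instead of being silently "cleaned up".
_FORBIDDEN = re.compile(r'[<>:"/\\|?*\x00-\x1f]')

# Legacy device names that Windows resolves regardless of extension.
_RESERVED = {"CON", "PRN", "AUX", "NUL"} \
    | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


class UnsafeAttachmentName(ValueError):
    """Raised when a name would be written outside the download directory."""


def safe_attachment_path(download_dir: str, remote_name: str) -> str:
    """Return the absolute path an attachment may be written to, or raise.

    Layer 1 rejects names containing separators, drive letters, forbidden
    characters, dot-only names (".", "..") and reserved device names.
    Layer 2 joins the name onto the download directory, normalises the result
    and confirms it is still inside that directory, so a future change to
    layer 1 cannot reintroduce traversal unnoticed.
    Layer 3 enforces the path length limit rather than letting the file system
    truncate or fail in a way the caller might not notice.
    """
    name = remote_name
    if not name or name.strip(". ") == "" or _FORBIDDEN.search(name):
        raise UnsafeAttachmentName(f"rejected attachment name: {remote_name!r}")
    if name.split(".")[0].upper() in _RESERVED:
        raise UnsafeAttachmentName(f"reserved device name: {remote_name!r}")

    base = ntpath.normpath(download_dir)
    candidate = ntpath.normpath(ntpath.join(base, name))
    try:
        contained = ntpath.commonpath([base, candidate]) == base
    except ValueError:  # different drive or absolute/relative mix
        contained = False
    if not contained:
        raise UnsafeAttachmentName(f"path escapes download dir: {candidate!r}")

    if len(candidate) > WINDOWS_MAX_PATH:
        raise UnsafeAttachmentName(f"path too long ({len(candidate)} chars)")
    return candidate


def is_safe_attachment_name(download_dir: str, remote_name: str) -> bool:
    """Boolean wrapper, convenient for logging or metrics on rejected names."""
    try:
        safe_attachment_path(download_dir, remote_name)
        return True
    except UnsafeAttachmentName:
        return False


if __name__ == "__main__":
    # Constructed download directory and sender-supplied names for illustration.
    downloads = r"C:\Users\victim\AppData\Local\Messenger\Downloads"
    samples = [
        "holiday.png",                       # ordinary attachment
        r"..\..\..\Program Files\Slack\x.dll",  # traversal attempt
        "..",                                # dot-only name
        r"D:x.dll",                          # drive-relative path
        "CON.txt",                           # reserved device name
        "a" * 300 + ".png",                  # exceeds the path limit
    ]
    for sample in samples:
        verdict = "accept" if is_safe_attachment_name(downloads, sample) else "REJECT"
        print(f"{verdict:6}  {sample[:60]!r}")
```

Rejected names are worth logging on the client: a burst of separator-containing attachment names from one contact is a useful detection signal for exactly the kind of probing described above.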