Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Mattermost is a self-hosted Slack alternative for team communication. It is the product under test in this HackerOne report.
Mattermost can convert a channel's visibility. If a private channel is converted to public, any user can join it and post comments. Whether a member may post a comment is itself a separate permission.
The permission that removes the ability to comment on a public channel does not work properly: users can still post to the channel even though they are explicitly denied from doing so.
Complex permission environments commonly have weird edge cases. This is one of those times. From the H1 report, I am unsure whether the bug is caused by the transition state or not. Regardless, still a bug!
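To show the failure mode in a form you can run, here is an added example in Go (Mattermost's own language) that is not code from Mattermost or from the report. It uses a hypothetical channel model of my own: a naive check that treats "public" as permission to post, beside a check that evaluates the explicit posting deny first, exercised across the private-to-public conversion the write-up describes.

```go
package main

import "fmt"

// ChannelType mirrors the public/private distinction in the write-up.
type ChannelType int

const (
	Private ChannelType = iota
	Public
)

// Channel is a hypothetical model, not Mattermost's own type.
// PostingRestricted records that ordinary members have explicitly
// been denied the "create post" permission on this channel.
type Channel struct {
	Type              ChannelType
	PostingRestricted bool
}

// Member is a hypothetical channel membership carrying a role.
type Member struct {
	Role string // "admin" or "member"
}

// CanPostNaive models the bug class: visibility is treated as the
// permission, so on a public channel the explicit deny is never read.
func CanPostNaive(c Channel, m Member) bool {
	if c.Type == Public {
		return true
	}
	return m.Role == "admin" || !c.PostingRestricted
}

// CanPost evaluates the channel-level deny before anything else,
// independent of whether the channel is public or private.
func CanPost(c Channel, m Member) bool {
	if c.PostingRestricted && m.Role != "admin" {
		return false
	}
	return true
}

// ConvertToPublic flips visibility only; the restriction must survive.
func ConvertToPublic(c Channel) Channel {
	c.Type = Public
	return c
}

func main() {
	ch := ConvertToPublic(Channel{Type: Private, PostingRestricted: true})
	m := Member{Role: "member"}
	fmt.Println("naive:", CanPostNaive(ch, m), "correct:", CanPost(ch, m))
}
```

The same deny is also ignored by the naive check on a channel that was public from the start, which is why a regression test should cover both the converted and the never-private case.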