R2S was a painful one, but Lachlan was a dream of a security researcher to partner with. Not just from a responsible disclosure POV, but things like hopping on multiple calls with Meta and our team to help us validate remediations. Thank you Lachlan for helping make the internet safer (and great job on figuring out this 'labyrinth' of a vulnerability).
owebmaster 1 hour ago [-]
You ruined React.
But it was quite profitable for you.
halflife 56 minutes ago [-]
React was ruined from the moment they abandoned class components and introduced hooks. Vercel is just continuing the trend of hype against common sense.
I was really surprised when this hit, and I discovered the protocol was essentially undocumented / unspecified. I was trying to find indicators of compromise and that was made more difficult by the lack of documentation.
It was really helpful that they had coordinated with WAF providers like Cloudflare ahead of disclosure to put rules in place though.
sam1r 10 hours ago [-]
> Amazingly, despite being a weekend, the Meta team triaged, reproduced, and confirmed my submission in around 17 hours.
Incredible. Realize what you have done from start to finish (with confirmation) in < 24 hours.
keyle 11 hours ago [-]
Nice read!
I love the "we are so back" vs. "it's so over" graph. Defines so much of this type of work. "Wow? ... nah... WOW?! ... nah..."
mexicocitinluez 22 minutes ago [-]
Side note: A few weeks ago I started to see floaters in my eyes and the background for your site is making my brain go haywire. Also a tad bit distracting while trying to read the article.
Really cool article btw.
halflife 4 hours ago [-]
Whoda thunkit that
- blurring the lines between client code and server code
- creating a brand new protocol for communication between trusted and untrusted actors
- and with all of that allow the protocol to serialize code and not just primitives
Would be a tremendously stupid idea. And for what? To lock developers further into the react ecosystem. What a shitshow react continues to be.
simonreiff 10 hours ago [-]
What a great write-up. Thanks for sharing how you found this fascinating vulnerability and exploit.
phyzome 9 hours ago [-]
Haha, nice.
One correction: The link in "To be honest, I'm not even sure if I understand it, but it's on my GitHub." goes to the wrong file (01 instead of 00).