Sylvie
@_sy1vi3
Followers
836
Following
2K
Media
52
Statuses
993
AhRZbVYwWVM1emVXeDJhV1V1Wm5scAoccUtabXB6NXVvSkg2TElPMXAzTWFuMU4ycGo9PQ==
she/her 20
Joined May 2021
this is almost a relief i can't lie, i've lost so much sleep this past week going for these
2
2
49
my teammates gonna make me take a break from playing vercelctf this weekend to play seccon instead and i think that's kinda messed up honestly
1
0
17
can a girl get one teensy little prototype pollution gadget as a treat or is that too much to ask for
2
1
32
in trying to break vercel's firewall i've discovered a whole bunch of things that seem like Problems™ in their own right that make me somewhat hesitant to trust the security of anything else going on here
1
0
40
y'all're gonna be disappointed when next week rolls around and i go back to never saying anything other than the occasional reply to a friend's tweet
0
0
16
another silly takeaway i got from all of this is that despite not being a frontend dev and generally being a proponent of just coping with raw html/js, i've learned that NextJS is actually pretty fun and easy to work with all things considered
2
1
37
vercel's WAF seems very effective at one thing at least, and that's keeping me up until 6am
5
0
72
i think one of the funniest outcomes of this whole thing is that i've developed something of a sixth sense for knowing if something is a NextJS/Vercel app before even checking devtools
0
0
29
i interacted with too many security slop posters and now my timeline is full of bug bounty skids instead of silly gay people this is so heartbreaking 💔
5
1
63
This is streamingly exciting https://t.co/hD3e8tDTgb
github.com
Original Proof-of-Concepts for React2Shell CVE-2025-55182 - lachlan2k/React2Shell-CVE-2025-55182-original-poc
2
24
105
to be clear, this bug belongs to Lachlan, and for the time being the level of credit currently given to me on https://t.co/AgbXeD3ujX is roughly accurate. we both plan to make detailed blog posts about this at some point in the future.
1
0
22
while Lachlan began working with Meta and Vercel to get it patched, i began doing reconnaissance to identify vulnerable websites so that we could alert everyone who needed to be alerted immediately after the initial advisory went out.
1
1
12
i feel i should mention that the initial full RCE PoC had 20+ gadgets, while the one Lachlan submitted to Meta and the ones floating around the internet right now only have like 3.
1
0
10
we realized the significance of this immediately, and after discussing it we agreed that the bug was his and the PoC was his. Lachlan spent well over 100 hours working on this, to my ~36.
1
0
11