Rauchg 13 hours ago [-]
R2S was a painful one, but Lachlan was a dream of a security researcher to partner with. Not just from a responsible disclosure POV, but things like hopping on multiple calls with Meta and our team to help us validate remediations. Thank you Lachlan for helping make the internet safer (and great job on figuring out this 'labyrinth' of a vulnerability)
owebmaster 3 hours ago [-]
You ruined React.
But it was quite profitable for you.
halflife 3 hours ago [-]
React was ruined from the moment they abandoned class components and introduced hooks. Vercel is just continuing the trend of hype against common sense.
littlecranky67 11 minutes ago [-]
You are probably a JavaScript dev, not doing TypeScript? Classes were horrible to type for, especially when you tried higher-order components. Hooks removed so much clutter and friction and allow pretty well-typed components and higher order functions (i.e. hooks that return components).
ervine 2 hours ago [-]
I just don't understand this take, every time I hear it I wonder if people just haven't spent the time to adjust their mental model.
Hooks are IMO the best thing that happened to React.
pjmlp 39 minutes ago [-]
I have spent more time than I wished for on React debugging tools, and useXXXX spaghetti calls.
pjmlp 41 minutes ago [-]
Spot on, incredible how OOP hate can mess up a framework.
Vercel, the only thing they have going for the app model mess, are the partnerships with SaaS vendors that make them the must go tooling.
However this will eventually come to an end.
nkrisc 23 minutes ago [-]
I wish this site respected prefers-reduced-motion. The dots on the background give me motion sickness while trying to read. Thank goodness for Firefox reader mode.
Boy I loved this write up, and really loved Sylvie’s, which gives a peek into the economic side of this white hat hacking — prepping, safety, wondering who you trust, preparing to claim as many bug bounties as possible.
I was struck by the very sensible economic filter: “who is vulnerable that has a bug bounty program?” Incredibly good reminder that you should have a bug bounty program; otherwise, nobody might call you. Until, you know, you’ve been compromised.
NewLogic 2 hours ago [-]
I'm still yet to be convinced React Server Components are anything but a disaster to the developer experience. Mixing backend and frontend without a clear boundary is terrible for any codebase beyond a handful of contributors.
pjmlp 38 minutes ago [-]
But it is so cool!
I really don't understand why people complain about Spring or ASP.NET annotations, and then go running to Next.js with its useXXX and import magic.
sam1r 12 hours ago [-]
>> Amazingly, despite being a weekend, the Meta team triaged, reproduced, and confirmed my submission in around 17 hours.
Incredible. Realize what you have done from start to finish (with confirmation) in < 24 hours.
keyle 13 hours ago [-]
Nice read!
I love the "we are so back" vs. "it's so over" graph. Defines so much of this type of work. "Wow? ... nah... WOW?! ... nah..."
mnahkies 7 hours ago [-]
I was really surprised when this hit, and I discovered the protocol was essentially undocumented / unspecified. I was trying to find indicators of compromise and that was made more difficult by the lack of documentation.
It was really helpful that they had coordinated with WAF providers like Cloudflare ahead of disclosure to put rules in place though.
simonreiff 13 hours ago [-]
What a great write-up. Thanks for sharing how you found this fascinating vulnerability and exploit.
phyzome 12 hours ago [-]
Haha, nice.
One correction: The link in "To be honest, I'm not even sure if I understand it, but it's on my GitHub." goes to the wrong file (01 instead of 00).
halflife 7 hours ago [-]
Whoda thunkit that
- blurring the lines between client code and server code
- creating a brand new protocol for communication between trusted and untrusted actors
- and with all of that allow the protocol to serialize code and not just primitives
Would be a tremendously stupid idea. And for what? To lock developers further into the React ecosystem. What a shitshow React continues to be.
owebmaster 1 hour ago [-]
> And for what? To lock developers further into the React ecosystem.
It was a clear bait and switch scam, that is still going on.
mexicocitinluez 2 hours ago [-]
Side note: A few weeks ago I started to see floaters in my eyes and the background for your site is making my brain go haywire. Also a tad bit distracting while trying to read the article.
Really cool article btw.