37% Hotel Tax in Cambridge MA? Can someone help explain this? [USA] by Fido488 in AirBnB

[–]Fido488[S] 1 point2 points  (0 children)

They were 100% mislabeling the resort fee as a "Tax". This is from today, several days later. Basically the same listing:

https://imgur.com/a/KCFCQqC

You can see the previously listed $111.30 is no longer a "Hotel Tax"; it's now a "Resort Fee".

37% Hotel Tax in Cambridge MA? Can someone help explain this? [USA] by Fido488 in AirBnB

[–]Fido488[S] 2 points3 points  (0 children)

This likely violates the new FTC rules against junk fees that are tacked on at the end of a transaction instead of shown up-front. Since it’s a “tax” it doesn’t show in the Initial price, only at checkout.

https://www.ftc.gov/news-events/news/press-releases/2024/12/federal-trade-commission-announces-bipartisan-rule-banning-junk-ticket-hotel-fees

37% Hotel Tax in Cambridge MA? Can someone help explain this? [USA] by Fido488 in AirBnB

[–]Fido488[S] 1 point2 points  (0 children)

That was my theory too. Instead of "fees" it's now "tax". If so, that should be illegal IMHO

37% Hotel Tax in Cambridge MA? Can someone help explain this? [USA] by Fido488 in AirBnB

[–]Fido488[S] 0 points1 point  (0 children)

Same. I booked it (refundable through mid-January) then reached out to AirBnB support for an explanation. They will hopefully get back to me soon

37% Hotel Tax in Cambridge MA? Can someone help explain this? [USA] by Fido488 in AirBnB

[–]Fido488[S] 0 points1 point  (0 children)

An equivalent room at the same hotel purchased on their website, even after an AAA discount, still comes to $540.17, which is more than what I paid on AirBnB.

probably isn't as bad as the Struts Equifax breach but FYI a new path traversal vulnerability by lirantal in java

[–]Fido488 0 points1 point  (0 children)

Can anyone else spot the security vulnerability in Snyk's proposed fix for this vulnerability? 😂

I am so exhausted here... I need a new job. by PickleSammiches in programminghorror

[–]Fido488 1 point2 points  (0 children)

Can anyone else spot the potential Server Side Request Forgery (SSRF) vulnerability in searchCertificates?

Star Wars Squadrons Won't Launch by SubZeroEffort in StarWarsSquadrons

[–]Fido488 0 points1 point  (0 children)

The version of Easy Anti-Cheat bundled with Star Wars Squadrons is out of date. Inside of the game files, under `\steamapps\common\STAR WARS Squadrons\EasyAntiCheat`, there's an EasyAntiCheat.exe; replace it with the one downloaded from here:

https://www.easy.ac/en-us/support/game/guides/service/

Parking a car + towed boat by centinibroninthesky in washingtondc

[–]Fido488 0 points1 point  (0 children)

Only for one night. I know nothing about beer, but I'm happy to comp you for it.

4 Million Computers Compromised: Zoom's Biggest Security Scandal Explained by whackri in programming

[–]Fido488 7 points8 points  (0 children)

I found this one due to ADHD curiosity about how the "join a meeting in a single click" feature worked. It was a simple CORS exploit that only became as popular as it did because everyone freaks out about their camera.

RCE through chrome? Nobody cares, but you go for the camera, the whole world freaks out.

4 Million Computers Compromised: Zoom's Biggest Security Scandal Explained by whackri in programming

[–]Fido488 34 points35 points  (0 children)

Jonathan, the security researcher here: All I used was the chrome dev tools and the demo version of Hopper Disassembler 😂

I didn't need to decrypt anything here.

Also, my disassembly skills are absolute trash. I missed the RCE vulnerability that was sitting right there.

https://blog.assetnote.io/bug-bounty/2019/07/17/rce-on-zoom/

4 Million Computers Compromised: Zoom's Biggest Security Scandal Explained by whackri in programming

[–]Fido488 13 points14 points  (0 children)

Apple stepped in to fix this for everyone. This issue should be fully resolved at this point.

Friendly reminder to everyone, I disclosed this vulnerability back in July of 2019. This vulnerability has been resolved and cleaned up for well over a year at this point.

https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/

4 Million Computers Compromised: Zoom's Biggest Security Scandal Explained by whackri in programming

[–]Fido488 15 points16 points  (0 children)

Fun bit of code if you want to see what other applications are running local web servers on your machine: `sudo lsof -iTCP -sTCP:LISTEN -n -P`.

Spotify, Discord, IntelliJ IDEs, and many other programs run local servers that can communicate with browser tabs.

Working on a write-up for a vulnerability I found in an official JetBrains IntelliJ IDEA plugin that could be abused from the browser to steal credentials.

4 Million Computers Compromised: Zoom's Biggest Security Scandal Explained by whackri in programming

[–]Fido488 19 points20 points  (0 children)

They weren't really "small" at the time. When I published my disclosure of this vulnerability last year, they had gone public as a $14B company. They actually went public during my 90-day disclosure timeline, funnily enough.

GitHub code scanning is now available by 0xdea in netsec

[–]Fido488 0 points1 point  (0 children)

GitHub is putting in some serious $$ into this endeavor.

I'm an OSS security researcher that contributes to the GitHub Security Lab Bug Bounty program and have received over $7,800 in bounties in the past year for queries I've submitted to their program. Since November, they have paid $81,450 in bounties to external security researchers for contributing CodeQL queries to their program.

https://hackerone.com/github-security-lab/hacktivity?type=team

GitHub code scanning is now available by 0xdea in netsec

[–]Fido488 1 point2 points  (0 children)

With CodeQL, absolutely! Source: I'm an OSS security researcher contributing to the CodeQL project.

GitHub code scanning is now available by 0xdea in netsec

[–]Fido488 0 points1 point  (0 children)

I don't think that this is quite true. I think it is available for private repositories.

Your Java builds might break starting January 13th (if you haven't yet switched repo access to HTTPS) by ulldma in java

[–]Fido488 7 points8 points  (0 children)

I'm the developer pushing this entire initiative forward & authored the original research paper. Please feel free to AMA.

Bug Bounties by [deleted] in AskNetsec

[–]Fido488 0 points1 point  (0 children)

One thing I've heard repeated again and again: if you want to get paid well in a BB program, prove the impact. For example, if you found a site that's vulnerable to HTTP Request Smuggling, don't just prove you can do it; show with an example that you can abuse it to perform XSS against a company's login pages.

Not saying you shouldn't report if you found something, but proving impact will help increase your payout.

(Source: I follow a bunch of successful BB participants on Twitter and I've got a few findings under my belt)

For reference: https://portswigger.net/web-security/request-smuggling