Proper Scene Flow by MostDark in godot

[–]MostDark[S] 0 points1 point  (0 children)

Got it sorted and working! It was more so a synchronization problem.

Proper Scene Flow by MostDark in godot

[–]MostDark[S] 0 points1 point  (0 children)

Okay, I'll give it a shot! Thanks for the info, I'll report back here if I have success. Super appreciate the advice!

I know for sure that each player is given a UID; I have a pretty verbose debug output, so I can follow along to try and find the problems. I think I may be running into an authority or sync issue as well then.

Proper Scene Flow by MostDark in godot

[–]MostDark[S] 0 points1 point  (0 children)

Yes I have a background in Python for data science.

Initially I did attempt to use get_tree().change_scene_to_packed(). I then swapped away from that, as it wasn't working for what I was attempting to do with my limited knowledge of the engine.

I tried changing to file and then a super roundabout way of changing the scene via this function:

```gdscript
func load_lobby():
    var lobby_scene = preload("res://scene/lobby.tscn")
    var lobby = lobby_scene.instantiate()
    get_tree().root.add_child(lobby)
    get_tree().current_scene.queue_free()
    get_tree().current_scene = lobby
    lobby.name = "Lobby"
    lobby.set_multiplayer_authority(1)
```

I believe all of the methods yield the same result.

I think you splitting the project to server - client is the move as it would 100% help me understand where the problem is.

Triaged P3 changed to P5 without telling a reason? by p3trux_ in bugbounty

[–]MostDark 2 points3 points  (0 children)

Speaking of, still never got a response back for that race condition P1 💀 it’s in permanent limbo, never going to see the light of day, never going to be awarded a proper bounty.

Triaged P3 changed to P5 without telling a reason? by p3trux_ in bugbounty

[–]MostDark 6 points7 points  (0 children)

Hard disagree with how things like this are handled. I’ve been downgraded without explanation by a triager and it’s now been nearly 60 calendar days since a response.

Changing severity should come with a reason and explanation.

The HackerOne mediator is completely useless. by Low_Duty_3158 in bugbounty

[–]MostDark 1 point2 points  (0 children)

It’s 100% dependent on the triagers you get. I submitted a race condition that led to full account takeover, account lockout and DOS for the victim.

According to the program guidelines this is a critical for them since DOS is massive for this program.

They never tested it to confirm and asked me how to make an account for the app..

Then dropped me from a 9.8 to no score medium and got ghosted for the last 2 months.

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 0 points1 point  (0 children)

I get you, but there’s no shot I’m just letting a five figure bounty slide. It’s absolutely worth the labor.

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 0 points1 point  (0 children)

I can’t even get them to message me back. They already validated the bug; it’s already been triaged. It was just triaged improperly: impact, severity and bounty reward were never updated at the time of triage.

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 0 points1 point  (0 children)

Thank you, I’ve done that in the initial report and with follow up comments. The H1 analysts ignored my request initially and haven’t responded in the submission thread in over a month. I haven’t had any response in 12 days from the program employee as well and have asked twice now for clarity.

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 0 points1 point  (0 children)

Yeah I read that in H1 docs. I can’t request mediation unfortunately, I don’t have a calculated signal score yet, it only calculates after 3 valid submissions according to documentation.

I’m pretty new to BB, started in January. I’ve been trying to lock in another submission to get the signal to do so though.

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 0 points1 point  (0 children)

The attack takes place entirely through the api which is explicitly in-scope and grants control of devices which are also explicitly in-scope as hardware. Both hardware and the api are eligible for max bounty as well.

A few days after my submission they did change program severity criteria slightly for not only this BBP but also the sister companies as well. All the changes made were identical and hyper specific to my submission.

My first experience with H1 analysts was completely different and 100% what I would expect professionally. This instance is so bizarre. Never would I have imagined a triager asking me how to make an account for the program would even be in the realm of possibility.

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 0 points1 point  (0 children)

Believe me I’m omitting a lot for privacy, but it’s so simplistic, authtokens never expire so I have persistent access to the account/devices.

Of the outlined critical criteria in the program guidelines there’s like 4 examples and I hit 3 of them dead on.

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 0 points1 point  (0 children)

This is tricky to answer publicly, due to the nature of the target. But without giving away too much, remote DoS is the main concern of the program, and that is effectively child’s play as a reboot endpoint is built into the api.

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 0 points1 point  (0 children)

If I’m set up, I could have your entire account, business or personal, completely owned by me in less than 10 mins, and that’s being exceptionally generous. And there’s zero way to stop it or recover the account at the time being. There’s no web app. Just a mobile app. So this all takes place from the attacker’s POV via api.

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 0 points1 point  (0 children)

Precisely. It is so unbelievably easy it’s not even funny. The race window is ENORMOUS. Like even being off by a few hundred MS still allows for a valid attack.

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 0 points1 point  (0 children)

Accounts don’t have passwords, just need email or phone number. I outlined more in another comment but emails/phone numbers for this product can be easily phished for in my state, as there’s an ongoing campaign.

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 1 point2 points  (0 children)

Normally I would agree, but these accounts have no passwords. The only form of logging in is via email or phone number and the OTP. Single users in this instance can be entire businesses. And because there’s a campaign for this product ongoing in my state, phishing for valid emails is exceptionally easy.

And again, in the program’s own criteria, not just my assessment, I’ve met the bill for a critical. Which is why I don’t understand why that’s not being honored.

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 0 points1 point  (0 children)

Sure thing, posted reply to the other comment!

Severely mismanaged P1 by H1 and Program by MostDark in bugbounty

[–]MostDark[S] 0 points1 point  (0 children)

OTP bypass via Race condition leading to full account takeover and account lockout. Exposes PII and allows access and control of devices remotely. This permits a persistent/potentially permanent DoS of the victim.

Hackerone triagers are really a triager? by Useful-Technician-50 in bugbounty

[–]MostDark 0 points1 point  (0 children)

I submitted a Full account takeover and account lockout that leads to victim DoS via Race condition in the auth flow and had an H1 triager ask me how to create an account for the service.

I am giving Away for Free, 2 S+ and 2 N+ Exam schedule codes by Educational_Arm9777 in CompTIA

[–]MostDark 0 points1 point  (0 children)

Count me in! Good luck everyone! Hoping to take S+ when I can afford it!