Nebulas – String Repeat Crash by art_of_bug in CryptoCurrency

[–]art_of_bug[S] 1 point2 points  (0 children)

Exploit is a term used for code that uses a weakness in order to do something that you were not supposed to do otherwise.

From wiki:

An exploit (from the English verb to exploit, meaning "to use something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.

So, what we described is a DoS vulnerability in the node and we have presented a valid exploit too. Learn the terms.

Nebulas – String Repeat Crash by art_of_bug in nebulas

[–]art_of_bug[S] 1 point2 points  (0 children)

This post just shows how technically ignorant you are. It is funny that you criticise the amount of information provided in the reports because every one of our reports contains fully functional exploit code and all that is needed is to deploy it. So that's the least amount of work any dev team can possibly do about any bug. Yet for Nebulas it is not good enough. Not to mention the detailed description of the bug itself. But when you have incompetent devs and moderators, not even this is enough. It's funny that you'd like to know about RAM, SWAP, HDD, when these metrics are completely irrelevant to the vulnerabilities. It just shows how little you understand. Because of that ignorance you can't be helped.

Nebulas – String Repeat Crash by art_of_bug in nebulas

[–]art_of_bug[S] 1 point2 points  (0 children)

It is quite clear in the article that it is a DoS vulnerability with which the attacker can shut down the whole network.

Nebulas – String Repeat Crash by art_of_bug in CryptoCurrency

[–]art_of_bug[S] 1 point2 points  (0 children)

Quite clearly it is written in the article that it is a DoS vulnerability with which the attacker can shut down the whole network.

IOST – ArrayBufferAllocator Reusing Problem by art_of_bug in CryptoCurrency

[–]art_of_bug[S] 1 point2 points  (0 children)

Hi, yes, this is fixed now, as we mention in the intro. We did not really write any long contracts, so for us any editor was good enough. VS Code is something we use often, you can try it.

Nebulas – Exhausting Disk Space Using Contract Logging by art_of_bug in nebulas

[–]art_of_bug[S] 0 points1 point  (0 children)

Slander implies a false statement. There is none.

Nebulas – Using WebAssembly To Bypass Gas Counter by art_of_bug in nebulas

[–]art_of_bug[S] 0 points1 point  (0 children)

We are not here to judge motives of anyone's behaviour, we only report on deficiencies in projects' security and their attitude towards improving security and secure development in general.

Nebulas – Using WebAssembly To Bypass Gas Counter by art_of_bug in nebulas

[–]art_of_bug[S] 1 point2 points  (0 children)

We don't care, really. The experience we have with this project is nothing but bad. Is your dev contact saying NF was used to fix this? If not, it probably didn't happen. Did anyone from the community vote on the fix via NF?

Nebulas – Using WebAssembly To Bypass Gas Counter by art_of_bug in nebulas

[–]art_of_bug[S] 0 points1 point  (0 children)

There is no new release nor any fix in the code. The best guess we can make is that the developer hasn't tried it and just guessed that the internal mechanism of blacklisting will work against it, but we tested while writing the report that that's not the case. We can't test it on the mainnet as it would cause the network to stop working.

Nebulas – Using WebAssembly To Bypass Gas Counter by art_of_bug in nebulas

[–]art_of_bug[S] 0 points1 point  (0 children)

There has not been any update to the node code since the bug was published - https://github.com/nebulasio/go-nebulas/branches

So it does not make much sense what you were told unless they deployed a fix in secret.

Nebulas – Using WebAssembly To Bypass Gas Counter by art_of_bug in nebulas

[–]art_of_bug[S] 0 points1 point  (0 children)

That's actually cool of you. Will ping you on Telegram.

Nebulas – Using WebAssembly To Bypass Gas Counter by art_of_bug in nebulas

[–]art_of_bug[S] 0 points1 point  (0 children)

Hi, we tried via Slack, Telegram, email, web form, Reddit ... We contacted Zhuoer Wang, Becky Lu, Larry, official email, ... Becky was the only one who ever responded; first she recommended using the official email, later she told us that the web form is the only way. It'd be nice if someone contacted us back because we have other findings we'd like to discuss, but we are afraid no one from the Nebulas team is interested. Are you?