Is China spreading propaganda in Italy (and worldwide)?

Italy is facing dark days because of coronavirus and there is a lot of disinformation about this topic, especially on messaging apps and social networks (the journalist Jane Lytvynenko is collecting and debunking a large number of fake news stories about COVID-19). Last week (03/12) China sent a team of doctors and equipment for Italian hospitals, part of which Italy will pay for. The Chinese Embassy in Italy reported the news on Twitter and, during these particular days, their Twitter account is particularly active. Their tweets have generated many retweets, likes and positive replies, with many thanks from Italian people, because coronavirus is a world issue and people are scared. This is the bright side of it, but there is another side: many tweets and reactions seem to have been created by bots or suspicious accounts, usually with few tweets, no profile picture, strongly pro-Chinese-government and anti-US. If you try to reply in a negative way to the Chinese Embassy in Italy (@AmbCina), you will probably receive this message from some users: nmsl, Chinese slang that stands for “Your mom is dead”. ...

March 17, 2020 · 3 min · 552 words · Luigi Gubello

Italian Hacker Camp 2018

About two weeks ago the Italian Hacker Camp 2018 was held in Padua, a genuine camping event for enthusiasts of the computing world (and not only). The event ran from 2 to 5 August and, as the name suggests, offered people the chance to stay there with their own tent and sleeping bag for the whole duration of the event. I wasn’t able to take part in such a “wild” way, but I managed to drop by for a day, finding an inclusive environment that did not disappoint my expectations. I’ll try to summarise my experience with two bullet lists, one with the aspects of the event I personally found positive and the other with some suggestions for improving future editions, in the hope that there will be some. ...

August 18, 2018 · 3 min · 611 words · Luigi Gubello

Which users have 🇮🇹 in their Twitter nickname?

A few days ago Emanuele Menietti, a journalist at Il Post, tweeted this:

there must surely be a way to filter out everyone with the little Italian flag in their profile name and with a photo you wouldn’t even find on the sideboards in the dining rooms of Predappio. — emanuele menietti (@emenietti) July 7, 2018

So I asked myself whether there is a quick way to filter Twitter users by the presence, or absence, of a given emoji in their nickname. The answer is yes: a few lines of Python and the Twitter APIs are enough. At that point I decided to play a bit more with Python and the Twitter APIs, trying to see whether it was possible to answer some questions using the data obtainable through the APIs. The questions I asked myself are mainly two: ...

July 19, 2018 · 5 min · 1005 words · Luigi Gubello

HTML Injection in Signal Desktop 1.10.1

A few days ago some researchers discovered an HTML Injection vulnerability in Signal Desktop and they wrote a public disclosure. The Signal team quickly released an update on May 11th; the problem was in the file /js/views/message_view.js. Reading the changes to message_view.js, it seemed that the Signal team had only fixed the “problem of the URL”. So, maybe, I could still inject HTML code somehow. Signal Desktop does not have many features, so I tried to send myself a basic message: <b>PROVA</b>. Obviously nothing happened. So I tried to use the Reply to message feature, and BINGO! My original message <b>PROVA</b> had become PROVA (rendered in bold). So, it was still possible to inject HTML code in Signal Desktop. I tried to run javascript code, but it was blocked by the Content Security Policy, as in the first report. To run javascript code in the victim’s Signal Desktop, the victim must first download a malicious HTML / js file, then the attacker can run it with the src attribute. Obviously the attacker must know the file path on the victim’s computer. Another interesting attack, without javascript, is to use the ping attribute to find the IP address of the victim (thanks to Fabrizio Carimati (@clodo76) for this idea). ...

May 16, 2018 · 2 min · 300 words · Luigi Gubello

GD bbPress Attachments 2.5 – Authenticated stored XSS

Info
Product: GD bbPress Attachments
Version: 2.5
Active installations: 10,000+
Product page: https://it.wordpress.org/plugins/gd-bbpress-attachments/

Description
An authenticated user of a bbPress forum who can attach a file can inject arbitrary javascript code via the filename. The arbitrary code runs both on the topic page and in the admin panel, and it only affects the administrators, moderators and the attacker. The variable $error['file'] in /code/attachments/front.php (line 349) is not escaped.

Proof of Concept ...

May 13, 2018 · 1 min · 104 words · Luigi Gubello