Tasks related to enhancing the security of Phabricator.
Tue, Feb 20
Fri, Feb 16
A similar "attack" is to send a link to two destinations based on the viewer:
Wed, Feb 14
Thu, Feb 1
My call with Mailgun was generally reassuring. Based on an uncharitable reading of the January 5th disclosure, my major concern was that they might be starting from a cultural position which was blind to internal actors as threats and everyone just used root / hunter2 written on a sticky note to log in to everything or something like that.
Wed, Jan 31
One attack is that you can override the content of email and then send invite or welcome mail that says whatever you want, whether the victim has a Phabricator account (welcome) or not (invite).
Tue, Jan 30
This is relevant now that work related to T13049 has added CSV support.
(They got back to me and we're scheduling a call.)
Mailgun has yet to respond to me after about three weeks, so I sent them a follow-up.
Sat, Jan 27
Fri, Jan 26
Jan 25 2018
Jan 23 2018
Add a temporary token revoker.
Add a session revoker.
Add an SSH key revoker.
Add a password revoker.
Add a VCS password revoker.
The other thought I had was that using a cooperating subprocess and emitting signals to tell it to click a nanosecond-precision stopwatch might also make the attack more practical (or use pipes or domain sockets -- however you can get out of PHP with the lowest cost). They're probably all somewhat slow but likely better than microsecond-precision. Then you "just" need to get a cooperating binary onto the target host.
Wow, I didn't mean for my two cents' worth of snark to cause such a stir! I do buy the argument that Phabricator isn't impacted by Meltdown/Spectre ("At least today, Herald rules are insufficiently expressive to allow an attacker to encode a speculative execution cache timing side channel attack.").
I believe this has been supported since D11543, in 2015. Specifically, log.ssh.format supports %k, and it appears to work as expected.