Posted by hackermondev 12/18/2025

We pwned X, Vercel, Cursor, and Discord through a supply-chain attack(gist.github.com)
1167 points | 433 comments, page 5
geekamongus 12/19/2025|
16 year olds rule the world.
gatestone 12/19/2025||
Whoever invented the idea that you can embed JavaScript in picture files?
rldjbpin 12/19/2025||
This was very well-written and the moving parts were quite easy to understand.

Simultaneously there are many opportunities throughout to harden one's app to avoid similar exploits.

voodooEntity 12/19/2025||
Really nice finding for such a young folk - really liked reading into it. Also what I love most about it is what an actually simple vuln it is.

Though what I find most funny about it is how many people are complaining about the $4k.

I mean sure, the potential "damage" could have been a lot higher, though at the same time there was no contract in place or, at least as far as I understood, a clear bug bounty targeted. This was, even if well done, random checking of XHR/requests to see if anything vulnerable can be found - searching for kinda file exposure / XSS / RFI/LFI. So everything paid (and especially since this is a Mintlify bug, not an actual Discord bug) is just a nice net gain.

Also I'll just drop this here: ask yourself, are you searching for such vulns just for money or to make the net a safer place for everyone? Sure, getting some bucks for the work is nice, but I personally just hope stuff gets fixed on report.

kringle 12/19/2025||
- enormously awesome

- that bug bounty was insufficient (Fidelity?!?!)

blindriver 12/19/2025||
Every commit in every open source project should now go through an AI to see if it can detect anything nefarious. I'm sure there are ways to fool it, but it makes it a lot easier for bad actors to get caught.
vittore 12/19/2025||
The link here is to a gist, but on lobste.rs someone posted a link to Eva's blog. And it, with links to friends' blogs, feels so much like the old internet. I don't even know what I enjoyed more, reading the technical side or discovering this dark forest.
est 12/19/2025||
could `Sec-Fetch-Dest: image` mitigate this?
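An added illustration of the mitigation est asks about (editor's example, not code from the write-up or from any commenter). It assumes the scriptable picture is an SVG served from the app's own origin, which the thread does not state, and shows both the `Sec-Fetch-Dest` check and the fallback needed for clients that never send that header:

```python
# Added example: serving a user-uploaded image with a Sec-Fetch-Dest check.
# Assumption (not stated in the thread): the "picture with JavaScript" is an
# SVG, and it is served from the same origin as the application.
from typing import Mapping, Tuple

ALLOWED_IMAGE_DESTS = {"image"}             # <img>, CSS url(), favicon loads
SCRIPTABLE_IMAGE_TYPES = {"image/svg+xml"}  # image types that can carry <script>


def image_response(request_headers: Mapping[str, str],
                   content_type: str) -> Tuple[int, dict]:
    """Decide how to serve one stored image. Returns (status, headers)."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in request_headers.items()}
    dest = lowered.get("sec-fetch-dest")

    # Modern browsers attach Sec-Fetch-Dest to every request. Loading the
    # file through <img> arrives as "image", and scripts never run there.
    # Typing the image URL into the address bar (or framing it) arrives as
    # "document"/"iframe", which is the only way an SVG's script would run
    # in this origin. Refuse those, so the file is an image and nothing else.
    if dest is not None and dest not in ALLOWED_IMAGE_DESTS:
        return 403, {"Content-Type": "text/plain"}

    headers = {
        "Content-Type": content_type,
        # Stop the browser from re-guessing a scriptable type for the bytes.
        "X-Content-Type-Options": "nosniff",
    }
    if content_type in SCRIPTABLE_IMAGE_TYPES:
        # Defence in depth: older browsers and non-browser clients send no
        # Sec-Fetch-Dest at all, so the check above cannot see them. If such
        # a client ever renders the SVG as a document, the CSP sandbox puts
        # it in an opaque origin with scripts disabled.
        headers["Content-Security-Policy"] = "sandbox"
    return 200, headers


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ({"Sec-Fetch-Dest": "document"}, "image/svg+xml"),  # direct navigation
        ({"Sec-Fetch-Dest": "image"}, "image/svg+xml"),     # <img src=...>
        ({}, "image/svg+xml"),                               # legacy client
    ]
    for req, ctype in samples:
        print(req, ctype, "->", image_response(req, ctype))
```

The header check alone is not sufficient, because a client that omits `Sec-Fetch-Dest` passes it; the `nosniff` and `sandbox` response headers are what cover that case.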