The best I’ve found.
It’s also crowd funded and they talk about their interest tech as well.
The best I’ve found.
It’s also crowd funded and they talk about their interest tech as well.
Hi, OP here! Thank you all so much for the positive commments. To give some background: I'm a 17 year old student in the UK doing my A-Levels, still deciding what uni to go to and looking for degree apprenticeship options! You can checkout my github profile here -> https://github.com/Jayy001 (I'm one of the core members behind HashPals, creating Search-That-Hash as well as being a maintainer for the open-source repository of free software for the ReMarkable tablet)
I am going to try referring you for Meta. Can you send me your resume/email/etc to tehlike gmail com?
Why would you want to punish the lad with working at Meta?! He seems like a nice chap.
I want to hire good people to the company i work for. Is that wrong?
Yes, facebook is an evil corporation.
Also: stop calling it meta everyone. Don't let them get away with such a poor away to hide their past & also claim a powerful word like that.
Let's provide solutions in addition to criticisms.
What would you recommend OP applies for?
What are the pros and cons of the option that you suggest vs. the alternative?
A company working on physical products that solve real world needs is where I have found solace.
why? op is young, needs more money.
Why? did they say that elsewhere in this thread?
Why are they evil? And if someone wants to do good for the World, why not join an evil corp to inflict change from within?
Not for your goals, seemingly no.
I didn't realize you were offering help with internship/apprenticeship.
Carry on. OP, definitely cut your teeth in a place like that!
Everywhere else afterward will likely feel like a vacation, in comparison.
sorry, endofreach, i'll continue to call it Meta or Facebook interchangeably. One is company's legal name, and the other is its major product.
As for the evilness, i will not argue. Everyone is entitled to their opinions.
For the OP in question, Facebook will provide the best career launch pad, so i will continue to suggest that. I have been to Google and Facebook, so can compare the two.
I assume Meta has a referral program where you receive a bonus if your referee gets hired.
I personally do not care about that, that was not the reason I offered referral.
Same reason I referred very little number of people if any in the past.
They do have a referral program and you would presumably benefit from that though? I'm honestly asking because I don't know.
They do, yes. There are some rules around the attribution, like if recruiters have reached in some capacity in the past xx months without an outcome, you may still not get an award, I believe.
Does Meta hire 17 year olds?
Edit: oh, is this degree apprentice thing a UK thing I'm not familiar with?
Yes, apprenticeship program.
They have in the past, though I assume it's exceedingly rare.
https://thehustle.co/how-one-17-year-old-coded-a-number-one-...
Hi, I've sent you an email.
I did a degree apprenticeship at a FAANG company and was lucky to transition into a full time role there. It heavily depends upon the company, however my advice is that an apprenticeship at a well respected company goes much further than uni (bar Oxbridge) in terms of immediate job prospects.
I'd be very happy to talk more about this w/ you - email in my desc.
Sent you an email!
Bright future ahead. Good luck
Thank you!
Good job! How long did it take you to achieve the XSS?
Around 4/5 hours if I recall correctly. It was over a year ago so not 100% sure.
My ReMarkable thanks you. You're doing great. Keep going.
.. And if you go into IT learn about contract negotiations and finances
This feature reminded me of the MySpace worm in ~2005 (heck, I wasn't even alive then!)
Well damn, I get older every day
My ex-wife managed the security team at MySpace from about 2006 to 2008. The really wild part was when she went online to the MySpace hacker forums to see how the days’ work had gone. The insistence on allowing users to put HTML onto the site was a huge problem. These days, I think the solution would be to do a proper parse of the HTML input and remove forbidden attributes and tags, but back then it was handled via insanity with regexes.
They seriously tried to parse HTML with regex? That's crazy.
They were using regex to block bad input without needing to parse HTML.
hope they were using more than one pass....
<scr<script>ipt>You could identify that as not a valid tag in a single pass and know that you should escape the < and > on it.
For the implementation all the real HTML tags should be generated by the formatter and not originate from the original input. When formarring the valid tags get deleted from the input and everything else is properly HTML escaped.
As a primitive example imagine that the only HTML tags the formatter is able to output is <b> and </b> tags alongside HTML escaped text. That means it will be impossible for a script tag to ever be outputed by the formatter.
I wonder how many passes it needs at all. I mean, if you <scr<scr<scr<script>ipt>ipt>ipt> as many times as possible, you'll end up with a xss. Removing < and > at all would be the safest solution.
You can read about some things they did, and didn't! https://samy.pl/myspace/tech.html
Long live Tony the Pony.
It used to be that the only programs capable of somewhat correctly parsing HTML were web browsers, each one of them produced different results, most weren't open-source, and none were reusable as libraries. If you wanted to parse HTML in... looks up what MySpace was written in... ColdFusion, you were all out of luck. Since then people spent years developing specifications and writing the libraries, so now it's not a big deal.
Ppl were coding up xss back in the day on Myspace to spread ringtone offers
Innocent users getting pwned aside, that sounds fun, an anarchy website in Windows XP days.
My first thought was something along the lines of "great to see these young kids doing this kind of work." Doing that math hurt my soul.
Wait, this person is <20yo...
Could someone explain how re-directing from a subdomain (chess.com.foo.bar) somehow got past some same-origin check?
if it's happening server side they might have had a bug where they are doing naive substring comparison instead of actual domain evaluation
It wasn't a proper same-origin check - the server code was checking to see if the image was hosted elsewhere, and if so, it would download and self-host it. The code to check if it was on `chess.com` probably just checked to see if the domain included that string, because laziness.
Not CORS origin check (that does not apply to links), but hand made origin check from chess.com developers.
it sounded server side code allow-list the source, so it was probably just doing a string prefix check. the code to make the friend relation doesn't happen in the browser
OP Here - Like the others have said, it wasn't a proper same-origin check. We'll never know for sure how it was handled beacuse it was all done server-side but I'm guessing it was something like an if in statement on the FQDN, hence why I was able to get away with pointing it to my own domain.
Clearly chess.com was using something like "starts with" to process the re-upload. Basically don't re-upload if it starts with https://chess.com, but filter out if it starts with https://chess.com/registration-invite
Typically same origin policies are relaxed for things like images by default [0]. So they came up with a trampoline, they created a chess.com.theirDomain.tld to get past the re-upload filter, which in turn returned a redirect, which the browser followed.
[0] https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...
Hmm, I don't think this is related but I've personally witnessed (and even recorded) other people making MY moves in chess.com games and also I've been served up a game in progress and I've been able to make moves when I shouldn't have been able to.
There are plenty of threads about this too if you Google it. No idea if chess.com have fixed this in the last few months, but they didn't want to listen when I tried to report it.
All these games were when I was not logged into the site. It's never happened to me whilst logged in, but I don't play chess that often as it's no good for my blood pressure!
Sorry, I don't understand. When you wrote people are "making your moves" do you mean they are substituting your moves with their own in a game? Or that they are mirroring moves from one of your games into their own game? Or something else?
I think he means they were literally moving his pieces.
My moves? What do you even mean
I understood it as when it was his turn to play, his piece moved without him moving it
How can you tell that they are making your moves?
Back when my sole internet experience was playing (losing) every match on Chess.com as a "volunteer librarian", I'd often inject awkwardly escaped characters, closing tags, common quirky control strings, and even OLE objects into the live Chess.com games.
Eric (founder) had politely asked me for a more formal audit (to which I declined, not wanting to out myself as an 11 year old script kiddie) but I did explain the RegExp needed for the chat room censor and we tackled the ultimate problem; how to detect cheaters in asynchronous environments.
After consideration I informed him the only way to possibly detect cheaters is to compare every (game-significant/high-mu) move made against the known optimal moves from engines, and use statistical inference to discriminate good humans from cheaters.
Of course, at the time, this was laughably unfeasible - which was the answer we had concluded on. But for a barely out of elementary kid to discuss those kinda nuances with a legit webmaster (Hello Eric!), it is one of my more favorable internet memories.
the only way to possibly detect cheaters
why would this be the only way? I can think of many different things you can do to detect cheaters
What are a few? I'm curious. Do they all involve monitoring the client itself?
He didn't mention the methods not involving monitoring the client. Most of them would involve monitoring it, yes.
- Response time
- Strength consistency within current game
- Strength consistency across all of user's games
- Is user switching windows
I bet these are already integrated in current cheat detection.
Any detection scheme based on extra information from the client could be defeated by running the chess engine on a separate computer. A human typing in their next move is indistinguishable from a human copying a move from an airgapped chess engine. Therefore, the only information that can be used to tag cheaters is the moves themselves.
Any detection scheme based on extra information from the client could be defeated by running the chess engine on a separate computer
Response time and strength consistency could be detected regardless of having another computer.
If a person is always playing fast moves, or playing very consistently or very inconsistently good moves, they could be detected.
This feature reminded me of the MySpace worm in ~2005 (heck, I wasn't even alive then!)
I instantly felt old.
Don't worry about this too much. It gets worse.
My question to OP about this event: how did you learn about this? Darknet Diaries, or via something else?
A video by WIRED came up in my YouTube feed about it.
Thanks for taking the time to reply!
I am old enough to have a fuzzy memory of it happening at the time, but here is the podcast with Samy that cemented it in my brain:
BTW, since you just got here... I find this useful: http://www.hnreplies.com/
Cool bug.
Google did not like me setting up a chess.com subdomain, and a couple of weeks later, my domain got flagged for "phishing." - I had to contact them to explain and manually remove it as it affected my whole domain.
OP - I'm honestly not sure what happened, it could be just based on the naming or something else to do with it. Either way, when I visited it, Googles Safe Browsing alert popped up with "Deceptive site ahead - recentley detected phishing".
This is a newish _Chrome_ feature (within the past 2 years) that Google rolled out. Any subdomain that looks like a domain (especially ending in a common TLD) will trigger that warning.
I learned that because, at work, I architected a system for serving certain assets for customer sites at a subdomain off a shared root domain, keyed by their full domain (like example.com.example.org—where example.com is the customer’s site domain). We ended up changing to example-com.example.org which is far better anyways since this feature started breaking stuff once it rolled out.
But this is a Chrome feature and should not affect your rankings themselves. But couldn’t hurt to take it down just in case.
Interesting, thanks for the insight!
Great write-up!
Why isn’t the PHPSESSID cookie HttpOnly?
And why if the XSS was already known had they not fixed it?!
I've had arguments with people storing session tokens in local storage and claiming it is perfectly safe.
Not marking the cookie httpOnly ironically doesn't surprise me.
TLDR: if you aren't going to look up the very basics of security just use a trusted library
Just to clarify, the PHPSESSID cookie was HttpOnly - I could extract the new value because I had overwritten it. Most of the cookies were set correctly (thankfully) however there was a lot of SPII stored in JS variables which I was able to get.
Very cool. I love seeing bug bounty write-ups, especially XSS. They always seem so easy to find (but that's just confirmation bias, I don't get to see the hours of testing and rabbit trails that go nowhere).
In my experience they are usually found after finding something weird by accident. Then the real challenge is to exploit that flaw (in this case with the text editor).
I can confirm this, I've found a lot of stuff by accident during my years doing bug bounty
I was expecting this to be more nooby based on the title. But instead they built an exploit that bypassed multiple input validation stages with clever hacks. Even going as far as to setup sub-domains to resemble the base domain. I'd not have expected this to work and found it neat in itself. But I guess seeing how complex domains are to parse with regex makes it easy to miss things (or maybe it was just something like a: '... in variable' check, idk.)
Author knows their stuff. I admire how much dedication that kind of craft takes. Spending so much time to get further along. Would make for an interesting career.
The first exploit of friending profile visitors was pretty simple at least, and also the title is a pun. But then it got very complex going for a full XSS.
Also very young making it even more impressive, considering they were born > 2005 according to the author's passing mention in the post.
Great writeup OP! And good luck on your hacking journey. Just in case you haven't come across this yet, when you find parentheses being filtered/encoded in a payload like alert(1), try alert`1` using backticks. Some great resources if you want to take your JavaScript injection to the next level: Brute Logic's XSS cheat sheet and Gareth Heyes's Javascript for Hackers. Some people roll their eyes at cross-site scripting but it's still very powerful and very widespread (and as plugin-baby pointed out, especially when session cookies aren't flagged as HttpOnly, eek.)
Thank you, will take a look!
What does "OSRF" stand for? Is this like CSRF, but... "Own-Site Request Forgery", maybe?
Yeah, pretty close: "On-site request forgery"[0]
[0] https://github.com/daffainfo/AllAboutBugBounty/blob/master/O...
Some typos in the URL: htttps://chesss.com/registration-invite?hash=XXX
OP - Wow, can't believe I missed that! Thanks!
No such thing as a rookie exploit
“ This feature reminded me of the MySpace worm in ~2005 (heck, I wasn't even alive then!)”
Goddammit young people :D
The part about the rich text editor being a "holy grail" is funny. Chess.com is a big website, but I always see those editors and other extra fancy features on random old forums and wonder if the site is Swiss cheese. Anyway, great writeup!
I don't know this required a lot of thought. Didn't really feel like a rookie exploit.
During the bug-bounty report & triage, the developers tried to implement a block because when I tried to reproduce it again for them, it came up with the following error message ...
Hardly in the spirit of a bug-bountry program.
Wow! This is so cool, love the pun in the title hehe
As well as communism.
https://github.com/ornicar
Can't tell if this comment is supposed to be griping from dour conservative or praise from a communist lichess fan
Or maybe you can decide for yourself how you feel about “a hippie communist chess server for drug fueled atheists.”
"None the wiser" is indeed an appropriate username! Please, tell us, by your snark I can assume you're most displeased with this collection of adjectives. But which ones in particular and why?
Do hippies frighten you because they represent a more egalitarian and prosperous ideology than your narrow minded brain can conceive of?
Do communists make you quake in your boots because you don't believe you could get on in a society where you might not be able to solve all of your problems with money? indeed, imagine if you might have to rely upon people liking you; I also fear for your ability to get on.
Is it the "drug fueled" portion, because you perhaps feel some right to tell other consenting adults (whom probably know much better about their bodies and their own lives than you do about yours) what to do on their spare time?
Or are you waking up to the fact that we, as a society, are becoming more secular[0], and thus you see the advance of atheism as an attack against the institution of your personal sky daddy?
And these are all reasonable things to think of you, since you only wave vaguely at a collection of adjectives while expressing some nebulous form of disdain. Perhaps either clarify the nature of your disagreement, or continue to persist in the shadow of intellectual doubt and fear you appear to be laboring under... which is a disease very common to people who appear to believe as you do.
[0] https://web.archive.org/web/20240123000719/https://www.nytim...
Am I the only one who took the "decide for yourself" at face value? It's not even like digging something up, it says right on the author's GitHub.
Perhaps, but then again, I find that typically only people who find those terms odious would care enough to quote that particular passage from the github and then refuse to elaborate on their own personal opinion of it. I also find that people who engage in such hit and run tactics are, typically, not very courageous in their own beliefs, or they'd be full chested about it.
Holy shit, no. You are not!
I love this comment! It exposes all the hate. I wish I had the ability to respond like you. Good writing! (oh and if I wasn't clear, I agree with you. OP needs to back it up, examine himself, and stop trying to control or hate others)
Didn't you hear? The reds are at our door and want to destroy capitalism!
You should be careful playing there - you might become infected by hippie communist ideology and denounce God during your drug-fuelled chess binges.
"God is dead and Lichess has killed him" is also what Nietzsche said when writing "The Gay Science" and playing on Lichess.
Thanks for the warning. My male cousin tried playing on Lichess once. She now wears knee-high socks and listens to catgirl-emo music while puffing “the reefer” and praying to Karl Marx
I and many others find the UX to be worse, the tutorials/lessons definitely way less interactive (usually consist of just a text dump) and the sheer number of games where the opponent doesn’t make a single move to be extremely frustrating.
It’s also impossible to discuss anything related to chess.com on here or Reddit because lichess people tend to downvote and brigade anyone who doesn’t praise it.
UX is probably a matter of habit, I for one find the chesscom UI unintuitive and I can never find what I'm looking for, but Lichess certainly also has its problems.
The free and (to me) intuitive analysis tools on Lichess are the killer feature for me.
The UX for the analysis part is actually significantly better on Chess.com
Word
I very much disagree. Chess.com has analysis being more human-readable, the Lichess graph of move strength is amazing for zooming in to your major gamechangers.
The people I've met from chess.com were straightforward and focused on their craft. The product they work on doesn't seem to hurt anyone and I haven't see any exploitation common to tech companies. I heard they don't pay Bay Area salaries, which is probably makes them more sustainable over the long-term.
I wonder if the peaceful co-existence of lichess and chess.com co-existing somehow disturbs some esoteric ideology.
Their website also came out at a time when it was common for competitors like ICC to charge people to play chess online, chesscom being his huge well featured free website helped push forward the popularity of online chess, and their for-profit model is what allows many of the aforementioned streamers to make a living.
I don't hate lichess but I hardly see chesscom as evil.
This is a weird rivalry to read about. There should be an agreeable way for them to settle it, maybe some competitive game they both enjoy.
stockfish v stockfish!
Iirc, some of the hate comes from the fact they were paying popular chess streamers not to play/stream on lichess.
Exclusivity contracts seem pretty common in sports media, streaming, and other fields. I don't know the details but a quick google search turns news like https://www.reddit.com/r/chess/comments/7v7xhp/downvotes_wou...
Apparently, some people thought Chess.com was trying to paywall chess streaming content. Strange
I love lichess, their mobile app is such a pleasure to use compared to chess.com.
I do use lichess on my iPhone, mostly because the pieces don’t even show up on chess.com. If I’m at my laptop though it’s chess.com
I just love LiChess. It is fast and lightweight. People are also very nice.
I play short time controls like blitz in lichess. But for rapid I prefer chess.com as lichess has too much cheating. I find lichess UI/UX better and faster than Chess.com.
Since the topic of WebAssembly came up today afain today, lichess uses stockfish compiled to wasm delivered to the client to reduce server costs.
It's painful to play on lichess due to wide spread cheating and people opening new accounts. I've been playing on chess.com as a paid user and having much better experience. I don't know what changes chess.com made in the past year but they are definitely moving in the right direction.