Aries
@ariesclark.com
22, Adlily co-founder, a #vr advertising & analytics platform 📊 software engineer at @flirtu.al, the VR dating app 🩷
Almost every other week I find a new platform with severe issues. Most however encourage responsible disclosure, unlike Avatown.
It's horrifyingly common.
It's horrifyingly common.
December 3, 2024 at 8:29 AM
Almost every other week I find a new platform with severe issues. Most however encourage responsible disclosure, unlike Avatown.
It's horrifyingly common.
It's horrifyingly common.
I'm pretty sure they pulled the site after my post (also posted to Twitter) and others began exploring the vulnerabilities.
December 3, 2024 at 8:24 AM
I'm pretty sure they pulled the site after my post (also posted to Twitter) and others began exploring the vulnerabilities.
It's a platform's responsibility to ensure the safety and security of its users' information. Don't make the same mistakes as Avatown.
December 3, 2024 at 2:37 AM
It's a platform's responsibility to ensure the safety and security of its users' information. Don't make the same mistakes as Avatown.
This is just the tip of the iceberg—these issues were discovered within only 20 minutes of visiting the site.
If a malicious actor stumbled upon this, or if I had spent more time investigating, I'm confident I would uncover an entirely new trove of vulnerabilities.
If a malicious actor stumbled upon this, or if I had spent more time investigating, I'm confident I would uncover an entirely new trove of vulnerabilities.
December 3, 2024 at 2:37 AM
This is just the tip of the iceberg—these issues were discovered within only 20 minutes of visiting the site.
If a malicious actor stumbled upon this, or if I had spent more time investigating, I'm confident I would uncover an entirely new trove of vulnerabilities.
If a malicious actor stumbled upon this, or if I had spent more time investigating, I'm confident I would uncover an entirely new trove of vulnerabilities.
Avatown has a approval process in-place for new products, which is perfect for preventing spam & malicious listings.
But, you can just update your own product's `isApprovedByAdmin` field to true, bypassing this protection entirely.
But, you can just update your own product's `isApprovedByAdmin` field to true, bypassing this protection entirely.
December 3, 2024 at 2:37 AM
Avatown has a approval process in-place for new products, which is perfect for preventing spam & malicious listings.
But, you can just update your own product's `isApprovedByAdmin` field to true, bypassing this protection entirely.
But, you can just update your own product's `isApprovedByAdmin` field to true, bypassing this protection entirely.
Did you know everything on Avatown is free?
When creating an order, your client sends a request to /api/v1/order/makeStripePayment, which would be fine, except for the fact that you provide which product you want & the price of it.
Server-side validation, what's that?
When creating an order, your client sends a request to /api/v1/order/makeStripePayment, which would be fine, except for the fact that you provide which product you want & the price of it.
Server-side validation, what's that?
December 3, 2024 at 2:37 AM
Did you know everything on Avatown is free?
When creating an order, your client sends a request to /api/v1/order/makeStripePayment, which would be fine, except for the fact that you provide which product you want & the price of it.
Server-side validation, what's that?
When creating an order, your client sends a request to /api/v1/order/makeStripePayment, which would be fine, except for the fact that you provide which product you want & the price of it.
Server-side validation, what's that?
XSS injection, arbitrary code execution.
An issue I test for quite often on platforms, and a fairly severe one at that. This vulnerability lets you redirect visitors, steal credentials & personal information.
Spicy.
An issue I test for quite often on platforms, and a fairly severe one at that. This vulnerability lets you redirect visitors, steal credentials & personal information.
Spicy.
December 3, 2024 at 2:37 AM
XSS injection, arbitrary code execution.
An issue I test for quite often on platforms, and a fairly severe one at that. This vulnerability lets you redirect visitors, steal credentials & personal information.
Spicy.
An issue I test for quite often on platforms, and a fairly severe one at that. This vulnerability lets you redirect visitors, steal credentials & personal information.
Spicy.
The culprit: goavatown.com
After reaching out and providing a responsible disclosure, they chose not to address the issues. Instead, they decided to remove me from their platform and community.
So, logically, a public disclosure is next.
After reaching out and providing a responsible disclosure, they chose not to address the issues. Instead, they decided to remove me from their platform and community.
So, logically, a public disclosure is next.
Avatown - World's best Avatar Marketplace
World's best Avatar Marketplace
goavatown.com
December 3, 2024 at 2:37 AM
The culprit: goavatown.com
After reaching out and providing a responsible disclosure, they chose not to address the issues. Instead, they decided to remove me from their platform and community.
So, logically, a public disclosure is next.
After reaching out and providing a responsible disclosure, they chose not to address the issues. Instead, they decided to remove me from their platform and community.
So, logically, a public disclosure is next.
I love cheesecake, can I have some?
November 11, 2024 at 1:32 PM
I love cheesecake, can I have some?
I have leftover pizza, but it was spicier than I could handle.
October 23, 2024 at 2:35 PM
I have leftover pizza, but it was spicier than I could handle.
the graphs in question:
metrics.vrchat.community
metrics.vrchat.community
Grafana
metrics.vrchat.community
October 21, 2024 at 6:57 PM
the graphs in question:
metrics.vrchat.community
metrics.vrchat.community