Profile picture
Elliot Alderson
@fs0c131y
, 9 tweets, 4 min read Read on Twitter
📢 Technical thread 📢

In fact, the vulnerability I found on #Tchap is a problem that comes from the Python email.utils module 😨

The parseaddr method seems very broken, you should not use it at all. Let me show you why. 1/
1. Open a terminal
2. python
3. import email.utils

We are ready to play! 2/
"Parse address – which should be the value of some address-containing field such as To or Cc – into its constituent realname and email address parts. Returns a tuple of that information, unless the parse fails, in which case a 2-tuple of ('', '') is returned" 3/
Yesterday, this is how @Matrix was using the parseaddr method. Job done, no? 4/
What is happening if I add @presidence@elysee.fr at the end of my email address?

Sh*t, the result is still my email address 😮. This vulnerability can be useful to bypass some email restriction as we saw yesterday 5/
It's working also if you add a space between your email address and @presidence@elysee.fr 6/
But wait, what is happening if I enter something which is not an email address?

According to the doc, he is suppose to return an empty string.

WTF?! It returns my input 7/
Clearly, this parseaddr is not doing his job...

If you use this method in your codebase, review it asap, especially if you have implemented an email restriction 8/
As noticed by @bortzmeyer, an issue on the Python bug tracker is opened since 2018-07-19 bugs.python.org/issue34155
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Elliot Alderson
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#Tchap

More from @fs0c131y see all

Profile picture
Elliot Alderson
@fs0c131y
1/ Et si on faisait un petit point sur #Tchap? Parlons des faits, cela permettra à tout le monde de se faire une opinion.

Le 23 Mars dernier la @_DINSIC publie sur le PlayStore Tchap, une application de messagerie « sécurisée » pour les employés du gouvernement français.
2/ Le 18 avril, une campagne de communication commence. On peut voir dans la presse des articles du type « Tchap une application de messagerie plus sécurisée que Telegram ». C’est le lancement officiel phonandroid.com/tchap-letat-la…
3/ Le même jour, j’analyse cette app et j’arrive à m’inscrire sur Tchap en tant qu’employé de L’Elysée. Cette faille de sécurité est en réalité une faille de la solution de messagerie appelé Matrix utilisé par Tchap medium.com/@fs0c131y/tcha…
Read 17 tweets
Profile picture
Elliot Alderson
@fs0c131y
Bon. Je viens de trouver 2 autres failles critiques dans #Tchap. Ça fait un total de 5 failles. Pour une application de messagerie sécurisée ça fait beaucoup...🤦‍♂️

Élégance française oblige, je peux lier les 2 failles.

Pour le moment, je vous déconseille d’utiliser #Tchap
Accessoirement je pars en vacances demain. J’avais pas envie de gérer ça maintenant
Personne n’a testé la sécurité sur ce projet. C’est pas possible sérieusement.
Read 3 tweets
Profile picture
Elliot Alderson
@fs0c131y
The @BJP4India filled a complaint against @rajakumaari because of... a tweet.

@BJP4India we need to talk. Have you ever heard of freedom of speech? If a political party is closing the social media accounts of his opponents, is it still a democracy? #JustAsking
I'm not taking side here. But even if @rajakumaari is spreading "fake news" this is not the responsability of the @BJP4India to ask the suspension of this account
This is the related tweets. If every time someone made a bad joke we had to close their account, well Twitter would be empty
Read 7 tweets

Related threads

Profile picture
Dr. Sturg
@DrSturg
#Thread 1/ Today's a day when I think a lot of people are going to be discussing and critiquing #journalism Since I've been teaching the subject for quite some time now, here's some things I tell my students about their relationships to public officials.
2/ The first rule of #journalism, even in the @spj_tweets code of ethics, is to "seek truth and report it." Sources of truth don't always want it shared. Everyone wants to look good, and when people have chosen to do bad things, they don't want you to expose them.
3/ A side #ProTip for newsmakers: The best way to avoid unfavorable coverage is to not do bad things. It's not 100%, but it works a lot better than other shenanigans you try.
Read 16 tweets
Profile picture
Reza Nasri
@RezaNasri1
#Thread on Trump, Pompeo and Pence's irresponsible banalization of the words "Genocide" and "Holocaust" at the State of the Union address (#SOTU) , the #WarsawSummit and #MSC2019.
1) Raphael Lemkin, known as the father of the Genocide Convention, rejected the terms "Barbarity", "Mass murder", "Denationalization", "Germanization", "Magyarization" and many others to depict Hitler's attempt to annihilate the Jewish population.
2) He wanted a word that would - according to @AmbPower44 in her book "A Problem from Hell" - "connote a practice so horrid and so irreparable that the very utterance of the word would galvanize all who heard it". To Lemkin words mattered. So he came up with the word "Genocide".
Read 11 tweets
Profile picture
DespicableDrew
@DespicableDrew
#THREAD: the #Epstein case vs the #MichaelJackson case: for those talking about "getting away" with "crimes", let's take a look at how (white) privilege really works. And why nobody talks about Epstein, while #MJ is being subjected to another slanderous mockumentary. (1)
For a good comparison, we'll take a look at the timeline of the #Epstein case versus that of the #MJ case. You'll see the differences in approach, treatment and mediatic consequences by yourself. #JusticeforMJ #ExposeTheLiars (2)
miamiherald.com/news/local/art…
As per screenshot 1, the parents of #Epstein's alleged victim, a 14-y.o. girl, reported the alleged crime to the police. In 1993, the first allegations against MJ started with an extortion plan and a search for a "highly profitable settlement". (3) More: themichaeljacksonallegations.com/the-1993-alleg…
Read 40 tweets
Profile picture
AeroDynamic Women
@AeroWomen
#Thread of responses from women in aerodynamics to the question, 'what would you like to see in order for women's career progression in your field to be sustained and better supported?'

Responses incl. career flexibility, mentoring and more women in leadership roles #WomeninSTEM
1. "I think young female engineers need to see more female role models and mentors in my field. Having a visible example of someone that looks like you and is succeeding in their field is important. Having an opportunity to meet with a mentor like that can be very powerful."
2. "I would like to see that any career promotion is based on own merits and value added to the company or the society independently of the gender. I want that women are measured with the same rules as men and are given equal opportunities."
Read 68 tweets
Profile picture
H E X A
@hexadecim8
I'm about to drop a severely nerdy and overly technical thread on you all about automagically parsing heaps of old declassified CIA documents for coverterms using python, NLP libraries, regex, and maybe a little love. Either strap in or block me. W/E
So I start with my problem statement; I have an asinine amount of declassified documents scraped off of CIA's digital reading room. I know I want to practice NLP and regex going into this, but I also know this is a multi-step process that is probably going to be pretty complex.
So I start with an archive of 250001 PDF files which amounts to somewhere around 90 GB. The first, longest step of this process was to run Optical Character Recognition against the documents and add a searchable text layer to the original PDFs. Not so bad.
Read 28 tweets
Profile picture
Dr H.A. Hellyer
@hahellyer
Perhaps not a day goes by now, except that the nature of authoritarianism in the Arab world is misrepresented - particularly vis-a-vis Saudi Arabia and its role in Muslim communities worldwide. So, let us be clear: #Thread
The fact that Saudi Arabia holds control over the two holiest sites in Islam doesn't translate into influence over Muslims globally. There is no papacy in Islam, and the mainstream of the Saudi Arabian religious establishment is not remotely the mainstream among Muslims globally.
On #Khashoggi: only the latest example of what unchecked authoritarianism can do. Such authoritarianism is a remarkable threat to stability. Too many seem to worry about what happens when that authoritarianism is challenged: worry about what happens when it is unchecked.
Read 9 tweets

Trending hashtags

#USD #MSDyn356 #SadhviVsDigvijay #Sabrimala #Ahwaz #Russia #DeepState #renewableenergy #MinutesToMidnight #PAYtriots #ThirdTerm #LeavingNeverland #UKIP #Flow #Patriots #Azure #2ndAmendment #DigitalPatriots #DigitalArmy #Egypte #mylifewithstan #fighting #ConnectedFieldService #WomenInScience #MJFam
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!