Graham Helton (too much for zblock)
Jan 26, 11 tweets, 4 min read
Excited to disclose my research allowing RCE in Kubernetes

It allows running arbitrary commands in EVERY pod in a cluster using a commonly granted "read only" RBAC permission. This is not logged and allows for trivial Pod breakout.

Unfortunately, this will NOT be patched.
I initially disclosed this in November of 2025 to the Kubernetes bug bounty program.

After much back and forth, it was decided that "this behavior is working as intended" despite the risk it poses. I disagree.
It's nuanced, but the short answer is there is a mismatch between WebSockets and the Kubelet's authorization logic.

It checks the RBAC GET verb instead of CREATE when connecting via WebSockets. In this example, sending an HTTP request is rightfully blocked.
However, when making the same connection over WebSockets, the request is permitted!
I analyzed as many helm charts as I could get my hands on and ~69 of them mention the nodes/proxy GET permission. Some of the world's biggest Kubernetes vendors rely on it because there is no generally available alternative.
I've published a very simple tutorial on exploiting this for RCE on the wonderful @iximiuz. You can try it out here: labs.iximiuz.com/tutorials/node…
Here is a script to check if your cluster has a service account that can be used for arbitrary code execution. If you're running a production cluster (especially with monitoring tools), I would highly recommend checking.

gist.github.com/grahamhelton/f…
What you can do with this permission:
- Steal service account tokens in other pods
- Execute code in any Pod, including control plane pods (etcd, apiserver, etc.).
- Execute code in privileged pods, allowing for Pod -> node breakout.
- All without the commands being logged
For the full disclosure and breakdown please refer to the disclosure.

grahamhelton.com/blog/nodes-pro…
I will be presenting this research with some of the juicy details and implications at @SpecterOps's SOCON in a few months specterops.io/so-con/#rs-tal…
@SpecterOps Soon...
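As an added example (not the author's gist and not Kubernetes project code), here is a defender-side check in the spirit of the script the thread links: it walks ClusterRole and ClusterRoleBinding objects in the shape returned by `kubectl get clusterroles -o json` / `kubectl get clusterrolebindings -o json` and flags every subject granted GET on nodes/proxy, including wildcard rules. The sample objects below are constructed, not taken from any real cluster.

```python
"""Flag RBAC subjects that can GET nodes/proxy (the permission in the thread).
Added example, not the author's gist or Kubernetes code; input is plain dicts
shaped like ClusterRole / ClusterRoleBinding API objects."""


def rule_grants_nodes_proxy_get(rule: dict) -> bool:
    """One PolicyRule covers verb 'get' on 'nodes/proxy' in the core API group.
    Resource matching follows RBAC: exact name, '*', or the '*/proxy' form."""
    groups, verbs = rule.get("apiGroups", []), rule.get("verbs", [])
    core_group = "" in groups or "*" in groups
    verb_match = "get" in verbs or "*" in verbs
    resource_match = any(r in ("nodes/proxy", "*", "*/proxy") for r in rule.get("resources", []))
    return core_group and verb_match and resource_match


def find_nodes_proxy_subjects(cluster_roles: list, bindings: list) -> list:
    """Sorted (subject, clusterrole) pairs for subjects bound to a ClusterRole that
    grants get on nodes/proxy. Only ClusterRoleBindings count: nodes are
    cluster-scoped, so a RoleBinding to the same ClusterRole grants nothing here."""
    risky = {cr["metadata"]["name"] for cr in cluster_roles
             if any(rule_grants_nodes_proxy_get(r) for r in cr.get("rules", []))}
    hits = []
    for binding in bindings:
        ref = binding["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in risky:
            continue
        for subj in binding.get("subjects", []):
            ns = subj.get("namespace")
            hits.append((f"{subj['kind']}:{ns + '/' if ns else ''}{subj['name']}", ref["name"]))
    return sorted(hits)


# Constructed sample objects, not taken from any real cluster.
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "monitoring-agent"},
     "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/proxy"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "node-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "proxy-wildcard"},
     "rules": [{"apiGroups": ["*"], "resources": ["*/proxy"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "monitoring-agent"},
     "subjects": [{"kind": "ServiceAccount", "name": "agent", "namespace": "monitoring"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "node-viewer"},
     "subjects": [{"kind": "Group", "name": "readers"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "proxy-wildcard"},
     "subjects": [{"kind": "User", "name": "ops"}]},
]
```

On a live cluster, pass the `items` arrays of the two `kubectl ... -o json` outputs to `find_nodes_proxy_subjects`; on the sample data it reports the monitoring ServiceAccount and the wildcard-bound user, but not the `nodes`-only viewer.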