Profile picture
Sarah Jamie Lewis @SarahJamieLewis
, 20 tweets, 3 min read Read on Twitter
Twitter, I am feeling a bit down, and so I am going to tell you a story of one of my favorite vulnerability discoveries...I've just checked, it's been fixed (kinda)...

Let me tell you about the case I call: The Blowjob Injection Attack
Ok...so, as I am sure you are all aware from your regular internet browsing, cam and porn sites are all about Virtual and Augmented reality these days.
If you are fortunate enough to be able to afford a connected device you now have a myriad of sites who will helpfully deliver sexy hands free fun times right to your genitals while you watch your porn.
So there is a cam site, I won't name them cause I'm nice, who decided to get in on the virtual blowjob business.
Like many sex companies they decided to be innovative, forward thinking...I mean it's a competitive space.....
So they built a Build Your Own Blowjob feature, it was actually pretty cool you could select different predefined actions like "gentle", "just the tip" and ofc "deep throat" and construct a custom blowjob
Then you could *email* that blowjob to someone! How awesome is that?! All they would have to do is click on the link and they could experience your lovingly crafted blowjob!
But alas by dear tweeter they fun was not to last...for you see that link that they constructed contained a base64 encoded json representation of the blowjob...
So...if one did not wish to be encumbered by the restrictions of predefined actions one could simply edit the json and have access to the whole universe (of connected toy fidelity) blowjobs.
But it gets worse my dear tweeter.
For you see...you could also include a title for your blowjob, because as we know all good blowjobs deserve a name.
Sadly... no one had bothered to ponder what might happen should said name contain less that desirable characters and what would happen if these characters were to just be rendered on the page.
I will leave you to ponder the consequences of having an XSS vulnerability on a page with no framebusting and preauthed connection to a robot wrapped around or inside someones genitals...
But anyway they fixed it by encoding literally everything and now their blowjob builder doesn't work at all.
I have no idea what the timeline was to fix the blowjob injection attack...I reported it in March...and I think I checked it again in May and it was still working...it got fixed sometime between May and October.
This is a good question.

I discovered it while on a mission to download as many blowjobs as I could from the internet.

Because I was trying to prove Blowjob Fingerprints are a thing.

I'm still working on that research.
I say "I'm still working on it"...I have a half a "blowjob analytics device" built and I'm waiting on time, funding and energy to finish it off.
If you would like to help fund my blowjobs analytics device and further my o̶b̶s̶e̶s̶s̶i̶o̶n research on the possibility of deanonymizing people via blowjobs I have a patreon: patreon.com/sarahjamielewis
This is as far as I got with blowjob fingerprinting from downloaded blowjobs...lots of blowjob graphs.
Since I downloaded most of those blowjobs without permission....is distributing a graph of them technically pirating?
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Sarah Jamie Lewis
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @SarahJamieLewis see all

Profile picture
Since I keep answering the same "but why don't you just..." questions about this topic, let me take a thread to explain why your "clever" ad-hoc border encryption solutions don't work and why we need better solutions in this space.
First a little prelude: In the real world sometimes people need to bring data from one jurisdiction to another, and often this rubs the powers-that-be the wrong way and they get some silly ideas about denying basic human rights.
The threat models are varied, but we generally approach real world cases with the following success criteria:

* Getting through unhindered
* Getting turned away at the border
* Forcing better civil norms (courts / warrants / lawyers etc.)
Read 18 tweets
Profile picture
Regular reminder: The telecom network is a giant tracking system and the number of people who can gain access to subscriber data is practically unlimited.

Source: this used to literally be my job.
I've been reminded of a few concepts recently and it's becoming very clear that I've forgotten more about the inner workings & implementation details of telecom protocol stacks than most people will ever know.
The vast majority of reporting on privacy issues in telecom systems painfully mischaracterize the technology & conflate different issues, despite that they generally understate the privacy problems.
Read 24 tweets
Profile picture
The world makes little sense anymore because we live within systems that have become detached from the systems they exist in which themselves have become detached from the systems they exist in...somewhere in that stack of systems is the physical world we want to understand.
To further complicate, many of those systems have provided tangible material benefit to many (often at the expense of others). The systems are no less real than the physical world because they operate over the physical world.
Our current economic & political ridiculousness is, in part, a failure of neoliberalism, itself a detachment from classical "money" economics, which is itself a detachment from the resource-limited world we live in. All a gross simplification of history, circumstance and power.
Read 11 tweets

Related threads

Profile picture
(1) 3.45am ET update. It's 9.45pm here in NZ but I'm pretty tired. Didn't plan to delve deeply into the incoming House results, foolishly assuming the usual info sources would be reasonably accurate but, I think the fakery & bias went up a notch this time. So it's been chaotic.
(2) This website has a few updating issues but for argument's sake, let's assume it's currently the most accurate.

As of this moment they have Ds at 214, Rs at 190, and 31 not called.

results.decisiondeskhq.com
(3) That's a gap that's looking unassailable rn BUT I want to remind y'all that at 9pm, 11pm, and 1am that was in no way clear or sure enough to have called it for the Ds.

Further, there will be some recounts. Probably not enough to make the difference, but important to do.
Read 26 tweets
Profile picture
1/ There are so many parallels between directing and novel writing. A short thread as I watch a few lessons on Ron Howard’s Masterclass on directing...
2/ First off, I’ll just say that Ron Howard, as I’ve generally seen him in interviews in the past, comes across as a very humble, personable man. And in his Masterclass, he’s sharing a lot of hard-earned knowledge, and complex topics, in a way that’s easy to digest.
3/ It’s interesting to look at the director, as opposed to the screenwriter, since the director no only has ultimate say over the script, but many other aspects of the film. They bring a vision, of which the script is only a part.
Read 27 tweets
Profile picture
Unfortunate to hear the news about Cassie and Diddy breaking up.

Not sure what her lifestyle has been like.

But, if she’s looking for a guy with a one bedroom apartment, 30 days of paid vacation, 0 investment properties, 0 jewelry, and occasionally orders takeout
CASSIE: Kyle, I’ve got to say. I wasn’t sure where we’d be going for dinner. But, Eleven Madison is one of my favorite places in this city. I love it here.

ME, having checked my bank app 30 times: Oh. This place? Yeah, it’s cool.
SOMMELIER: Ah, Miss Ventura. So wonderful seeing you again! Your usual bottle of wine?

CASSIE: Yes, please.

SOMMELIER: Two as always?

CASSIE: As always! 😘

ME:
Read 12 tweets
Profile picture
Ok, I am going to tell the story of one of my favorite bugs. It's gonna be kind of long and it is about a decade old so some of the details might be fuzzy.

If you figure it out or have heard this story before, please no spoilers.
There are a lot of things to take away from the story but one of the most important and most relevant is that high-fidelity event logs available in a structured and queryable format are vital for diagnosing seemingly undiagnosable bugs.
About 10 years ago MochiMedia rolled out a virtual currency called "MochiCoins". It was intended to be a multi-game virtual currency that could be bought for real money and used to buy in-game assets (including sometimes fungible in-game currency.)
Read 64 tweets
Profile picture
I just got back from seeing "The Last Jedi," and it feels like it delivered on the promise of the original more than any movie in the series. But I also think many of the analyses of it (esp the ones around masculinity) missed half the story. (Spoilers follow: mute if you want)
Each of the characters felt like they were following a very different arc, and trying to combine all of them into a single story misses many of the best parts.
Poe is the one following the classic "masculinity" thread: he spends a great deal of the movie being a hazardous idiot, more concerned with glory and "doing something" than with thinking through consequences.
Read 42 tweets
Profile picture
Women are going silent on Twitter. I don't want to do that. Instead, I'm going to tell you the story of my harassment. #onewomansstory 1/
I assume I'm going to get harassed for it, but I'm doing it anyway. Which is basically the story of my life. So let's go. #onewomansstory 2/
When I was 6, my friend's older brother showed me his penis and said that if I told anyone, he'd kill my family. I believed him. 3/
Read 62 tweets

Trending hashtags

#TrustThePlan #Twitter #movements #Ukraine #medtwitter #Oath #ActuallyAutistic #fundraising #SenateRedWave #Entertainment #Military #Skininthegame #Bullying #USA #AirForce #EnjoyTheShow #Fundraising101 #womeninmedicine #Hamilton68 #WarrenBuffet #Democrats #Facebook #WeAreData #Schiff #OathOfOffice

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!