Profile picture
Sarah Jamie Lewis @SarahJamieLewis
, 20 tweets, 3 min read Read on Twitter
Twitter, I am feeling a bit down, and so I am going to tell you a story of one of my favorite vulnerability discoveries...I've just checked, it's been fixed (kinda)...

Let me tell you about the case I call: The Blowjob Injection Attack
Ok...so, as I am sure you are all aware from your regular internet browsing, cam and porn sites are all about Virtual and Augmented reality these days.
If you are fortunate enough to be able to afford a connected device you now have a myriad of sites who will helpfully deliver sexy hands free fun times right to your genitals while you watch your porn.
So there is a cam site, I won't name them cause I'm nice, who decided to get in on the virtual blowjob business.
Like many sex companies they decided to be innovative, forward thinking...I mean it's a competitive space.....
So they built a Build Your Own Blowjob feature, it was actually pretty cool you could select different predefined actions like "gentle", "just the tip" and ofc "deep throat" and construct a custom blowjob
Then you could *email* that blowjob to someone! How awesome is that?! All they would have to do is click on the link and they could experience your lovingly crafted blowjob!
But alas by dear tweeter they fun was not to last...for you see that link that they constructed contained a base64 encoded json representation of the blowjob...
So...if one did not wish to be encumbered by the restrictions of predefined actions one could simply edit the json and have access to the whole universe (of connected toy fidelity) blowjobs.
But it gets worse my dear tweeter.
For you see...you could also include a title for your blowjob, because as we know all good blowjobs deserve a name.
Sadly... no one had bothered to ponder what might happen should said name contain less that desirable characters and what would happen if these characters were to just be rendered on the page.
I will leave you to ponder the consequences of having an XSS vulnerability on a page with no framebusting and preauthed connection to a robot wrapped around or inside someones genitals...
But anyway they fixed it by encoding literally everything and now their blowjob builder doesn't work at all.
I have no idea what the timeline was to fix the blowjob injection attack...I reported it in March...and I think I checked it again in May and it was still working...it got fixed sometime between May and October.
This is a good question.

I discovered it while on a mission to download as many blowjobs as I could from the internet.

Because I was trying to prove Blowjob Fingerprints are a thing.

I'm still working on that research.
I say "I'm still working on it"...I have a half a "blowjob analytics device" built and I'm waiting on time, funding and energy to finish it off.
If you would like to help fund my blowjobs analytics device and further my o̶b̶s̶e̶s̶s̶i̶o̶n research on the possibility of deanonymizing people via blowjobs I have a patreon: patreon.com/sarahjamielewis
This is as far as I got with blowjob fingerprinting from downloaded blowjobs...lots of blowjob graphs.
Since I downloaded most of those blowjobs without permission....is distributing a graph of them technically pirating?
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Sarah Jamie Lewis
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!