So I reverse engineered two dating apps...

And I got a zero-click session hijacking and other fun vulnerabilities

In this post I show some of my findings from reverse engineering the apps Coffee Meets Bagel and The League. I identified several critical vulnerabilities during the research, all of which have been reported to the affected vendors. Introduction: In these unprecedented times, more and more people are escaping into the digital world to cope with social distancing. During these times cyber-security is more important than ever. From my limited experience, very few startups are mindful of security best practices.

Privomega: A Privacy-Preserving Random Stranger Chat Protocol (Sketch)

Like Omegle, but with more privacy, with provable randomness, E2EE, and more

⚠️ This is a work-in-progress sketch. Introduction: Omegle is one of the first stranger chat services. To quote from their website: Omegle (oh·meg·ull) is a great way to meet new friends. When you use Omegle, we pick someone else at random and let you talk one-on-one. To help you stay safe, chats are anonymous unless you tell someone who you are, and you can stop a chat at any time.

Cross-IPFS-site scripting

IPFS vs same-origin policy

Introduction: These days, browsers are pretty secure, and some (Firefox, Brave) are even privacy conscious, blocking third-party trackers by default. But today’s browsers are ultimately designed for HTTP, not IPFS, and they have a different threat model in mind. All the sites on IPFS are served from the same origin as the gateway, which has some interesting implications for privacy and security. How an IPFS gateway works: An IPFS gateway is a web server that connects to some IPFS node daemon.

Privacy Issues and Concerns on Ethereum Network Layer

Or, why not to use Metamask (with default settings)

Introduction: Ethereum’s network layer, or more precisely devp2p (or libp2p), while providing encryption and authentication, does not necessarily give users anonymity or privacy. In this post I will point out some of the privacy issues and potential attacks to de-anonymize Ethereum account owners (i.e. associating an Ethereum account address with the IP address of its owner). For simplicity, we do not consider anonymity networks like Tor or I2P during the attack, although they will be discussed in the Mitigation section.

Blogging on IPFS

With Hugo, IPNS, dnslink, and Cloudflare IPFS gateway

A little fun fact about this site: This blog is a static site generated by Hugo, hosted on IPFS. I personally run an IPFS node, and the files are pinned on my node. If you came here through your own IPFS gateway, then congrats! You already know where this is going. Otherwise, keep reading and I’ll explain the entire setup of the site. The site lives permanently at the IPNS name /ipns/QmTctHYiuy3LXguP5jBP4DJAmnCD22gQbBAV24wH394vSs https://push32.

Ethereum State Channel Games - Part 1

State Serialization and Fastforward Consensus

In the first part of this state channel tutorial / demonstration, we’ll explore some simple use cases for turn-based games like tic-tac-toe or chess. I’ll skip the basics — if you don’t know what a state channel is or does, please read up about them before moving on. Furthermore, this article aims to be a conceptual guide on implementing state channels, without much copy-paste code. If you are looking for an easy-to-use state channel framework, I am shamelessly self-promoting my OpenArcade game engine, which comes with state channel support without requiring much effort from game developers.