Ah sorry - we're eventually going to implement karma sharing to take care of cases like this. Often I search to see if someone else has already submitted the 'better' URL but I forgot to do that here.
There's a lot of randomness in which submissions get noticed and achieve liftoff from /newest. At least it evens out over time if you continue to post good submissions!
Always nice to see a vendor respond quickly and adequately. Even better when they go above and beyond, as seems to be indicated here by the timeline posted and the assessment of what fixes were put in place by the researcher(s). Good job Tailscale.
Very well written. Also quite worrying given they're supposed to be a security company and these kinds of issues are well known.
Then again it does seem like the entire universe applies "eh probably nobody will try and hack it" to services listening on local TCP interfaces.
They certainly don't care about multi-user machines, though I suppose there are so many local root exploits these days you're basically trusting your users anyway in that situation.
Linux is used by by docent "security companies" and still has vulnerabilities from time to time. So does Apple in the products where their care about security, etc.
More important are three things to realize:
1. their handling of the incident, which wasn't just fast but you could say absurdly fast to a point that I'm pretty sure multiple employees dropped everything the moment they read the mail to solely focused on fixing and analyzing it
2. it's Windows only (at least it's main problem is), coming from a workaround for a feature "missing" in windows from a company which is relative young and started out in the Linux/UNIX space.
3. it is exploitable due to a fundamental design flaw of browsers
Or what I'm trying to say: It isn't that surprising (or worrying) that such a thing happened, what matters is how they handle it and make sure that it will not happen again.
It's not missing. Windows has named pipes. They just don't use the same API as Unix sockets so you would have to do some work to do it properly (or use an existing library that abstracts both interfaces).
In any case Windows has had support for Unix sockets since 2017 so there's really no excuse.
> Linux is used by by docent "security companies" and still has vulnerabilities from time to time. So does Apple in the products where their care about security, etc.
Right but neither of them are companies whose sole product is a security product.
I agree their response time is good - they probably realised how bad it looks!
Best exploit write up I’ve read. All the details, interspersed with nonchalant humor.
“None of these words are in the Bible.
This is certainly true of the King James Version, but many of these words can be found in what might as well be the Old Testament of Same-Origin Policy: the WhatWG Fetch Standard, which defines the CORS rules we are being accused of violating.”
The quality of her writing is wonderful, clear, to the point, funny and of course all the technical details are well explained. For a non native English reader like me (I am French), a real pleasure to read. You can congratulate her!
ps. she's looking an employer rn // hire her!