Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Technical write up by the security researcher at https://emily.id.au/tailscale

ps. she's looking an employer rn // hire her!



That article has so much more information in it that I've changed the URL to that from https://tailscale.com/security-bulletins/#ts-2022-004. Thanks!


I submitted it 7 hours ago, but it didn't get any traction with the original title https://news.ycombinator.com/item?id=33695800.


Ah sorry - we're eventually going to implement karma sharing to take care of cases like this. Often I search to see if someone else has already submitted the 'better' URL but I forgot to do that here.

There's a lot of randomness in which submissions get noticed and achieve liftoff from /newest. At least it evens out over time if you continue to post good submissions!


Always nice to see a vendor respond quickly and adequately. Even better when they go above and beyond, as seems to be indicated here by the timeline posted and the assessment of what fixes were put in place by the researcher(s). Good job Tailscale.


Very well written. Also quite worrying given they're supposed to be a security company and these kinds of issues are well known.

Then again it does seem like the entire universe applies "eh probably nobody will try and hack it" to services listening on local TCP interfaces.

They certainly don't care about multi-user machines, though I suppose there are so many local root exploits these days you're basically trusting your users anyway in that situation.


> Also quite worrying

Linux is used by by docent "security companies" and still has vulnerabilities from time to time. So does Apple in the products where their care about security, etc.

More important are three things to realize:

1. their handling of the incident, which wasn't just fast but you could say absurdly fast to a point that I'm pretty sure multiple employees dropped everything the moment they read the mail to solely focused on fixing and analyzing it

2. it's Windows only (at least it's main problem is), coming from a workaround for a feature "missing" in windows from a company which is relative young and started out in the Linux/UNIX space.

3. it is exploitable due to a fundamental design flaw of browsers

Or what I'm trying to say: It isn't that surprising (or worrying) that such a thing happened, what matters is how they handle it and make sure that it will not happen again.


> a feature "missing" in windows

It's not missing. Windows has named pipes. They just don't use the same API as Unix sockets so you would have to do some work to do it properly (or use an existing library that abstracts both interfaces).

In any case Windows has had support for Unix sockets since 2017 so there's really no excuse.

> Linux is used by by docent "security companies" and still has vulnerabilities from time to time. So does Apple in the products where their care about security, etc.

Right but neither of them are companies whose sole product is a security product.

I agree their response time is good - they probably realised how bad it looks!


Well, since tailscale doesn't auto update, it doesn't matter how fast the response is. Updating it will take a long time anyway.


sounds like tailscale should


that would be a really cool outcome (tm)


can you DM me her email? I can't find it anywhere and I'd love to start a chat with on a security position at my work.


Have passed your comment over to her. The website has been updated with an email address.


Thanks!


Best exploit write up I’ve read. All the details, interspersed with nonchalant humor.

“None of these words are in the Bible.

This is certainly true of the King James Version, but many of these words can be found in what might as well be the Old Testament of Same-Origin Policy: the WhatWG Fetch Standard, which defines the CORS rules we are being accused of violating.”


no love for our homie Jamie, Geoffrey?


where does she say she is looking for an employer? Would be worthwhile to start a conversation with her.


Em interned with me earlier this year. Have passed the threads over to her.


The quality of her writing is wonderful, clear, to the point, funny and of course all the technical details are well explained. For a non native English reader like me (I am French), a real pleasure to read. You can congratulate her!





Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: