
rebane2001

@rebane2001@infosec.exchange

🇪🇪🏳️‍⚧️ | Archivist | 9 CVEs in Chrome | MapartCraft | Horse | rebane2001#3716 | Lyra 🦊


@rebane2001@infosec.exchange avatar rebane2001 , to random

i just made something in css you people wouldn't believe

@rebane2001@infosec.exchange avatar rebane2001 , to random

self-hosting my S3 bucket the right way

@rebane2001@infosec.exchange avatar rebane2001 , to random

slides for my disobey talk out now!!

slide onwards is all new content, showing a real google pay attack/vulnerability through SVG filters, as well as a visualization on how the SVG filter QR code generator works

https://lyra.horse/slides/?#2026-disobey

@rebane2001@infosec.exchange avatar rebane2001 , to random

roko's basilisk freaks me out but idk why cuz like i don't actually find the thought experiment itself scary

like, just the name "roko's basilisk" alone scares me, it would be just as scary if i knew nothing about it and someone told me the name

@rebane2001@infosec.exchange avatar rebane2001 , to random

Xikipedia, the Wikipedia doomscrolling "app", is now available as an actual app (PWA)!

Also:

  • fully available offline
  • algorithm saving/persistence (optional)
  • multiple profiles
  • light theme (optional)
  • full english wikipedia links (optional)
  • statistics screen

have fun!!

https://xikipedia.org/?2

Recording of the Xikipedia app on an iPhone. The app is opened, and scrolled through a tech-related feed. Then, the profiles button is pressed, displaying Default, NSFW, Pony, and Estonia. Estonia is tapped. More scrolling occurs, this time through an Estonia-related feed. Then, the statistics and settings screens are displayed. The app theme is changed to light theme.

rebane2001 OP ,

oh and to install it as an app, open the page, continue through the start screen, and tap the install button on the navbar

it installs as a PWA, so you don't need to get it from an app store or download apks

@rebane2001@infosec.exchange avatar rebane2001 , to random

so annoyed at apple for making ios impossible to make websites for

like how am i supposed to test the fact that my site crashes random iphones? it works fine on my iphone.. i can't emulate other iphones on my computer..

and then they don't allow you to use any other web browser

@rebane2001@infosec.exchange avatar rebane2001 , to random

lowkey best feeling ever is when somebody does view-source on my projects and tells me about something they found

@rebane2001@infosec.exchange avatar rebane2001 , to random

one of the things i lowkey hate is when people talk about my projects and say that they could never do anything like that themselves

like, half the reason i make stuff is to inspire people! i don't obfuscate or minify my code, i want you to view-source it!! create cool stuff!!

@rebane2001@infosec.exchange avatar rebane2001 , to random

i made a version of wikipedia you can doomscroll
https://xikipedia.org/


@rebane2001@infosec.exchange avatar rebane2001 , to random

shout out to all the news publications who link to my fedi instead of the other site

@rebane2001@infosec.exchange avatar rebane2001 , to random

i made an archery game that uses your charging cable as the controller


@rebane2001@infosec.exchange avatar rebane2001 , to random

hey fedi, im looking for some advice on masks

so sometimes i'd like to (or have to) wear a mask, but every time i do so for more than a few minutes it gets kinda bad - my nose clogs up, my face is covered in sweat, and my lips become chapped - and its pretty terrible for me sensory-wise

i've only ever tried disposable or basic masks though, so my question would be - are there any specific masks i should try out (i'm thinking maybe ones with a valve would be better), and are there any other ways to remediate the issues i'm having?

i don't like need a mask, but it would be nice if i had one with me i could comfortably wear if i want to

@rebane2001@infosec.exchange avatar rebane2001 , to random

wait wtf does bitwarden's bug bounty program not pay out any bounties??? like i can't find any monetary rewards on their hackerone page??

@rebane2001@infosec.exchange avatar rebane2001 , to random

i made a flappy bird clone that uses your folding phone as the controller

https://lyra.horse/fun/foldy-bird/


@rebane2001@infosec.exchange avatar rebane2001 , to random

The recording for my talk is out now!

You can watch "CSS Clicker Training: Making games in a 'styling' language" in English, German, and Latvian at https://media.ccc.de/v/39c3-css-clicker-training-making-games-in-a-styling-language

rebane2001 OP ,

my youtube upload of it (while i'm waiting for the official one)
https://www.youtube.com/watch?v=ipEkUJlvUQk

@rebane2001@infosec.exchange avatar rebane2001 , to random

calling svgs an attack vector is a diabolical pun

@rebane2001@infosec.exchange avatar rebane2001 , to random

my new blogpost is out!!

this one talks about a new web vulnerability class i discovered that allows for complex interactive cross-origin attacks and data exfiltration

and i've already used it to get a google docs bounty ^^

have fun <3

https://lyra.horse/blog/2025/12/svg-clickjacking/

@rebane2001@infosec.exchange avatar rebane2001 , to random

>finds a nice view
>takes out laptop with vscode open
>takes a photo
>posts on social media
>"what's stopping you from coding like this"
>puts laptop away
>doesn't actually code like this

@rebane2001@infosec.exchange avatar rebane2001 , to random

did u know the 'qr' in qr codes is pronounced as 'queer'

@rebane2001@infosec.exchange avatar rebane2001 , to random

would u believe this queer made a qr code generator inside an svg filter

@rebane2001@infosec.exchange avatar rebane2001 , to random

rare

@rebane2001@infosec.exchange avatar rebane2001 , to random

i'm locked out of my hellsite account 😌

@rebane2001@infosec.exchange avatar rebane2001 , to random

idk if i've ever posted here about my bliss keyboard

the keyboard itself is a WASD V3, but the keycap design is something fully custom i did myself

btw WASD Keyboards no longer exists, so that makes mine a bit more special

rebane2001 OP ,

the winamp section of the design actually subtly shows which key does what

(and yes, that is a sharex key above them)


rebane2001 OP ,

i've had it for like 5 years now, so i thought it would be fun to share a few pics of it here too :)


@rebane2001@infosec.exchange avatar rebane2001 , to random

what does this mean chat

@rebane2001@infosec.exchange avatar rebane2001 , to random

huh, seems like discord had a breach or something of its support tickets?

@rebane2001@infosec.exchange avatar rebane2001 , to random

fastmail gotta have one of the most responsive bug bounties out there

i've previously had my vulns fixed in <36h and now i submitted another bug and that was fixed in 6h??

they also sponsor dompurify's bug bounty so that's cool as fuck

and they have the most fun css sanitiser!

@rebane2001@infosec.exchange avatar rebane2001 , to random

i've been trying to find a specific cohost css crime i remember seeing

it was this (horror?) story about some fictional site or name or something

and the crime was that the cohost logo was changed to that name using a position:fixed div

rebane2001 OP ,

Found it!!
https://web.archive.org/web/20250101070934/https://cohost.org/blackle/post/9653-septagram-internet

shout out to cervine.online for helping me remember the name of the post

@rebane2001@infosec.exchange avatar rebane2001 , to random

it's the "apple releases new stuff so they must delete the old promo videos" season again (they do this every time)

@rebane2001@infosec.exchange avatar rebane2001 , to random

las vegas

rebane2001 ,

@groupnebula563@cuddly.tube "+ antonymph benchmark" 😭

@rebane2001@infosec.exchange avatar rebane2001 , to random

honestly i love seeing how well my blogpost is doing on fedi vs the other app <3

i hope one day most of my audience will be here, cuz fedi is awesome!

@rebane2001@infosec.exchange avatar rebane2001 , to random

somehow i still keep learning new stuff about css

today i discovered that font-family: monospace; causes the text to become smaller!

you can get around this by doing font-family: monospace, monospace;

@rebane2001@infosec.exchange avatar rebane2001 , to random

some of the cursors they have in inkscape are WILD


@rebane2001@infosec.exchange avatar rebane2001 , to random

the proton mail bug bounty rewards are incredibly low!?

if you're a greyhat with a data leak bug you're NOT gonna take the $200 from proton when you could make literally 100x that selling it to someone with questionable ethics that hates journalists

@rebane2001@infosec.exchange avatar rebane2001 , to random

this slider


@rebane2001@infosec.exchange avatar rebane2001 , to random

does anything on fedi actually use the circle u can set in the image alt text?

rebane2001 OP ,

@aeva do u have any examples? i believe you, but i'm just looking for examples where i can actually see it in use

rebane2001 OP ,

@aeva tyy!

@rebane2001@infosec.exchange avatar rebane2001 , to random

lmao this is amazing, try opening the link, clicking on the laptop screen, and typing on your keyboard
https://developer.bbc.com/login-required

@rebane2001@infosec.exchange avatar rebane2001 , to random

it's finally time...

this is css clicker, a fully-featured incremental game where your goal is to design your own personal website and get as many views on it as possible

the fun part? it's a pure-css game, meaning it has zero javascript or server-side code.

have fun!

https://lyra.horse/css-clicker/

@rebane2001@infosec.exchange avatar rebane2001 , to random