Hacker News: ylk

AI agents imperiled by critical vulnerability in open source package

ylk — Tue, 26 May 2026 21:34:29 +0000

Article URL: https://arstechnica.com/information-technology/2026/05/millions-of-ai-agents-imperiled-by-critical-vulnerability-in-open-source-package/

Comments URL: https://news.ycombinator.com/item?id=48286296

Points: 7

# Comments: 0

New comment by ylk in "BadHost – CVE-2026-48710: Starlette Host-Header Auth Bypass"

ylk — Tue, 26 May 2026 09:15:45 +0000

The URL was meant to be https://badhost.org, the site accidentally still has the old canonical meta tag.

BadHost – CVE-2026-48710: Starlette Host-Header Auth Bypass

ylk — Tue, 26 May 2026 09:07:18 +0000

https://arstechnica.com/information-technology/2026/05/milli...

Comments URL: https://news.ycombinator.com/item?id=48277107

Points: 114

# Comments: 41

New comment by ylk in "Microsoft Edge stores all passwords in memory in clear text, even when unused"

ylk — Tue, 05 May 2026 12:17:34 +0000

You're correct, thank you. Sadly I can't edit my comment anymore. Sorry for the confusion.

New comment by ylk in "Microsoft Edge stores all passwords in memory in clear text, even when unused"

ylk — Mon, 04 May 2026 21:08:06 +0000

There are (illegal) marketplaces initial access brokers sell session cookies on. Some companies try to defend against that by e.g. checking whether it's even possible that you travelled from place A to place B within a certain timeframe and, based on that, might invalidate your cookie. But then again attackers, depending on their sophistication, find their ways around it by ensuring they proxy their traffic via geographically close residential proxies, use the same OS and browser versions, etc.

Google now wants to bind credentials to a device by storing the secret in the TPM: https://blog.google/security/protecting-cookies-with-device-...

New comment by ylk in "Microsoft Edge stores all passwords in memory in clear text, even when unused"

ylk — Mon, 04 May 2026 20:05:23 +0000

For reference, this is how Google says Chrome stores passwords encrypted in memory and uses an elevated service to prevent other processes from impersonating Chrome and gaining access to the plain text passwords: https://security.googleblog.com/2024/07/improving-security-o...

New comment by ylk in "I found a vulnerability. they found a lawyer"

ylk — Fri, 20 Feb 2026 22:25:29 +0000

This is not how CVEs work at all. You can be pretty vague when registering it. In fact they’re usually annoyingly so and some companies are known for copy and pasting random text into the fields that completely lead you astray when trying to patch diff.

Additionally, MITRE doesn’t coordinate a release date with you. They can be slow to respond sometimes but in the end you just tell them to set the CVE to public at some date and they’ll do it. You’re also free to publish information on the vulnerability before MITRE assigned a CVE.

New comment by ylk in "GrapheneOS – Break Free from Google and Apple"

ylk — Tue, 17 Feb 2026 12:24:08 +0000

> The baseband can do a lot, it has dma

There's an IOMMU:

> Is the baseband isolated? > Yes, the baseband is isolated on all of the officially supported devices. Memory access is partitioned by the IOMMU and limited to internal memory and memory shared by the driver implementations. [...]

https://grapheneos.org/faq#baseband-isolation

> GrapheneOS cannot really influence this, but hardened_malloc could conceivably help.

They can and do, see above. But I don't see how hardened_malloc is related to the baseband doing DMA.

New comment by ylk in "RediShell: Critical remote code execution vulnerability in Redis"

ylk — Tue, 07 Oct 2025 09:20:16 +0000

fwiw, they're using CVSSv3. In CVSSv4, it's probably an 8.7: https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L...

New comment by ylk in "Google: 'Your $1000 phone needs our permission to install apps now' [video]"

ylk — Sun, 31 Aug 2025 14:39:22 +0000

> Android 16 no longer provides device trees for Pixels as part of the Android Open Source Project. It's important to note it doesn't provide those for any other devices. There are no other OEMs providing similar AOSP support. [...]

by strcat, Graphene OS founder https://news.ycombinator.com/item?id=44679100

New comment by ylk in "Blurry rendering of games on Mac"

ylk — Fri, 15 Aug 2025 08:37:57 +0000

The screen is a 16:10 screen with some extra pixels added next to the notch. By default, the system uses a resolution of 1512x982 (14"), which you can change to 1512x945 (16:10) to move the menu bar below the notch and end up with black pixels next to the notch.

New comment by ylk in "Containerization is a Swift package for running Linux containers on macOS"

ylk — Tue, 10 Jun 2025 13:09:30 +0000

You don’t have to assume, the docs in the repo tell you that it does run a Linux kernel in each VM. It’s one container per VM.

New comment by ylk in "Quarkdown: A modern Markdown-based typesetting system"

ylk — Tue, 03 Jun 2025 18:43:01 +0000

Not trying to argue that this happens regularly, but some recent (last 6 months or so) minted update contained breaking changes.

New comment by ylk in "Homomorphic encryption in iOS 18"

ylk — Wed, 15 Jan 2025 14:07:27 +0000

> a feature that can only be appreciated by a subculture of people (privacy advocates)

Just because it can’t be “appreciated” by all users doesn’t mean it’s only “for” a small sub-group.

It seems to me they’re just trying to minimise the data they have access to — similar to private cloud compute — while keeping up with the features competitors provide in a less privacy-respecting way. Them not asking for permission makes it even more obvious to me that it’s not built for any small super privacy-conscious group of people but the vast majority of their customers instead.

New comment by ylk in "A mole infiltrated the highest ranks of American militias"

ylk — Sat, 04 Jan 2025 20:35:13 +0000

What you write sounds plausible at first, but then there’s this example from the German KSK:

„In 2018, the German Federal Criminal Police Office uncovered a plot involving unknown KSK soldiers to murder prominent German politicians such as Claudia Roth, Heiko Maas and Joachim Gauck among others, and carry out attacks against immigrants living in Germany.[7] Also, earlier that same year in a separate investigation, the State prosecutors in the city of Tübingen investigated whether neo-Nazi symbols were used at a "farewell" event involving members of KSK.[8][9]

In June 2020, German defence minister Annegret Kramp-Karrenbauer announced that the unit would be partially disbanded due to growing far-right extremism within the ranks.[10] The KSK had become partially independent from the chain of command, with a toxic leadership culture. One of the force's four companies where extremism is said to be the most rife was to be dissolved and not replaced.[11]“

https://en.m.wikipedia.org/wiki/Kommando_Spezialkr%C3%A4fte

New comment by ylk in "Passkey technology is elegant, but it's most definitely not usable security"

ylk — Mon, 30 Dec 2024 17:06:55 +0000

It’s recommended to have at least two anyway, to still have access to your accounts in case one is lost. That means you can keep one key at your desktop and you’d only need to go up to get your keys when adding them to an account.

New comment by ylk in "A Tour of WebAuthn"

ylk — Thu, 26 Dec 2024 23:24:33 +0000

I agree that it's annoying that there's now a limit on the amount of credentials you can store on hardware keys. But while older Yubikeys only support 25 resident keys, models with firmware 5.7 onwards support 100. That probably makes it feasible to exclusively store passkeys in hardware. https://www.yubico.com/blog/empowering-enterprise-security-a...

However, I don't know whether it's possible to delete only a single resident key you no longer need.

New comment by ylk in "A Tour of WebAuthn"

ylk — Thu, 26 Dec 2024 23:07:42 +0000

Just use a password manager that doesn't sync by itself then

https://keepassxc.org/docs/KeePassXC_UserGuide#_passkeys

New comment by ylk in "Microsoft Confirms Password Deletion for 1B Users"

ylk — Wed, 18 Dec 2024 08:29:54 +0000

I’m saying most people who do phishing likely don’t care to implement passkey detection to display a relevant error message to the user, as it’s not worth the effort, as of now

New comment by ylk in "Microsoft Confirms Password Deletion for 1B Users"

ylk — Wed, 18 Dec 2024 08:28:56 +0000

There are syncable and hardware-bound passkeys and you are free to use a password manager that syncs your passkeys. iPhones don’t even let you create a passkey with the built in password manager if you have synchronisation disabled. I don’t know for sure if Google does the same but I expect them to.

If you’re remembering all your passwords there’s a good chance they’re terrible, you frequently re-use them or both. That really helps attackers e.g. when they use leaked passwords to run credential stuffing attacks on your employer.

You just wrote two comments bashing a technology you admit you didn’t properly educate yourself about.