Cute.
Happy New Year - here's what happened with Flirtual in 2024!
Almost every other week I find a new platform with severe issues. Most, however, encourage responsible disclosure, unlike Avatown.
It's horrifyingly common.
I'm pretty sure they pulled the site after my post (also posted to Twitter) and others began exploring the vulnerabilities.
It's a platform's responsibility to ensure the safety and security of its users' information. Don't make the same mistakes as Avatown.
This is just the tip of the iceberg: these issues were discovered within only 20 minutes of visiting the site.
If a malicious actor stumbled upon this, or if I had spent more time investigating, I'm confident I would uncover an entirely new trove of vulnerabilities.
JSON payload
Avatown has an approval process in place for new products, which is perfect for preventing spam & malicious listings.
But, you can just update your own product's `isApprovedByAdmin` field to true, bypassing this protection entirely.
Buying any product for free
Did you know everything on Avatown is free?
When creating an order, your client sends a request to /api/v1/order/makeStripePayment, which would be fine, except for the fact that you provide which product you want & the price of it.
Server-side validation, what's that?
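The two posts above (the editable `isApprovedByAdmin` field and the client-supplied price sent to /api/v1/order/makeStripePayment) are both "the server trusted the request body" bugs. As an added example, not code from Avatown or from the thread's author, here is each one as a minimal Node-style handler, vulnerable form beside hardened form. The product store, the field names other than `isApprovedByAdmin`, and the request shapes are assumptions for illustration.

```javascript
// Added example, not Avatown's code. Models the two server-side checks the thread
// describes as missing: an allow-list on product updates (so a seller cannot set
// isApprovedByAdmin) and a server-side price lookup when creating a payment.
// The store, the field names other than isApprovedByAdmin, and the request shapes are assumptions.

// Constructed sample data: one unapproved listing owned by "alice".
function makeStore() {
  return new Map([
    ["p1", { id: "p1", ownerId: "alice", name: "Fox avatar", priceCents: 2500, isApprovedByAdmin: false }],
  ]);
}

// Fields a seller may change. Everything else (id, ownerId, isApprovedByAdmin) is server-owned.
const SELLER_EDITABLE = new Set(["name", "description", "priceCents"]);

function loadOwnedProduct(store, userId, productId) {
  const product = store.get(productId);
  if (!product || product.ownerId !== userId) throw new Error("forbidden");
  return product;
}

// VULNERABLE: mass assignment. Every key in the JSON body lands on the record, so a body of
// {"isApprovedByAdmin": true} skips the approval queue (and "ownerId" would transfer the listing).
function updateProductVulnerable(store, userId, productId, body) {
  const product = loadOwnedProduct(store, userId, productId);
  Object.assign(product, body);
  return product;
}

// HARDENED: reject any key outside the allow-list (rather than silently dropping it, so the
// client learns), validate the accepted ones, and send the edited listing back through review.
function updateProductHardened(store, userId, productId, body) {
  const product = loadOwnedProduct(store, userId, productId);
  const rejected = Object.keys(body).filter((k) => !SELLER_EDITABLE.has(k));
  if (rejected.length > 0) throw new Error(`not editable: ${rejected.join(", ")}`);
  if ("priceCents" in body && (!Number.isInteger(body.priceCents) || body.priceCents < 0)) {
    throw new Error("priceCents must be a non-negative integer");
  }
  for (const k of Object.keys(body)) product[k] = body[k];
  product.isApprovedByAdmin = false; // any edit needs a fresh admin review
  return product;
}

// VULNERABLE: the amount charged is whatever the client put in the request body,
// so {"productId": "p1", "priceCents": 0} buys the product for free.
function buildChargeVulnerable(store, body) {
  return { productId: body.productId, amountCents: body.priceCents, currency: "usd" };
}

// HARDENED: the client only names the product; amount and purchasability come from the record.
// A price of 0 is treated as "not purchasable" here; a genuinely free item would need its own path.
function buildChargeHardened(store, body) {
  const product = store.get(body.productId);
  if (!product) throw new Error("unknown product");
  if (!product.isApprovedByAdmin) throw new Error("listing not approved for sale");
  if (!Number.isInteger(product.priceCents) || product.priceCents <= 0) throw new Error("not purchasable");
  return { productId: product.id, amountCents: product.priceCents, currency: "usd" };
}

// Stand-alone demo of both bypasses against the constructed store.
function demo() {
  const s = makeStore();
  console.log("vulnerable update:", updateProductVulnerable(s, "alice", "p1", { isApprovedByAdmin: true }));
  console.log("vulnerable charge:", buildChargeVulnerable(s, { productId: "p1", priceCents: 0 }));
  try { updateProductHardened(makeStore(), "alice", "p1", { isApprovedByAdmin: true }); }
  catch (e) { console.log("hardened update rejected:", e.message); }
}
demo();
```

The hardened charge builder is the only place an amount should be computed; if the order is then created as a Stripe PaymentIntent, that server-computed amount goes on the intent, and the fulfilment webhook should compare the intent's `amount_received` against the stored price before marking the order paid, since a client can only name a product, never a price.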
XSS injection, arbitrary code execution.
An issue I test for quite often on platforms, and a fairly severe one at that. This vulnerability lets you redirect visitors, steal credentials & personal information.
Spicy.
The culprit: goavatown.com
After reaching out and providing a responsible disclosure, they chose not to address the issues. Instead, they decided to remove me from their platform and community.
So, logically, a public disclosure is next.
Too often, platforms neglect security & safety. These must be priorities.
Today, Avatown launched with major flaws: XSS, injection risks, and more.
Let's dive in 🧵
I love cheesecake, can I have some?
Recently I opened the last PR needed to make my Godot theme complete. It addresses the issue of missing backgrounds in sidebars. After this it will only need smaller improvements.
github.com/godotengine/...
Thanks for using my theme ❤️
xrd?
Cloudflare Workflows is now in open beta! Workflows allows you to build reliable, repeatable, long-lived multi-step applications that can automatically retry, persist state, and scale out. blog.cloudflare.com/building-wor...
So real.
Walk faster, bozo.
Mexican Pizza
I have leftover pizza, but it was spicier than I could handle.
Where's the stream?
I'm so hungry 🥺
Mmmm, share?
Our #Spookality2024 winners are finally here!
Read our blog post to learn more:
hello.vrchat.com/blog/spookal...
I think it's so important to get the sky right if you want a place in VR to feel real. Stars especially just feel off most of the time, usually because they're way too bright or uniformly spaced out.
for most of my worlds I like to use star maps from NASA: svs.gsfc.nasa.gov/4851/
#MadeForVRChat
This thread is a wonderfully terse description of atproto.
Did you guys know there's a labeller for pronouns? If you sub to it, you'll see the pronouns of folks using it beneath their username on their posts! It's pretty cool and very easy to set up @pronouns.adorable.mom
It does not 🥲
testing posts with external media links... do they embed...?
files.aries.fyi/2024/10/19/e...
@duinrahaic.app is my favourite bunny, no contest.
I still find myself scrolling X, missing a lot of the "Tech Twitter" content here.