Some time ago I recorded a slow motion clip of myself picking a cut-away lock.
This kind of lock is used for lock picking practice, as it lets you see the pins
and springs that make the lock work.
In this clip we can see the raking method. Raking a lock is the Rambo approach
to non-destructive lock picking: you jam a rake (half diamond, snowman, saw…
pretty much any pick but a hook) into the lock and move it around while playing
with the force applied on the tension wrench until all the pins lock in.
This technique works beautifully here because we don’t have any security pins
in the lock. Security pins usually require a more precise approach and need to
be carefully picked pin by pin.
This is the same video at real time speed. As you can see, the whole process is
Explaining the video
Too much pressure on the tension wrench caused the first pin to overset: the
lower part of the first pin got stuck between the cylinder (the piece that turns
when the lock is opened) and the case.
After reducing the force applied on the wrench we can see the pin drop and lock
into position. The lock is now ready to be opened.
Some time ago, I was testing mbed’s USBMouse and USBKeyboard, and used
CookieClicker for the proof of
The idea of these libraries is that the microcontroller tells the computer
“Hey, I’m a mouse” or “I’m a keyboard”, and we program it to send whatever key
presses or movements we want. This can be used for all kinds of reasons, including
security attacks (“Hey, I’m a keyboard. Launch the terminal, execute these
commands, close the terminal.”), but it can also be used for fun. Here, the mbed
will identify itself as a mouse and send tons of left clicks without any delay
between them.
Thanks to the mbed’s libraries you don’t need to configure the low-level USB
communication yourself, and the code is as simple as this:
And here’s a video of the device in action:
Note: The computer does not actually lag like in the video. That was because of
the screen-recording software.
For the sake of keeping this post short, I’m not going to post schematics, but
it’s a really simple circuit: the switch is connected between pin p5 and
Vout, and the USB connection was an old USB cable cut in half, soldered to some
header pins, and connected to the mbed’s USB pins as explained
In my quest for fun, I also wrote a program with the USBKeyboard library that
sends the key presses 0 to 9 over and over. I replaced the switch with a button,
started a StarCraft 2 game, created 10 random control groups, and held the button
down a few times during the beginning of the game. This way we can inflate
our APM (Actions Per Minute) automatically. Here is the result:
I’ll have to try it again, holding the button for much longer (that 736
APM is just the average APM for the whole game), just to see how high it can go.
Could it be possible to overflow a variable somewhere? We’ll see…
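What the library hides is the USB HID boot-protocol report format, which is all the host ever sees from a device like this. The following is an added example, not the code from the original post and not mbed’s USBMouse/USBKeyboard library code: it builds the 3-byte mouse reports behind a burst of left clicks and the 8-byte keyboard reports behind the 0 to 9 key presses, in plain C++ so it runs on a PC instead of the mbed. The key codes are the standard HID Keyboard/Keypad usage values for the digit keys; the struct and function names are my own.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// USB HID boot-protocol mouse report (3 bytes): button bitmask, then signed
// X and Y deltas. Bit 0 of the button byte is the left button.
struct MouseReport {
    uint8_t buttons;
    int8_t dx;
    int8_t dy;
};

// USB HID boot-protocol keyboard report (8 bytes): modifier bitmask, a
// reserved byte, then up to six simultaneously pressed key codes.
struct KeyReport {
    uint8_t modifiers;
    uint8_t reserved;
    std::array<uint8_t, 6> keys;
};

constexpr uint8_t MOUSE_LEFT = 0x01;

// A click is two reports: the host considers the button held until a report
// with the bit cleared arrives, so omitting the release gives one long press.
std::vector<MouseReport> leftClick() {
    return {{MOUSE_LEFT, 0, 0}, {0, 0, 0}};
}

// "Tons of left clicks": every click is press + release, so n clicks are 2n reports.
std::vector<MouseReport> clickBurst(std::size_t n) {
    std::vector<MouseReport> out;
    out.reserve(2 * n);
    for (std::size_t i = 0; i < n; ++i) {
        for (const MouseReport& r : leftClick()) out.push_back(r);
    }
    return out;
}

// HID Usage Page 0x07 (Keyboard/Keypad): '1'..'9' are 0x1E..0x26 and '0' is 0x27.
uint8_t digitKeycode(char c) {
    if (c == '0') return 0x27;
    if (c >= '1' && c <= '9') return static_cast<uint8_t>(0x1E + (c - '1'));
    throw std::invalid_argument("not a digit");
}

// Each keystroke is a press report followed by an all-zero release report.
// Without the release the host keeps the key down and typematic repeat kicks in.
std::vector<KeyReport> typeDigits(const std::string& digits) {
    std::vector<KeyReport> out;
    for (char c : digits) {
        KeyReport press{0, 0, {digitKeycode(c), 0, 0, 0, 0, 0}};
        KeyReport release{0, 0, {0, 0, 0, 0, 0, 0}};
        out.push_back(press);
        out.push_back(release);
    }
    return out;
}

// Wire bytes of one report, as they would go out on the interrupt IN endpoint.
std::vector<uint8_t> toBytes(const MouseReport& r) {
    return {r.buttons, static_cast<uint8_t>(r.dx), static_cast<uint8_t>(r.dy)};
}

std::vector<uint8_t> toBytes(const KeyReport& r) {
    std::vector<uint8_t> b{r.modifiers, r.reserved};
    b.insert(b.end(), r.keys.begin(), r.keys.end());
    return b;
}

int main() {
    // Dump the 20 reports that typing "0123456789" once produces.
    for (const KeyReport& r : typeDigits("0123456789")) {
        for (uint8_t b : toBytes(r)) std::printf("%02x ", b);
        std::printf("\n");
    }
    return 0;
}
```

The detail worth noticing is that every click and every key press is two reports, press and release. Forgetting the release is the classic DIY HID bug: the host sees the key as held, typematic repeat takes over, and the device “sticks”.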
For those of you who don’t know it, “memondo network” is the Spanish company
behind a bunch of websites for memes, funny gifs, etc. And, according to Alexa,
they get quite a lot of traffic (a couple of their sites are in the top 3000
and in the Spanish top 200).
Well, a couple of days ago I found an XSS vulnerability in their search system
with a curious attack vector, so let’s take a look at it:
The vulnerable pages were http://www.$(SITE).com/buscar/0/
When you tried to search for something (“DEVDEV” in our example) this GET request
was sent: http://www.cuantocabron.com/busqueda/0/devdev
After playing a bit with the search parameter, the first output of the value
(the one displayed to the user) seemed to be properly filtered, but the page
navigation buttons (prev, next) were not, so we should be able to inject code there:
But that injection is tricky… The vulnerable parameter is a link, and the server
processes it before echoing it to make it URL-friendly, which means that any
space becomes %20 and any slash screws the attack up.
That implies you could get the code executed if you decoded those values
manually in the source code, but that would not be a feasible attack.
As far as I got, I could not find a way to bypass that problem, so I had to think
about a different attack vector… I couldn’t use tags with parameters (because
of the space between the tag name and the first attribute), and I could not inject
a script because of the slash in </script>, so… What about adding attributes
to the tag being injected?
It was dirty, it was anything but subtle and it required another step of social
engineering, but it did work and it might fool someone out there. Here’s a quick
example of how it could be done:
And when the victim’s mouse hovers over the link…
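To make the reasoning above concrete, here is an added example (not the site’s code and not from the original post) that models the server-side behaviour the post describes: the search term is only made URL-friendly, spaces and slashes encoded, before being dropped into the prev/next href. Next to it is a hardened version that percent-encodes the whole term and then HTML-escapes it, plus a check on whether the href attribute survives intact. The payload is an assumed illustration of the hover-triggered attribute injection, and the link format and function names are assumptions too.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>

// Modelled (assumed) server behaviour: before echoing the term into the
// prev/next links, only spaces and slashes are encoded. Quotes pass through.
std::string urlFriendlyOnly(const std::string& term) {
    std::string out;
    for (char c : term) {
        if (c == ' ') out += "%20";
        else if (c == '/') out += "%2F";
        else out += c;
    }
    return out;
}

std::string vulnerableNextLink(const std::string& term) {
    return "<a href=\"/busqueda/1/" + urlFriendlyOnly(term) + "\">next</a>";
}

// Hardened step 1: percent-encode everything outside RFC 3986's unreserved
// set, so quotes, angle brackets and '=' cannot reach the attribute as-is.
std::string percentEncode(const std::string& s) {
    static const char* hex = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : s) {
        if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            out += static_cast<char>(c);
        } else {
            out += '%';
            out += hex[c >> 4];
            out += hex[c & 0x0F];
        }
    }
    return out;
}

// Hardened step 2: HTML-escape for the attribute context, so the link stays
// safe even if the encoder ever lets a character through.
std::string htmlEscape(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            case '\'': out += "&#39;"; break;
            default: out += c;
        }
    }
    return out;
}

std::string safeNextLink(const std::string& term) {
    return "<a href=\"/busqueda/1/" + htmlEscape(percentEncode(term)) + "\">next</a>";
}

// Check: does the href attribute still end right where the tag closes? If a
// quote in the term closed it early, whatever follows became new attributes.
bool hrefIntact(const std::string& html) {
    const std::string open = "href=\"";
    std::size_t start = html.find(open);
    if (start == std::string::npos) return false;
    std::size_t close = html.find('"', start + open.size());
    return close != std::string::npos && close + 1 < html.size() && html[close + 1] == '>';
}

// Assumed illustrative payload: no spaces and no slashes, so it survives the
// URL-friendly step; the first quote closes href, the rest becomes a quoted
// onmouseover attribute, and the template's own closing quote completes it.
const std::string kHoverPayload = "x\"onmouseover=\"alert(1)";

int main() {
    std::printf("%s\n", vulnerableNextLink(kHoverPayload).c_str());
    std::printf("%s\n", safeNextLink(kHoverPayload).c_str());
    return 0;
}
```

The fix is not a better blacklist of characters: the link is in two nested contexts (a URL inside an HTML attribute), so it needs URL encoding for the first and HTML escaping for the second, applied in that order.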
And that’s as far as I got. I did not wait until I had anything prettier or better
and just reported it like that. I sent the email yesterday at 22:12, they were
very friendly about it and it had already been fixed by 12:00 today, so good job
on their part :)
This is a common error when working with Qt (and C++ in general). You will write
some code, compile it without errors or warnings, and when you run the application
it will crash and throw a “The program has unexpectedly finished.” in the
The most common cause is using an object you have declared a pointer for
but have never allocated.
This piece of code will make the application crash:
But this one won’t:
The first example is obviously wrong, but it’s easy to forget the memory
allocation when the code starts getting longer.
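Since the two snippets are about a pointer that was declared but never allocated, here is an added example in plain C++ (not the original post’s Qt code) showing the buggy pattern, the fix, and a defensive check. Label stands in for a Qt widget such as QLabel so it compiles without Qt; the class and function names are assumptions.

```cpp
#include <memory>
#include <string>

// Stand-in for a Qt widget such as QLabel (assumed, so this builds without Qt).
struct Label {
    std::string text;
    void setText(const std::string& t) { text = t; }
};

// Crashes: the pointer member is declared but never allocated. With the explicit
// "= nullptr" the dereference is a reliable null-pointer crash; without it the
// pointer holds whatever garbage was in memory and the crash becomes intermittent.
class BuggyWindow {
public:
    Label* label = nullptr;                      // declared, never allocated
    void show() { label->setText("hello"); }     // dereferences nullptr
    bool ready() const { return label != nullptr; }
};

// Fixed: allocate before use. unique_ptr forces the allocation into the
// constructor and frees the object when the window goes away (with Qt you would
// usually write "new QLabel(this)" and let the parent widget own it instead).
class FixedWindow {
public:
    FixedWindow() : label(std::make_unique<Label>()) {}
    void show() { label->setText("hello"); }
    bool ready() const { return label != nullptr; }
    const std::string& text() const { return label->text; }
private:
    std::unique_ptr<Label> label;
};

// For pointers that can legitimately be unset, refuse instead of dereferencing.
// Returns false when nothing was shown.
bool showIfReady(BuggyWindow& w) {
    if (!w.ready()) return false;
    w.show();
    return true;
}
```

The null-initialised member is the cheap half of the fix: it turns a random memory access into a deterministic crash at the first use, which is what you want while debugging. Allocating in the constructor (or letting the Qt parent own the child) is the real one.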