Try "ssh http://whoami.filippo.io", now think "What if that server automatically grabbed key and logged into work." Today's bug: baaaaaaaad.
@sean_a_cassidy Attacker roots your WP blog or side project on DO. Attacker replaces SSH w/ EvilSSH, which steals keypair when you connect.
@sean_a_cassidy They then use a public-key-to-Github-account reverse lookup and try your private key on any site they can find from Github.
@sean_a_cassidy This all happens in milliseconds without any human intervention required. Someone may get pinged when they get a new shell.