@kivikakk @0xabad1dea GitHub doesn't try very hard to prevent repo existence checks or so either, and their bug bounty excludes them
@0xabad1dea @kivikakk trigger a download in the victim's browser, I mean. the mitigation would be to add a CSRF token to the archive DL link
@0xabad1dea @kivikakk they could solve it by sticking CSRF tokens on everything, but that might break some use cases, I don't know