Good example. It’s true that even a GET request not designed to mutate data might still fail to validate input, allowing a SQL injection attack or other attack that escalates to the privileges that the running app has.
Immich has a whole set of end-to-end automated tests to ensure they don’t accidentally make public any URLs they want to be private:
https://github.com/immich-app/immich/tree/main/e2e/src/api/specs
As a popular open source project, that would be a glaring security hole.
Using this proxy puts the trust in a far less popular project with fewer eyeballs on it, and introduces new risks that the author’s GitHub account is hacked or there’s a vulnerability in the supply chain of this docker container.
It’s also not true that you “never need to touch it again”. It’s based on Node, whose security updates expire every two years. A new image should be built at least every two years to keep up to date with the latest Node security updates, which have often been in their HTTP/HTTPS protocol implementations, so they affect a range of Node apps directly exposed to the internet.
Yes, there are broken uses of the HTTP protocol verbs where filtering to GET won’t work.
A simpler way to protect a private service with a reverse proxy is to only forward HTTP GET requests and only for specific paths.
It’s extremely difficult to attack a service with only GET requests.
The security of which URLs are accessible without authentication would be up to Immich.
Although, if I have my own Amazon referral link in my blog post and they replace the referral code in their feed, I would not be happy about that.
They could be injecting their own ads or affiliate links into the content.
For example, if a post links to Amazon.
I have not looked at the source code.
The story hypes this to be a bit more than it is.
Framework sent a laptop to the lead Mint dev. He’s going to try to make sure it works well with Mint, but it already does.
The more low key framing straight on the Mint blog is here:
WhatsApp is a Meta business unit, yes.
And it has its own rules and policies for what is shared with other Meta business units.
Google has spelled out the same. Just because you provide data like location to one Google service doesn’t automatically mean every other Google service can access it.
And they can’t just change their internal data policies however they like as some of this is governed by legal regulations.
Here’s a story about how Google is not allowed to share data across business units without user consent, at least in the EU.
https://www.theverge.com/2024/1/12/24036312/google-digital-markets-act-services-user-data-opt-out
Here WhatsApp spells out what it shares with Meta:
I love that a Twitter founder founded Bluesky and the logo went from the outline of a white bird on a blue background to the outline of a white butterfly on a similar shade of blue background.
It’s reasonable not to trust them, but they could get in serious legal trouble if they are claiming the data is encrypted and they can’t access it when in fact they can.
WhatsApp has a different business model. There are a lot of businesses on the platform and businesses are charged to do business messaging with users.
In some parts of the world WhatsApp has become a somewhat essential part of life so plenty of businesses want to participate and access the users there.
How Meta got into that position involved zero-rating, a practice where they work with ISPs to make sure there are no data fees to access WhatsApp.
While free seems good, the practice allowed WhatsApp to quickly dominate, crowd out competitors and make itself essential.
https://www.humanrightspulse.com/mastercontentblog/is-zero-rating-a-threat-to-human-rights
“What makes a zero-rating practice, like that of WhatsApp in Brazil, particularly threatening to human rights is when it is the only economically viable option for internet access in a society. In Brazil, as an internet connection can swallow up to 15% of the household income, users rely on these practises. As Professor Belli points out that economically, no other opportunity exists to assess the information being presented.”
No. The Signal app offers similar functionality to WhatsApp core features and is open.
Where is the evidence of Meta mining WhatsApp metadata?
Meta acquired WhatsApp and somehow hasn’t messed it up yet. WhatsApp has always been fairly good with privacy and doesn’t share much with other Meta apps as far as I’m aware.
That is what the article is explaining. The contact names and details are encrypted.
Perhaps the call times are exposed but it seems it would be difficult or impossible for them to connect this with a human identity.
Use Signal if you have concerns about WhatsApp.
They cannot see phone numbers of contacts, no.
Is this deshittification?
They already are.
We do need bees, but that doesn’t mean the honey industry is sustainable.
https://www.greenmatters.com/p/how-honey-industry-affects-environment
I had a friend who liked to skulk around in a trench coat. He bought a grocery store donut and promptly tossed the receipt.
He was soon stopped by grocery security for theft. After some hassle they tracked down his receipt and let him go, but yeah that’s what donut receipts are for.