Modifying Telegram's "People Nearby" feature to pinpoint people's homes

One morning I woke up and found that Telegram implemented a new feature called “People Nearby”. If you choose to share your location publicly on Telegram, you’ll appear in a list for users who are physically close to you. Not only that, but they’ll also see just how far away you are down to the meter. However, you don’t need to share your own location in order to see where people around you are located. These are perfect prerequisites to find out just how accurate this feature really is and, more importantly, whether or not it can be used to find out where nearby Telegram users live.

Steam's login method is kinda interesting

How do you send a password over the internet? You acquire an SSL certificate and let TLS do the job of securely transporting the password from client to server. Of course it’s not as cut-and-dried as I’m making it out to be, but the gist of it holds true and has stood the test of time. It hasn’t always been this way though, and one incredibly popular storefront on the world wide web prefers to add a little extra to this day. I’ll be discussing Steam’s unique method of logging in their users, and go down a deep rabbit hole of fascinating implementation details.

TryHackMe: Dave's Blog Writeup

Dave’s Blog is a room over at TryHackMe with a hard difficulty rating. Dave is ready to show his blog to the world, but he forgot to properly secure his super secret admin panel. After some NoSQL injection to bypass the admin login page, we’re able to send off code that is executed by a Node.js runtime hosted on the server. The final step to root involves exploiting a binary in one of many possible ways thanks to return-oriented programming.
