• @titter
    152 · 1 year ago

    This is awesome. We need more of this to help us fight the coming war

  • @[email protected]
    88 · 1 year ago

    Thought that seemed really cute. Nice way to try to break through social anxiety.

    Then I saw that it started as a wrong number message. Then I realised…

    Damn scam bots!

  • @[email protected]
    54 · 1 year ago

    In the future, bots are going to get so annoyed with people pretending to be bots when they just want to talk to other bots!

  • @tourist
    50 · 1 year ago

    why bother with the variations?

    think they’re hoping to knock the same victim more than once?

    messed up

    • Deebster
      83 · 1 year ago

      Maybe it’s an attempt to evade automated systems that check for spam.

    • @PM_Your_Nudes_Please
      66 · 1 year ago

      Probably a basic way to evade spam detection. If you start sending the exact same message to 500 people, most chat services will shut that shit down in an instant. But if you send unique messages, it makes you look more like a real person, and the chat system may let it slide.

      • @Adalast
        9 · 1 year ago

        What’s bad is that modern spam detection can employ semantic algorithms so it would still catch all of them as the same message. The use of synonyms in the optionals is a huge vulnerability in the scam.

        • Ephera
          11 · 1 year ago

          Well, it does not appear to be a terribly sophisticated system to begin with…

    • @[email protected]
      29 · 1 year ago

      So that their fixed script isn’t so predictable that we can just nuke them by looking for identical conversations.

    • @[email protected]
      5 · 1 year ago

      Could be to match the style of the target, to try and make the conversation feel more natural for them.

  • @[email protected]
    42 · 1 year ago

    How does this exploit work? I understand that inputs were not sanitized, but what did the injected code do?

    • @[email protected]
      68 · 1 year ago

      My guess would be the response text is passed through a rudimentary templating engine that looks for { and }. Somehow it must be processing the whole chat history. The templater fails at the unexpected braces in the code block and then just gives up (probably a try-catch ignores the error and sends the message anyway).

      • @mumblerfish
        36 · 1 year ago

        So the attack would just be a } then?

    • @kromem
      English · 46 · 1 year ago

      I don’t think the code is doing anything, it looks like it might be the brackets.

      That effectively the spam script has like a greedy template matcher that is trying to template the user message with the brackets and either (a) chokes on an exception so that the rest is spit out with no templating processor, or (b) completes so that it doesn’t apply templating to the other side of the conversation.

      So { a :'b'} might work instead.

  • Throwaway
    5 · 1 year ago

    Why would exporting a url break js? No one would be stupid enough to run JS from an input. This isn’t like a sql query where you might think to put a string directly into a search query. You would have to actively add this exploit in.

    • @kromem
      English · 8 · 1 year ago

      It’s not executing the code.

      Their message contains brackets. Which is what the template engine is using to determine variations.

      So the unsanitized user message is being processed by the template engine, probably kills it with invalid formatting, and the engine no longer applies the templating to the rest of the message leaving the variations in the text sent to the messaging app.
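
The failure mode guessed at in the replies above, as an added example that is not part of the original thread and not the bot's actual code: a variation templater that parses received chat text along with its own script and swallows the parse error, next to a version that only ever templates the trusted script. The `{a|b}` group syntax, the function names and the sample script are all assumptions made for illustration.

```python
import random
import re

GROUP = re.compile(r"\{([^{}]*)\}")  # innermost {a|b|c} group (assumed syntax)
SCRIPT = "{Hi|Hello}, is this {Anna|Maria}?"  # constructed sample script

def expand(template, rng):
    """Pick one option per {a|b|c} group; raise on stray or unbalanced braces."""
    while (m := GROUP.search(template)) is not None:
        choice = rng.choice(m.group(1).split("|"))
        template = template[:m.start()] + choice + template[m.end():]
    if "{" in template or "}" in template:
        raise ValueError("unbalanced braces in template input")
    return template

def naive_send(script, history, rng):
    """Guessed design: the whole chat history is templated, errors are swallowed."""
    convo = "\n".join(history + [script])
    try:
        return expand(convo, rng).split("\n")[-1]
    except ValueError:
        return script  # fails open: the raw template, variations and all, is sent

def safe_send(script, history, rng):
    """Only the trusted script is templated; received text is never parsed."""
    return expand(script, rng)

def demo():
    rng = random.Random(0)  # fixed seed so runs are repeatable
    return {
        "naive_plain": naive_send(SCRIPT, ["who is this?"], rng),
        "naive_brace": naive_send(SCRIPT, ["}"], rng),
        "safe_brace": safe_send(SCRIPT, ["}"], rng),
    }

if __name__ == "__main__":
    for name, text in demo().items():
        print(f"{name}: {text}")
```

The general lesson is the usual one for template engines: untrusted text is data and never template source, and a parse error should stop the send rather than fall back to the unrendered template.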