https://blog.thereallo.dev/blog/decompiling-the-white-house-app
-
https://blog.thereallo.dev/blog/decompiling-the-white-house-app
Wowy wow wow wow! I’m sure none of y’all planned on downloading the malware from the Mango, but just in case, DO NOT. It will:
Inject JavaScript into every website you open
Has a full GPS tracking pipeline always on.
Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds.
Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
Has no certificate pinning.
Ships with dev artifacts in production.
Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation
-
https://blog.thereallo.dev/blog/decompiling-the-white-house-app
Wowy wow wow wow! I’m sure none of y’all planned on downloading the malware from the Mango, but just in case, DO NOT. It will:
Inject JavaScript into every website you open
Has a full GPS tracking pipeline always on.
Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds.
Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
Has no certificate pinning.
Ships with dev artifacts in production.
Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation
@MissConstrue
Even if I don't some of my cousins might. What happens if I'm in their contacts?
#infosec #malware #StupidestTimeline -
https://blog.thereallo.dev/blog/decompiling-the-white-house-app
Wowy wow wow wow! I’m sure none of y’all planned on downloading the malware from the Mango, but just in case, DO NOT. It will:
Inject JavaScript into every website you open
Has a full GPS tracking pipeline always on.
Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds.
Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
Has no certificate pinning.
Ships with dev artifacts in production.
Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation
@MissConstrue It sounds like people should report the app then.
Imagine how much the orange one would explode if the app were pulled from the store for being in violation of basic rules (and, uh, laws by the look of it... Despite what the article says, I'm pretty sure some of it is surely illegal.)
Just *imagine* what it would do to his puny ego...
-
@MissConstrue
Even if I don't some of my cousins might. What happens if I'm in their contacts?
#infosec #malware #StupidestTimeline@mediopocillo @MissConstrue That's the fun thing about this stuff. With access to contacts, anything and everything they've saved in that contact is shared with whoever they grant access to and there is absolutely nothing said contact can do about it. (Isn't it *GREAT*??)
It's down to how much they actually put in there what is gotten, so make sure they don't have anything like your social media profiles or etc saved in there because that's all you can do from your end is ask those people.
-
@MissConstrue
Even if I don't some of my cousins might. What happens if I'm in their contacts?
#infosec #malware #StupidestTimeline@mediopocillo Unknown at current, I believe.
-
@mediopocillo @MissConstrue That's the fun thing about this stuff. With access to contacts, anything and everything they've saved in that contact is shared with whoever they grant access to and there is absolutely nothing said contact can do about it. (Isn't it *GREAT*??)
It's down to how much they actually put in there what is gotten, so make sure they don't have anything like your social media profiles or etc saved in there because that's all you can do from your end is ask those people.
@nazokiyoubinbou @mediopocillo I hadn't even thought about contact contamination until y'all mentioned it.
-
@nazokiyoubinbou @mediopocillo I hadn't even thought about contact contamination until y'all mentioned it.
@MissConstrue @mediopocillo These days, sadly, it's a given.
-
@MissConstrue It sounds like people should report the app then.
Imagine how much the orange one would explode if the app were pulled from the store for being in violation of basic rules (and, uh, laws by the look of it... Despite what the article says, I'm pretty sure some of it is surely illegal.)
Just *imagine* what it would do to his puny ego...
@nazokiyoubinbou @MissConstrue
Should definitely be reported but I wouldn't hold my breath on any company that made a donation to the ballroom doing anything other than metaphorically lick his taint.
-
@nazokiyoubinbou @MissConstrue
Should definitely be reported but I wouldn't hold my breath on any company that made a donation to the ballroom doing anything other than metaphorically lick his taint.
@gbargoud @MissConstrue Same, but wouldn't it be amazing if they actually did uphold the standards they enforce on other devs just this once?
-
@gbargoud @MissConstrue Same, but wouldn't it be amazing if they actually did uphold the standards they enforce on other devs just this once?
@nazokiyoubinbou @MissConstrue
It would be, especially if they also take down Mecha Hitler's Child Porn O Matic while they're consistently enforcing their rules.
-
@nazokiyoubinbou @MissConstrue
It would be, especially if they also take down Mecha Hitler's Child Porn O Matic while they're consistently enforcing their rules.
@gbargoud @MissConstrue Hopes and wishes aren't illegal after all.
At least not yet...
-
https://blog.thereallo.dev/blog/decompiling-the-white-house-app
Wowy wow wow wow! I’m sure none of y’all planned on downloading the malware from the Mango, but just in case, DO NOT. It will:
Inject JavaScript into every website you open
Has a full GPS tracking pipeline always on.
Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds.
Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
Has no certificate pinning.
Ships with dev artifacts in production.
Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation
@MissConstrue
it doesn't even considered installing on GraphineOS, saying my phone is incompatible -
R relay@relay.mycrowd.ca shared this topic
