Chirashi Security
Update for 8th March 2024: More or less an hour after I posted on x.com, the vulnerability no longer existed. It looks like the fireflies.ai team invalidated their Growthbook.io key.
I reached out to the Fireflies.ai security team on the 20th Dec 2023 about an issue I found in their browser extension for their service. I received a standard ZenDesk ticket response, but nothing else after. About a week after that, I contacted them through their report a vulnerability form but did not hear back from them yet again.
Maybe it’s because we dragged all our wordlists across from the days of Van Hauser’s Hydra way back in 2000. But something happened around the time when the OSCP certification began picking up steam. A wave of new tools, mostly written in either Go or Rust, flooded the interwebs. Along with these tools came a fleet of wordlists. Millions of words in a text file that were to be used for the sole purpose of brute-forcing.
I’ve been getting back into DFIR and I was testing out this tool called Cyber Triage. I discovered it when I saw a friend of mine had a workshop that he was doing and I duly registered for it. It’s a neat tool that helps an investigator through his examination process. It collects the usual data on a system like metadata, user activity and the places where malware tends to persist.
We’re baack! I’ll get some posts on here real soon!