This, then, is a post about a broken homegrown cryptosystem; namely, that used in CodeIgniter, pre-2.2. This version was current until the release of CodeIgniter 2.2, on the 5th of June, 2014, and you can still find sites on it today.
The attack described in the post depends on a lot of things to go right (or wrong, if you will); it’s not just that they used a bad cipher, but also the fact that they rolled their own session storage, and implemented a fallback, and a dozen other things. This is probably typical for most bugs of this class; a bunch of bad decisions which aren’t thought through find their logical conclusion in complete insecurity.
My circle of friends use it basically as an extension of weird Twitter – most
snaps I send and receive are strange angles of weird objects; the completely
mundane but somehow therapeutic (7 seconds of the camera pointed outside the
window of a tram, pointed at the ground moving below); or just closeups of
Curtis Stone’s face,
wherever we see him.
Of course, the promise that they won’t get retained is just that: a promise.
Since your phone receives this image and shows it to you at some point, it must
be downloaded by your phone. If it can be downladed by the phone, it can be
downloaded by something else. We decided to find out how.
As programmers, we spend a lot of time just carting data from one place to
another. Sometimes that’s the entire purpose of a program or library (data
conversion whatevers), but more often it’s just something that needs to happen
in the course of getting a certain task done. When we’re sending a request,
using a library, executing templates or whatever, it’s important to be 100%
clear on the format of the data, which is a fancy way of saying how the data is