
> Pretty radical, eh? Send money to: lcamtuf@coredump.cx

How to send money to your email address? Not that I would send you some, but I wondered how you want to have that money received?



Not to be rude, but in the USA (where SWIFT or bank wire transfers can be expensive) an email address as a recipient of an online fund transfer is pretty common; i.e. PayPal, Venmo, Chase QuickPay.

Now specifically in this case, lcamtuf (at Google security) is joking and doesn't want your money.

This hack is actually pretty crazy - an arbitrary HTML / JPEG polyglot file that fooled a browser could be used for JS injection, say from a site that allowed JPEG file uploads, and validated MIME type.


This has been done in the past. I remember seeing an advisory as far back as 2010, but at the moment can only find these two more recent advisories:

https://websec.io/2012/09/05/A-Silent-Threat-PHP-in-EXIF.htm...

https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-ex...

The way we protected ourselves against it at <earlier company> (since we allowed image uploads at a variety of locations) was to decode and recode the image before storing and strip out comments.
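The "strip out comments" half of the approach in the comment above, as an added example that is not part of the original thread: a segment walker that drops COM and APP1-APP15 segments and anything after the end-of-image marker. The function name and the sample bytes are constructed for illustration, and it does not decode and re-encode pixels, which needs an image library.

```python
COM, SOS, EOI = 0xFE, 0xDA, 0xD9
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RST0-7: no length field
IN_SCAN = {0x00, 0xFF} | set(range(0xD0, 0xD8))     # bytes allowed after 0xFF in scan data

def strip_jpeg_metadata(data):
    """Return (clean_bytes, removed); removed lists (name, payload) for each dropped part."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("missing SOI marker")
    out, removed, pos = bytearray(b"\xff\xd8"), [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker, pos = data[pos + 1], pos + 2
        if marker == 0xFF:        # fill byte in front of a marker
            pos -= 1
            continue
        if marker == EOI:         # bytes after EOI are never image data
            if pos < len(data):
                removed.append(("trailer", data[pos:]))
            return bytes(out) + b"\xff\xd9", removed
        if marker in STANDALONE:
            out += bytes([0xFF, marker])
            continue
        length = int.from_bytes(data[pos:pos + 2], "big")  # length counts its own 2 bytes
        if length < 2 or pos + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        payload, pos = data[pos + 2:pos + length], pos + length
        if marker == COM or 0xE1 <= marker <= 0xEF:  # comment, Exif/XMP/ICC and other APPn
            removed.append(("COM" if marker == COM else "APP%d" % (marker - 0xE0), payload))
            continue
        out += bytes([0xFF, marker]) + length.to_bytes(2, "big") + payload
        if marker == SOS:         # copy entropy-coded data up to the next real marker
            start = pos
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                pos += 1
            if pos + 1 >= len(data):
                raise ValueError("scan data not terminated")
            out += data[start:pos]
    raise ValueError("missing EOI marker")

def seg(marker, payload):  # builds one segment for the constructed sample below
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample (not a decodable image): markup hidden in COM, Exif and a trailer.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xFE, b"<script>/* constructed */</script>") + seg(0xE1, b"Exif\x00\x00<?php ?>")
          + seg(0xDB, bytes(65)) + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\xff\x00\x34" + b"\xff\xd9" + b"<html>trailing</html>")
```

Dropping every APPn segment also discards Exif orientation and ICC colour profiles, so images that depend on them will render differently.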


I agree transcoding all user content is a must, but even that can be dangerous :-) as with ImageTragick which lcamtuf discussed here: https://lcamtuf.blogspot.com/2016/05/clearing-up-some-miscon...


He/she isn't actually expecting payment, just as they don't really think that the trick is "pretty radical." It's just a mildly amusing way of providing contact information.


It is pretty radical in the 80's-90's sense of the word.[0]

[0] http://img03.deviantart.net/ebd4/i/2015/166/9/6/radical_dude...


1. Most Gmail users can receive money by email (https://support.google.com/mail/answer/3141103 and coredump.cx MX records point to Gmail)

2. Ask him his Bitcoin address

3. PayPal to this address

:)


You don't need to ask him for a Bitcoin address. Just send him the private key of a Bitcoin wallet. Or this: https://www.bctip.org/en/


You are perfectly right. As a matter of fact I have done this in the past—written a brainwallet passphrase on a birthday card :)


Isn't Google Wallet ded?


No, just pining for the fjords!

But seriously, no, it's alive and kicking... https://www.google.com/wallet/

Page Info shows the last modification was: Thu 31 Mar 2016 01:02:44 PM EDT

I don't personally use it much but I have an account to pay for my domain name through them that I use for Google Apps.


Only the Google card, the debit card that was attached to GW.


Nope! I pay my rent using it for example.


No. I use it occasionally.


Just put it in a JPEG and send it over.


Email money transfer should work fine, aka Interac E-Transfer. See http://interac.ca/en/interac-e-transfer-consumer.html


Only in Canada :)


I assume PayPal when I see an email.


PayPal?



