New favorite tool 😍

  • tgt
    link
    fedilink
    arrow-up
    12
    arrow-down
    1
    ·
    edit-2
    7 months ago

    It is absolutely possible to know as the server serving a bash script if it is being piped into bash or not purely by the timing of the downloaded chunks. A server could halfway through start serving a different file if it detected that it is being run directly. This is not a theoretical situation, by the way, this has been done. At least when downloading the script first you know what you’ll be running. Same for a source tarball. That’s my main gripe with this piping stuff. It assumes you don’t even care about the security.

    • FizzyOrange
      link
      fedilink
      arrow-up
      1
      arrow-down
      6
      ·
      edit-2
      7 months ago

      That makes the exploit less detectable sure. Not fundamentally less secure though.

      This is not a theoretical situation, by the way, this has been done

      Link btw? I have not heard of an actual attack using this.