zlacker

[parent] [thread] 8 comments
1. rany_+(OP)[view] [source] 2025-12-04 11:29:50
This is a great idea but I'm a bit concerned about your bandwidth costs and illegal/malicious content being hosted used under your domain.

For the second point, you might want to implement some kind of browser warning similar to what Ngrok does.

replies(1): >>klipit+F
2. klipit+F[view] [source] 2025-12-04 11:34:17
>>rany_+(OP)
Thats a fair point, there are some protections in place for abuse already. I will have a look at what ngrok does for browser warnings. Thanks a lot for the suggestions.
replies(1): >>gnfarg+w2
◧◩
3. gnfarg+w2[view] [source] [discussion] 2025-12-04 11:48:34
>>klipit+F
Be aware of threat actors, too: you're giving them an easy data exfil route without the hassle and risk of them having to set up their own infrastructure.

Back in the day you could have stood up something like this and worried about abuse later. Unfortunately, now, a decent proportion early users of services like this do tend to be those looking to misuse it.

replies(1): >>skrebb+14
◧◩◪
4. skrebb+14[view] [source] [discussion] 2025-12-04 11:57:57
>>gnfarg+w2
What's a "data exfil route"?
replies(1): >>lionko+K4
◧◩◪◨
5. lionko+K4[view] [source] [discussion] 2025-12-04 12:03:11
>>skrebb+14
I'm not who you asked, but essentially, when you write malware that infects someone's PC, that in itself doesn't really help you much. You usually want to get out passwords and other data that you might have stolen.

This is where an exfil (exfiltration) route is needed. You could just send the data to a server you own, but you have to make sure that there are fallbacks once that one gets taken down. You also need to ensure that your exfiltration won't be noticed by a firewall and blocked.

Hosting a server locally, easily, on the infected PC, that can expose data under a specific address is (to my understanding) the holy grail of exfiltration; you just connect to it and it gives you the data, instead of having to worry much about hosting your own infrastructure.

replies(2): >>ale42+E6 >>skrebb+a8
◧◩◪◨⬒
6. ale42+E6[view] [source] [discussion] 2025-12-04 12:15:04
>>lionko+K4
> Hosting a server locally, easily, on the infected PC, that can expose data under a specific address is (to my understanding) the holy grail of exfiltration; you just connect to it and it gives you the data, instead of having to worry much about hosting your own infrastructure.

A permanent SSH connection is not exactly discreet, though...

◧◩◪◨⬒
7. skrebb+a8[view] [source] [discussion] 2025-12-04 12:27:30
>>lionko+K4
Thanks!

Though the public address is going to be random here so how will the hacker figure out which tunnl.gg subdomain to gobble up?

replies(2): >>rany_+MA >>gnfarg+Dh1
◧◩◪◨⬒⬓
8. rany_+MA[view] [source] [discussion] 2025-12-04 15:24:29
>>skrebb+a8
I've seen lots of weird tricks malware authors use, people are creative. My favorite is that they'd load up a text file with a modified base64 table from Dropbox which points to the URL to exfiltrate to. When you report it to Dropbox, they typically ignore the report because it just seems like random nonsense instead of being actually malicious.
◧◩◪◨⬒⬓
9. gnfarg+Dh1[view] [source] [discussion] 2025-12-04 18:51:13
>>skrebb+a8
That's actually a fair defence against this kind of abuse. If the attacker has to get some information (the tunnel ID) out of the victim's machine before they can abuse this service, then it is less useful to them because getting the tunnel ID out is about as hard as just getting the actual data out.

However, if "No signup required for random subdomains" implies that stable subdomains can be obtained with a signup, then the bad guys are just going to sign up.

[go to top]