Old 12-28-2025, 10:43 AM  
Mindi
Tango Down
 
Industry Role:
Join Date: Aug 2024
Location: Las Vegas
Posts: 974
Re: 2MuchMark's Security Analysis

The innerHTML issue in the version checker was a valid technical point. Fixed in v1.7.0, pushed today:

Security Hardening:
// 1. Strip everything except digits and dots
latestVersion = latestVersion.trim().replace(/[^0-9.]/g, '');

// 2. Validate format - only accepts patterns like 1.7.0
if (!/^\d+\.\d+(\.\d+)?$/.test(latestVersion)) return;

// 3. Use textContent instead of innerHTML - nothing executes even if above failed
span.textContent = `Update available: v${newVersion}`;

Permission Changes:
- Removed <all_urls> - now restricted to forum URL patterns only
- Removed tabs permission

Code is at https://webigniter.com/tango-down for anyone to verify.

Now let's talk about what this was actually about:

A real security researcher concerned about protecting users would have done responsible disclosure - contacted me privately so it could be fixed before anyone was at risk. Instead, 2MuchMark posted detailed exploit code publicly while calling it a "backdoor" and "RAT." That's not security research. That's a hit piece with technical words sprinkled in.

And notice how fris - someone who actually looked at the code - said "nothing malicious." Killswitch, who wrote the original version this was based on, defended it. The only people screaming "backdoor" are the same people who've been stalking me for months.

TheLegacy - the guy who needed Mark Prince to loan him a fake job title for his LinkedIn to speak at AVN - is suddenly an authority on code integrity. The same guy who teams up with Mark Osterholt to stalk my family. Real credible sources you've got there.

Here's the difference between me and you: when someone points out a legitimate issue, I fix it. Same day. v1.7.0 is live with triple-layer input sanitization, safe DOM methods, and tightened permissions. This was fixed within 15 minutes of me becoming aware of it, and under 2 hours of Mark posting it.

What did you do? Posted exploit code hoping to scare people away from a free tool that lets them block harassers like you.

Thanks for the free QA.

Right-click, goodbye (except on a mobile fucking browser)
__________________
TANGO DOWN! - Make those annoying GFY users disappear completely with a single click
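The three hardening steps quoted in the post (strip, validate, render via textContent), written up here as an added, self-contained example rather than the extension's own code. The DOM element is replaced by a constructed stand-in object so the logic can be exercised outside a browser; `sanitizeVersion`, `isNewer`, `renderUpdateNotice` and `makeSpan` are names chosen for this example.

```javascript
// Added example, not code from the Tango Down extension. It models the
// version-check hardening described in the post as testable functions.

// Steps 1 and 2: strip everything but digits/dots, then require a
// strict N.N or N.N.N shape. Returns the clean string or null on failure.
function sanitizeVersion(raw) {
  const stripped = String(raw).trim().replace(/[^0-9.]/g, '');
  return /^\d+\.\d+(\.\d+)?$/.test(stripped) ? stripped : null;
}

// Numeric, component-wise comparison so "1.10.0" is newer than "1.9.0"
// (a plain string compare would get that wrong). Missing parts count as 0.
function isNewer(latest, current) {
  const a = latest.split('.').map(Number);
  const b = current.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return false;
}

// Step 3: write with textContent. Unlike innerHTML, textContent never
// parses markup, so even a string that slipped past steps 1 and 2 would be
// shown as literal text. Returns true only when a notice was rendered.
function renderUpdateNotice(span, current, rawLatest) {
  const latest = sanitizeVersion(rawLatest);
  if (latest === null || !isNewer(latest, current)) return false;
  span.textContent = `Update available: v${latest}`;
  return true;
}

// Constructed stand-in for a DOM <span>; only the property we set matters here.
function makeSpan() {
  return { textContent: '' };
}

// Constructed sample inputs: a tagged-up string, an over-long version, junk.
const span = makeSpan();
renderUpdateNotice(span, '1.7.0', ' <b>1.8.0</b>\n ');
console.log(span.textContent);                  // Update available: v1.8.0
console.log(sanitizeVersion('1.8.0.1'));        // null (four components)
console.log(sanitizeVersion('latest-release')); // null (nothing left after strip)
```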