I have already posted this announcement in the Discord server, but for people who don’t use it I’ll post it here (and the website later today) as well.
Palosvik of the Skype Community server, yes the same one that got the NINA/Escargot Discord taken down, and his team are planning an attack on CrossTalk. They discovered another vulnerability within the INS protocol (which handles account management, session management, and things like sending out alerts from the service), and, instead of disclosing it to us, they decided to begin drawing up plans to exploit it.
Now, unlike what he claims in the screenshots, this does not allow remote access into CrossTalk’s server (i.e. you can’t create a shell from this) BUT it does allow takeover of accounts, as you can edit any attribute of any user.
Given this, the INS server has been disabled until a fix has been implemented, and in the meantime you won’t be able to create accounts or update your profile. You’re encouraged to change your password whenever the INS server is back up. We don’t know how much info they have actually gotten access to at this time.
It’s sad to see that we’re now resorting to literal crimes as a way of putting down competing services. I’m tired of it, and one way or another it ends, NOW.
DAMN, this is literally insane. I hope that no accounts will be hacked and compromised; that would be a real nightmare for everyone. Good luck with fixing everything though, I hope that you will succeed.
A patch has been rolled out and the server is now back up. We’re not aware of any personal information being obtained or leaked (what’s pictured in the first screenshot is just emails, which are already publicly shown, user UUIDs, client versions, and Backend Session IDs) but we still recommend you change your password as a precaution.
At least you have a drop of conscience to change the name of the article to the correct one. Though not entirely, that’s big progress for CrossTalk.
I know that people are waiting for explanations from my end; they have already been released in the Skype Community, but if you’re still not there (and you’re missing a lot by that, because it is about to become a leading project in the messenger revival field, so you should join the Skype Community) - here’s the link to our article for you.
You can’t call a reveal of his LinkedIn profile and real name “doxxing”. It was found using reverse photo search, and that’s very basic OSINT. By revealing that much of your PII for a “pseudonymous” account, you almost automatically consent that something as easy as a reverse image search can be done.
And why am I not surprised that you are an MVP on the CrossTalk server, coming here to say this bullshit.