nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpqj3z7k0r0qms2660hlt3z4tg2s5h6rz37l2tg66e6lnxr6tsry07qsshesq (nprofile…hesq) nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpq47653442ud3e8z3l8c9zuz9m548pv0mxcwfn28d49fdkdyqx8sdqlmdexn (nprofile…dexn) "Would this feature be possibly useful as part of a way to hide/obfuscate malicious behavior" is not usually a criteria for labeling something a security issue. There are many ways to hide or obfuscate malicious behavior, especially when you are linking with vendor blobs like this.
There was even a whole contest about this:
https://en.m.wikipedia.org/wiki/Underhanded_C_Contest
Here is an article about how a very, very subtle API misuse in a similar IoT chip due to missing documentation introduced a memory safety issue:
https://tweedegolf.nl/en/blog/145/the-hunt-for-error--22
You could easily just make a similar "mistake" on the ESP32 to create a backdoor, if that was your goal.
Asahi Lina (朝日リナ) /
npub14w…zuequ
2025-03-09 21:28:35
in reply to nevent1q…c3k3
Author Public Key
npub14w78207els8vs5fxduhhval0r9zgujpf2khcqyfuhmkt2tlyvcyq2zuequPublished at
2025-03-09 21:28:35Event JSON
{
"id": "9291f993ab7bb8d7c6937799e5ff8afeb304c415ab14fb0c52cd6ba0421416b5",
"pubkey": "abbc753fd9fc0ec851266f2f7677ef19448e482955af80113cbeecb52fe46608",
"created_at": 1741555715,
"kind": 1,
"tags": [
[
"p",
"9445eb3c6f06e0ad69f7fae22aad0a852fa18a3efa968d6b3afccc3d2e0323fc",
"wss://relay.mostr.pub"
],
[
"p",
"afb548d6aae363938a3f3e0a2e08bba54e163f66c393351db52a5b6690063c1a",
"wss://relay.mostr.pub"
],
[
"p",
"1bc75f21052e8bef1a18631ab6a2e47d38630c76b4752232ec4b107b67939387",
"wss://relay.mostr.pub"
],
[
"p",
"5ee6c59afabffe2719ca97e72705b5a1d1e4f7d22dc457349f0cf9625ad5af8d",
"wss://relay.mostr.pub"
],
[
"e",
"7b982073574f0ae5cebf5dc2ad8f6cc66318c56157a033a284f13754de2b910e",
"wss://relay.mostr.pub",
"reply"
],
[
"proxy",
"https://vt.social/users/lina/statuses/114134595377316320",
"activitypub"
]
],
"content": "nostr:nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpqj3z7k0r0qms2660hlt3z4tg2s5h6rz37l2tg66e6lnxr6tsry07qsshesq nostr:nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpq47653442ud3e8z3l8c9zuz9m548pv0mxcwfn28d49fdkdyqx8sdqlmdexn \"Would this feature be possibly useful as part of a way to hide/obfuscate malicious behavior\" is not usually a criteria for labeling something a security issue. There are many ways to hide or obfuscate malicious behavior, especially when you are linking with vendor blobs like this.\n\nThere was even a whole contest about this:\nhttps://en.m.wikipedia.org/wiki/Underhanded_C_Contest\n\nHere is an article about how a very, very subtle API misuse in a similar IoT chip due to missing documentation introduced a memory safety issue:\n\nhttps://tweedegolf.nl/en/blog/145/the-hunt-for-error--22\n\nYou could easily just make a similar \"mistake\" on the ESP32 to create a backdoor, if that was your goal.",
"sig": "cdd7c1f3666fcd8276d62c43530b1f380df812df8772ecc38a0c35129cf897c85bcad0c24e291cea8589c16911c21edfad3184ee0c569b6af49a5445b2c52c79"
}