moira@femboys.bar (OP) to Technology@lemmy.world • Hacking Millions of Modems (and Investigating Who Hacked My Modem)
2 · 5 months ago
It doesn't matter that the website loads JavaScript code for a logged-in user, as you need a token (which the server will give you after a successful login) to authenticate to APIs; it is pretty common to do it that way.
There wasn't a client-side API, but the API was missing crucial validation of user input (e.g. only checking the MAC address but not checking who is actually authenticated).
A Suzy-Q cable is used for low-level interaction with newer Chromebooks' firmware; you can, for example, disable firmware write protection (previously it was done with a screw), debug hardware and unbrick a Chromebook.
You can read a bit more about it in the official Google docs: https://chromium.googlesource.com/chromiumos/third_party/hdctools/+/HEAD/docs/ccd.md
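The validation gap described in the modem comment above (checking only the MAC address, not who is actually authenticated), shown beside the corrected check. This is an added example, not part of the original comments and not code from the affected API. The session table, device table and function names are hypothetical, and all values are constructed.

```python
import re

# Constructed sample data: session token -> account (issued by the server after
# login), and device MAC -> owning account. All names here are hypothetical.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
DEVICE_OWNER = {"aa:bb:cc:00:00:01": "alice", "aa:bb:cc:00:00:02": "bob"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def account_for(token):
    """Return the account a session token was issued to, or None."""
    return SESSIONS.get(token)

def parse_mac(raw):
    """Normalize AA-BB-.. / aa:bb:.. forms; return None if malformed."""
    mac = raw.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None

def get_device_vulnerable(token, raw_mac):
    """Authenticates the caller, then trusts the MAC: any logged-in
    account can read any device that exists."""
    if account_for(token) is None:
        return 401, "login required"
    mac = parse_mac(raw_mac)
    if mac is None:
        return 400, "bad MAC"
    if mac not in DEVICE_OWNER:
        return 404, "not found"
    return 200, f"settings for {mac}"

def get_device_hardened(token, raw_mac):
    """Same flow, plus the missing step: the device must belong to the
    account behind the token."""
    account = account_for(token)
    if account is None:
        return 401, "login required"
    mac = parse_mac(raw_mac)
    if mac is None:
        return 400, "bad MAC"
    # Unknown and not-owned devices get the same answer, so the response
    # does not confirm which MAC addresses exist.
    if DEVICE_OWNER.get(mac) != account:
        return 404, "not found"
    return 200, f"settings for {mac}"
```
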