Kyun API & Web Application Pentest Report

This was a penetration test done by Digilol on an anonymous VPS provider. Results were not good, and the researchers got harassed by the Kyun owner and their members.

Do you have a source for the harassment claims?

Based on the conclusion and the small amount of actual issues the audit reports, it doesn’t seem like a terrible audit report.

3 Conclusion
Kyun demonstrates several security weaknesses, including a critical remote code execution vulnerability, high-severity session expiration issues, and medium-severity user enumeration problems.

Note: It is important to mention that the critical remote code execution vulnerability was promptly fixed by Kyun during the course of this assessment.

Maybe someone with better knowledge in the field can explain this to me, but from my amateur reading, this does not seem all that bad. They fixed the critical issue. Finding one high-severity issue and one medium-severity issue is nothing new for audits. For example, Mullvad's last audit had three high- and two medium-severity issues.

First of all, ALL of the issues were fixed. The RCE was fixed a few hours after they reported it to me, before the report was actually released; the rest of the issues were fixed shortly after release.

Besides simply fixing the issues, the entire architecture was reworked so that the user-facing API server has no direct root SSH access to the nodes, instead interfacing with a secure custom program on the hypervisors that can only do specific operations. This makes a root hypervisor RCE like the one that was found pretty much impossible (and even that one is unlikely to have been found without source access; not to downplay the severity of an RCE, but it could've been much worse).

The "harassment" is simply the chat members making fun (in a playful manner, of course) of a Digilol member because of their overreaction at the sight of this picture:

It genuinely wasn't meant as harassment, but I'm sorry if they felt so harassed that they still mention it like a year after it happened.