Don't think this is anything new? Have seen various cases from years ago where they searched texts to determine if the person was planning on working or visiting.
If you really want to make sure that it's the right thing (because piping to sudo bash is risky), make sure the URL starts with "pastebin", or ends in ".tk", or is an IP address.
To be absolutely positively certain, be sure that the IP address is also in the same /24 as the same net blocks and hosted on the same AS that appear in every DNS based mail RBL possible.
Somewhat similar vein, the school's blocking software would block YouTube and embeds unless they came from Canvas. They were smart enough to disable the HTML editor for posting discussion comments, but forgot that since it was a rich text editor, you could just copy-paste in an embed by putting the code in data:text/html, then copying the element as formatted HTML.
I also ran the entire DOMPurify sample XSS and managed to find one way to download custom content onto someone's computer.
As someone who has an MDM-managed device, I beg to differ. Although, this one uses newer-style Android MDM, which involves factory resetting and doing special things during OOBE. Even if it used the older style, nothing's stopping the app from requesting file access, notification access, etc. and not working until you grant the permissions.
Nothing is stopping any app from the Play Store from requesting any particular permission, not just MDM apps, right? And yet, no app can read arbitrary filesystem data including random app data without your device being rooted first.
If anything, one of many MDM purposes is to prevent orgas from enrolling rooted devices in their fleet.
https://web.archive.org/web/20250529094904/https://www.adafr...