Problem author's writeup.
Summary: use the "pattern by name" feature to write a pattern struct into SRAM, then use an out-of-bounds "pattern by index" feature to read the name as a pattern; leak the Particle's private key through the LEDs; use the reconstructed key to impersonate the Photon and post an XSS payload as the body of a Particle Cloud event.