I wonder if this was made by AI or a shit programmer
-
Disabling index and making the names UUID would make the directory inviolable even if the address was publicly available.
Bet you could reuse/keep UUIDs for someone/stuff that gets updated and get that new data even if you "shouldn't".
It could work in theory but in practice there are always a billion things that go wrong IMO.
-
while True:
Jesus Christ
There's nothing wrong with manually breaking a loop.
-
I can tell you exactly what happened. "Hey Claude, I need to configure and setup a DB with Firebase to store images from our application." and then promptly hit shift+tab and then went to go browse Reddit.
nothing was tested. nothing was verified. They let the AI do its thing they checked in on it after an hour or so. once it was done it was add all, commit -m "done", push origin master. AI doesn't implement security stuff. there was zero security here.
Shift + tab?
-
There's nothing wrong with manually breaking a loop.
There's nothing wrong with eating a banana with a knife and fork, either.
Except living with the shame.
-
This post did not contain any content.
This is hilarious
-
This post did not contain any content.wrote on last edited by [email protected]
Hack has at least two definitions in a computing context.
- A nifty trick or shortcut that is useful. "Check out this hack to increase your productivity."
- Accessing something you shouldn't. "They hacked into the database."
A lot of times they sort of get used in conjunction to describe interesting ways to gain access to secure systems, but using it to describe accessing insecure things you shouldn't is still a valid usage of the phrase.
That said I definitely wanna see the company face charges for this, this is insane.
-
I absolutely despise Firebase Firestore (the database technology that was "hacked"). It's like a clarion call for amateur developers, especially low rate/skill contractors who clearly picked it not as part of a considered tech stack, but merely as the simplest and most lax hammer out there. Clearly even DynamoDB with an API gateway is too scary for some professionals. It almost always interfaces directly with clients/the internet without sufficient security rules preventing access to private information (or entire database deletion), and no real forethought as to ongoing maintenance and technical debt.
A Firestore database facing the client directly on any serious project is a code smell in my opinion.
Ah yes, Firebase.
The Google version of leaking all your company data through a public S3 bucketI remember when they launched and started pushing it in the Android dev community.
Actually won a Google Pixel at a Firebase sponsored hackathon in my town...after that I never touched Firestore again.
Using that ACL language to restrict access, you could see the massive foot gun from a mile away -
Make a PR
Be the change you want to see in the world.
-
You've probably already made your Big Dumb Mistake, it just hasn't been triggered yet.
Or, you just weren't there any more when it triggered.
Most likely they never recognized that they fucked up. It was always other person fault.
-
Hack has at least two definitions in a computing context.
- A nifty trick or shortcut that is useful. "Check out this hack to increase your productivity."
- Accessing something you shouldn't. "They hacked into the database."
A lot of times they sort of get used in conjunction to describe interesting ways to gain access to secure systems, but using it to describe accessing insecure things you shouldn't is still a valid usage of the phrase.
That said I definitely wanna see the company face charges for this, this is insane.
No, this was a data leak. The word "hack" has legal implications and shifts the blame away from the company and onto the individual who discovered the leak.
-
Aside from the fact that a strong enough supercomputer won't exist for decades, you're not limited by the speed of UUID generation. Even if you had an infinitely fast supercomputer, it wouldn't speed up your brute force attempts, since you're limited by the speed of the backend. Wherever Tea stores their images, that server has only a limited capacity for responding to requests, far less than the speed with which you can generate UUIDs. That's a hard cap - you won't try guesses faster than that.
Even assuming 0 latency on their backend, if you wanted to check each UUIDv4 value again their database during your lifetime, you would need to check 1.686 x 10^27 UUIDv4 per second for 100 years straight. Supercomputers are measured in exaflops, which is 10^18 operations per second, so even distributing the work across many machines, you would need about 1 billion of super computers to be able to have a chance of checking every UUIDv4 value within 100 years.
-
No, this was a data leak. The word "hack" has legal implications and shifts the blame away from the company and onto the individual who discovered the leak.
Based on this comment alone, I am 100% sure that you are not a lawyer.
-
I always get irrationally angry when i see python code using os.path instead of pathlib. What is this, the nineties?
And what's with the string addition? Never heard of f-strings or even .format()?
-
Bet you could reuse/keep UUIDs for someone/stuff that gets updated and get that new data even if you "shouldn't".
It could work in theory but in practice there are always a billion things that go wrong IMO.
Not really sure what you mean by reusing UUIDs but theres nothing bad about using UUIDs in URLs for content you don't want scrapped by bots. Sites like Google Photos are already are using UUIDs in the URL for the photos, and do not require any authentication to see the image as long as you have the URL. You can try this for yourself and copy the URL of an image and open it in a Private Browsing Window. Every so often someone realizes the actual image URL is public and think they've found a serious issue, but the reason why it isn't is because of the massive key space UUID provides and that it would be infeasible to check every possible URL, even if it's publicly available.
-
Wow. It actually identified something?
It's good enough for corporate (with multiple other lines of defense).
-
There's nothing wrong with manually breaking a loop.
An infinite loop used to be such a rank code smell back when I was a junior, specifically because I was a noob and made giant loops like 50 lines long and invariably didn't plan the exit condition right, and then my computer would lock up and I would have to hard power cycle.
But yeah, now it's it's a totally acceptable little pattern imho.
-
This post did not contain any content.
What is the Tea hack?
-
Security by obscurity.
this man ssh'd in on a five-digit port
-
No, this was a data leak. The word "hack" has legal implications and shifts the blame away from the company and onto the individual who discovered the leak.
It can be both. The company can be at fault for not keeping something secure while the people who steal the data are at fault for stealing data. Data leaks and hacks are not mutually exclusive.
-
There's nothing wrong with eating a banana with a knife and fork, either.
Except living with the shame.
Well these people probably don't wash their hands so knife fork is the most sanitary way.
