I wonder if this was made by AI or a shit programmer
-
I absolutely despise Firebase Firestore (the database technology that was "hacked"). It's like a clarion call for amateur developers, especially low rate/skill contractors who clearly picked it not as part of a considered tech stack, but merely as the simplest and most lax hammer out there. Clearly even DynamoDB with an API gateway is too scary for some professionals. It almost always interfaces directly with clients/the internet without sufficient security rules preventing access to private information (or entire database deletion), and no real forethought as to ongoing maintenance and technical debt.
A Firestore database facing the client directly on any serious project is a code smell in my opinion.
wrote on last edited by [email protected]It's like people learn how to make a phone app in React Native or whatever, but then come to the shocking and unpleasant realisation that a data-driven service isn't just a shiny user interface - it needs a backend too.
But they don't know anything about backend, and don't want to, because as far as they are concerned all those pesky considerations like data architecture, availability, security, integrity etc are all just unwanted roadblocks on the path to launching their shiny app.
And so, when a service seemingly provides a way to build an app without needing to care about any of those things, of course they take it.
And I get it, I really do. The backend usually is the genuine hard part in any project, because it's the part with all the risk. The part with all the problems. The place where everything can come crashing down or leak all your data if you make bad decisions. That's the bothersome nature of data-driven services.
But that's exactly why the backend is important, and especially the part you can't build anything decent without thinking about.
-
This post did not contain any content.
I always get irrationally angry when i see python code using os.path instead of pathlib. What is this, the nineties?
-
That's not a "senior developer." That's a developer that has just been around for too long.
Secrets shouldn't be in configurations, and developers shouldn't be mucking around in production, nor with production data.
Yeah the whole config thing in that project was an eldritch horror of a legacy, too ingrained in both the services and tooling to be modified without massive rewrites
-
I always get irrationally angry when i see python code using os.path instead of pathlib. What is this, the nineties?
Make a PR
-
Disabling index and making the names UUID would make the directory inviolable even if the address was publicly available.
Bet you could reuse/keep UUIDs for someone/stuff that gets updated and get that new data even if you "shouldn't".
It could work in theory but in practice there are always a billion things that go wrong IMO.
-
while True:
Jesus Christ
There's nothing wrong with manually breaking a loop.
-
I can tell you exactly what happened. "Hey Claude, I need to configure and setup a DB with Firebase to store images from our application." and then promptly hit shift+tab and then went to go browse Reddit.
nothing was tested. nothing was verified. They let the AI do its thing they checked in on it after an hour or so. once it was done it was add all, commit -m "done", push origin master. AI doesn't implement security stuff. there was zero security here.
Shift + tab?
-
There's nothing wrong with manually breaking a loop.
There's nothing wrong with eating a banana with a knife and fork, either.
Except living with the shame.
-
This post did not contain any content.
This is hilarious
-
This post did not contain any content.wrote on last edited by [email protected]
Hack has at least two definitions in a computing context.
- A nifty trick or shortcut that is useful. "Check out this hack to increase your productivity."
- Accessing something you shouldn't. "They hacked into the database."
A lot of times they sort of get used in conjunction to describe interesting ways to gain access to secure systems, but using it to describe accessing insecure things you shouldn't is still a valid usage of the phrase.
That said I definitely wanna see the company face charges for this, this is insane.
-
I absolutely despise Firebase Firestore (the database technology that was "hacked"). It's like a clarion call for amateur developers, especially low rate/skill contractors who clearly picked it not as part of a considered tech stack, but merely as the simplest and most lax hammer out there. Clearly even DynamoDB with an API gateway is too scary for some professionals. It almost always interfaces directly with clients/the internet without sufficient security rules preventing access to private information (or entire database deletion), and no real forethought as to ongoing maintenance and technical debt.
A Firestore database facing the client directly on any serious project is a code smell in my opinion.
Ah yes, Firebase.
The Google version of leaking all your company data through a public S3 bucketI remember when they launched and started pushing it in the Android dev community.
Actually won a Google Pixel at a Firebase sponsored hackathon in my town...after that I never touched Firestore again.
Using that ACL language to restrict access, you could see the massive foot gun from a mile away -
Make a PR
Be the change you want to see in the world.
-
You've probably already made your Big Dumb Mistake, it just hasn't been triggered yet.
Or, you just weren't there any more when it triggered.
Most likely they never recognized that they fucked up. It was always other person fault.
-
Hack has at least two definitions in a computing context.
- A nifty trick or shortcut that is useful. "Check out this hack to increase your productivity."
- Accessing something you shouldn't. "They hacked into the database."
A lot of times they sort of get used in conjunction to describe interesting ways to gain access to secure systems, but using it to describe accessing insecure things you shouldn't is still a valid usage of the phrase.
That said I definitely wanna see the company face charges for this, this is insane.
No, this was a data leak. The word "hack" has legal implications and shifts the blame away from the company and onto the individual who discovered the leak.
-
Aside from the fact that a strong enough supercomputer won't exist for decades, you're not limited by the speed of UUID generation. Even if you had an infinitely fast supercomputer, it wouldn't speed up your brute force attempts, since you're limited by the speed of the backend. Wherever Tea stores their images, that server has only a limited capacity for responding to requests, far less than the speed with which you can generate UUIDs. That's a hard cap - you won't try guesses faster than that.
Even assuming 0 latency on their backend, if you wanted to check each UUIDv4 value again their database during your lifetime, you would need to check 1.686 x 10^27 UUIDv4 per second for 100 years straight. Supercomputers are measured in exaflops, which is 10^18 operations per second, so even distributing the work across many machines, you would need about 1 billion of super computers to be able to have a chance of checking every UUIDv4 value within 100 years.
-
No, this was a data leak. The word "hack" has legal implications and shifts the blame away from the company and onto the individual who discovered the leak.
Based on this comment alone, I am 100% sure that you are not a lawyer.
-
I always get irrationally angry when i see python code using os.path instead of pathlib. What is this, the nineties?
And what's with the string addition? Never heard of f-strings or even .format()?
-
Bet you could reuse/keep UUIDs for someone/stuff that gets updated and get that new data even if you "shouldn't".
It could work in theory but in practice there are always a billion things that go wrong IMO.
Not really sure what you mean by reusing UUIDs but theres nothing bad about using UUIDs in URLs for content you don't want scrapped by bots. Sites like Google Photos are already are using UUIDs in the URL for the photos, and do not require any authentication to see the image as long as you have the URL. You can try this for yourself and copy the URL of an image and open it in a Private Browsing Window. Every so often someone realizes the actual image URL is public and think they've found a serious issue, but the reason why it isn't is because of the massive key space UUID provides and that it would be infeasible to check every possible URL, even if it's publicly available.
-
Wow. It actually identified something?
It's good enough for corporate (with multiple other lines of defense).
-
There's nothing wrong with manually breaking a loop.
An infinite loop used to be such a rank code smell back when I was a junior, specifically because I was a noob and made giant loops like 50 lines long and invariably didn't plan the exit condition right, and then my computer would lock up and I would have to hard power cycle.
But yeah, now it's it's a totally acceptable little pattern imho.
