agnos.is Forums

I wonder if this was made by AI or a shit programmer

Programmer Humor
programmerhumor
170 Posts 93 Posters 1 Views

  • Replying to F [email protected]:

        Other reports state the Tea backend was Vibe Coded: https://www.ainvest.com/news/tea-app-data-breach-exposes-72-000-users-ai-generated-code-security-lapse-2507/

    F [email protected] (#64):

    Sure, it might be, I'm not saying it isn't. All I'm saying is: the screenshot shows the code someone wrote to download the images. It's not part of the Tea codebase.

  • Replying to 4 [email protected]:

        This has been the case for 40+ years. Humans are almost always the weakest link.

    P [email protected] (#65):

    We built this shit. Thus we are always to blame.

  • Replying to C [email protected]:

            You’re no better off than if you did an internet search and tried to figure out who’s giving good advice, or just fumbled your own way through the docs in the first place.

        These have their own problems IME. Often the documentation (if it exists) won't tell you how to do something, or it's really buried, or inaccurate. Sometimes the person posting StackOverflow answers didn't actually try running their code, and it doesn't run without errors. There are a lot of situations where an LLM will somehow give you better answers than these options. It's inconsistent, and the reverse is true also, but the most efficient way to do it is to use all of these options situationally and as backups to each other.

    F [email protected] (#66):

    Yes, it can be useful in leading you to look in the right place for more information, or orienting you with the basics when you're working with a technology that's new to you. But I think it wastes my time as often as not.

  • Replying to S [email protected]:

        Believe it or not a lot of hacking is more like this than you think.

    D [email protected] (#67):

    Security by obscurity.

  • Replying to cyrano@lemmy.dbzer0.com:

        Microsoft Defender identified malware in this executable.

    01189998819991197253@infosec.pub (#68):

    Wow. It actually identified something?

  • Replying to F [email protected]:

        While proper security is better, you're not gonna brute force UUIDs.

    01189998819991197253@infosec.pub (#69):

    As long as you're not rate limited, you absolutely could.

  • Replying to L [email protected]:

        When I tried making a website with Gemini CLI it did deadass use string interpolation for SQL queries, so everything is possible.

    D [email protected] (#70):

    Robert'); DROP TABLE Students; --

  • Replying to 01189998819991197253@infosec.pub:

        As long as you're not rate limited, you absolutely could.

    F [email protected] (#71):

    A UUID v4 has 122 bits of randomness. Do you know how long that would take to brute-force, especially with network limitations?

  • Replying to F [email protected]:

        Yes, it can be useful in leading you to look in the right place for more information, or orienting you with the basics when you're working with a technology that's new to you. But I think it wastes my time as often as not.

    C [email protected] (#72):

    That's implying that the quality of information from other sources is always better, but I'm saying that's sometimes not true; when you're trying to figure out the syntax for something, documentation and search engines have failed you, and the traditional next step would be to start contacting people or trying to find the answer in unfamiliar source code, sometimes an LLM can somehow just tell you the answer at that point and save the trouble. Of course you have to test that answer, because more often than not it will just make up a fake one, but that just takes a few seconds.

    There are some situations where I'm going back to search engines as a first option though, like error messages: LLMs seem to like to get tunnel vision on the literal topic of the error, while search results will show you an unintuitive solution to the same problem if it's a very common one.

  • Replying to 01189998819991197253@infosec.pub:

        As long as you're not rate limited, you absolutely could.

    C [email protected] (#73):

    You cannot!

  • Replying to W [email protected]:

        Sounds like a good case for brute forcing the filenames. Just do the proper thing and don't leave your cloud storage publicly accessible.

    C [email protected] (#74):

    Can't be done.

  • Replying to lena@gregtech.eu:

        This post did not contain any content.

    emilyistrans@lemmy.blahaj.zone (#75):

    I absolutely despise Firebase Firestore (the database technology that was "hacked"). It's like a clarion call for amateur developers, especially low rate/skill contractors who clearly picked it not as part of a considered tech stack, but merely as the simplest and most lax hammer out there. Clearly even DynamoDB with an API gateway is too scary for some professionals. It almost always interfaces directly with clients/the internet without sufficient security rules preventing access to private information (or entire database deletion), and no real forethought as to ongoing maintenance and technical debt.

    A Firestore database facing the client directly on any serious project is a code smell in my opinion.

  • Replying to S [email protected]:

        Security through obscurity never works.

    C [email protected] (#76):

    It's not security through obscurity in this case. The filenames can't be obtained or guessed through brute force. At least not with current technology or processing power...

    Security through obscurity is when you hide implementation details.

    Saying that my suggestion is security through obscurity is the same as telling that ASLR is security through obscurity...

  • Replying to F [email protected]:

        A UUID v4 has 122 bits of randomness. Do you know how long that would take to brute-force, especially with network limitations?

    01189998819991197253@infosec.pub (#77):

    It taking a long time doesn't make it an impossibility. The fact that it has a limit of 122 bits, in and of itself, makes the possibility of a brute force a mathematical guarantee.

  • Replying to C [email protected]:

        You cannot!

    01189998819991197253@infosec.pub (#78):

    I cannot. But the brute force is a mathematical guarantee.

  • Replying to 01189998819991197253@infosec.pub:

        It taking a long time doesn't make it an impossibility. The fact that it has a limit of 122 bits, in and of itself, makes the possibility of a brute force a mathematical guarantee.

    C [email protected] (#79):

    For all practical purposes, it's impossible.

  • Replying to C [email protected]:

        For all practical purposes, it's impossible.

    01189998819991197253@infosec.pub (#80):

    It's not, though. And thinking that it is impossible is why DES, for example, was "translatable" by the NSA for decades. Never assume something is impossible just because it's difficult.

  • Replying to D [email protected]:

        Robert'); DROP TABLE Students; --

    cupcakezealot@piefed.blahaj.zone (#81):

    aw bobby

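The Bobby Tables exchange above, carried through as an added example that is not code from the thread, from Gemini CLI, or from the Tea codebase: a Python sqlite3 script that builds the INSERT by string interpolation (the pattern the earlier post describes) next to the parameterised form, run against the same payload. The interpolated version goes through executescript() to model a driver or ORM that accepts stacked statements; sqlite3's plain execute() refuses a second statement, which would make the classic payload fail in that one API for an incidental reason, not because interpolation is safe (a single-statement payload such as a tautology in a WHERE clause still works there).

```python
import sqlite3

# Constructed payload: the classic Bobby Tables input quoted in the thread.
BOBBY = "Robert'); DROP TABLE Students; --"


def fresh_db() -> sqlite3.Connection:
    """In-memory database with one table and one row (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT NOT NULL)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Check the schema catalogue so a dropped table is detected without an exception."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def insert_student_vulnerable(conn: sqlite3.Connection, name: str) -> str:
    """String interpolation: the caller's input becomes part of the SQL text.

    Returns the SQL actually sent so the caller can see what the database parsed.
    executescript() stands in for any driver or ORM that allows stacked statements.
    """
    sql = f"INSERT INTO Students (name) VALUES ('{name}');"
    conn.executescript(sql)
    return sql


def insert_student_safe(conn: sqlite3.Connection, name: str) -> None:
    """Parameterised query: the input is bound as a value and never parsed as SQL."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def student_names(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT name FROM Students ORDER BY name")]


def demo() -> dict:
    """Run both forms against BOBBY on separate databases and report what survived."""
    vuln = fresh_db()
    sent = insert_student_vulnerable(vuln, BOBBY)
    safe = fresh_db()
    insert_student_safe(safe, BOBBY)
    return {
        "sql_sent_by_vulnerable_form": sent,
        "vulnerable_table_survives": table_exists(vuln, "Students"),
        "safe_table_survives": table_exists(safe, "Students"),
        "safe_rows": student_names(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The interpolated form sends `INSERT INTO Students (name) VALUES ('Robert'); DROP TABLE Students; --');`, so the table is gone afterwards; the parameterised form stores the whole payload, quotes and all, as one name and the table survives. The fix is the binding, not escaping: the same `?` placeholder (or `%s` / `:name` depending on driver) is what an ORM's query builder emits for you when you stop handing it pre-formatted strings.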
  • Replying to lena@gregtech.eu:

        As much as I dislike JavaScript, it isn't responsible for this. The person (or AI) and their stupidity is.

    cupcakezealot@piefed.blahaj.zone (#82):

    But it didn't help; it was basically the gasoline.

  • Replying to 01189998819991197253@infosec.pub:

        It taking a long time doesn't make it an impossibility. The fact that it has a limit of 122 bits, in and of itself, makes the possibility of a brute force a mathematical guarantee.

    B [email protected] (#83):

    By this logic, all crypto is brute-forceable, on a long enough timeline.

    A 122 bit random number is 5316911983139663491615228241121378303 possible values. Even if it were possible to check 1 trillion records per second, it would take 168598173000000000 years to check all the UUIDs and get the info on all the users. Even if every human on earth signed up for the app (~8 billion people), and you wanted to just find any one valid UUID, the odds of generating a UUID and that being valid in their DB is basically 0. You can do the math yourself following the Birthday Paradox to determine how many times you would need to guess UUIDs before the probability that any one UUID is valid against a population of the whole world is greater than 50%.

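The arithmetic the last several posts argue over, carried through as an added example that is not code from the thread or from the Tea app. The inputs (8 billion valid IDs, a trillion guesses per second) are the figures the post above assumes, not measurements. The id_risk() classifier is an added practitioner check: the 122-bit figure only holds for UUIDv4 values drawn from a CSPRNG, not for sequential integers or time-based UUIDv1 names, and none of it matters if the bucket allows listing, which sidesteps guessing entirely.

```python
import math
import uuid

UUID4_RANDOM_BITS = 122                 # 128 bits minus 4 version bits and 2 variant bits
UUID4_KEYSPACE = 1 << UUID4_RANDOM_BITS
SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed figures from the thread, not measured values.
WORLD_POPULATION = 8_000_000_000
GUESSES_PER_SECOND = 10**12


def years_to_exhaust(keyspace: int, guesses_per_second: int) -> float:
    """Years needed to try every value in the keyspace at the given rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def hit_probability(keyspace: int, valid_ids: int, guesses: int) -> float:
    """P(at least one of `guesses` uniform random guesses names a valid ID).

    Each guess hits with probability q = valid_ids / keyspace, so
    P(no hit) = (1 - q) ** guesses; computed in log space so that q around
    1e-27 and guess counts around 1e19 do not underflow to 0 or round to 1.
    """
    q = valid_ids / keyspace
    if q >= 1:
        return 1.0
    return -math.expm1(guesses * math.log1p(-q))


def guesses_for_probability(keyspace: int, valid_ids: int, p: float = 0.5) -> int:
    """Guesses needed before the chance of any hit reaches p (inverse of hit_probability)."""
    q = valid_ids / keyspace
    if q >= 1:
        return 1
    return math.ceil(math.log1p(-p) / math.log1p(-q))


def id_risk(name: str) -> str:
    """Rough guessability class of an object name: the check worth running on a real bucket."""
    if name.isdigit():
        return "sequential"             # enumerable by counting; no brute force needed
    try:
        u = uuid.UUID(name)
    except ValueError:
        return "unknown"
    if u.version == 4:
        return "random"                 # 122 random bits, provided a CSPRNG generated it
    if u.version == 1:
        return "time-based"             # timestamp plus node id: search space shrinks to minutes
    return "uuid-v%s" % u.version


def summary() -> dict:
    """The thread's numbers side by side with a short-ID counterexample."""
    year_of_guesses = GUESSES_PER_SECOND * SECONDS_PER_YEAR
    return {
        "years_to_exhaust_uuid4": years_to_exhaust(UUID4_KEYSPACE, GUESSES_PER_SECOND),
        "p_hit_after_one_year": hit_probability(UUID4_KEYSPACE, WORLD_POPULATION, year_of_guesses),
        "guesses_for_50pct": guesses_for_probability(UUID4_KEYSPACE, WORLD_POPULATION),
        # Contrast: a 32-bit random ID with a million accounts falls to 100k guesses.
        "p_hit_32bit_1M_users_100k_guesses": hit_probability(1 << 32, 1_000_000, 100_000),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value:.3e}" if isinstance(value, float) else f"{key}: {value}")
    for sample in ("12345", "123e4567-e89b-42d3-a456-426614174000",
                   "6ba7b810-9dad-11d1-80b4-00c04fd430c8", "not-a-uuid"):
        print(sample, "->", id_risk(sample))
```

At a trillion guesses per second the keyspace takes about 1.7e17 years to exhaust, a year of guessing against 8 billion valid IDs hits with probability on the order of 1e-8, and a 50% chance of any hit needs roughly 4.6e26 guesses; a network rate limit is not what makes this infeasible. The same function with a 32-bit keyspace shows the opposite: with a million valid IDs, 100,000 guesses is enough to hit almost surely. The practical failure modes are the ones id_risk() flags (sequential or time-based names), a predictable random source, and bucket listing, not exhaustive search.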