Hack has at least two definitions in a computing context.
- A nifty trick or shortcut that is useful. “Check out this hack to increase your productivity.”
- Accessing something you shouldn’t. “They hacked into the database.”
A lot of times they sort of get used in conjunction to describe interesting ways to gain access to secure systems, but using it to describe accessing insecure things you shouldn’t is still a valid usage of the phrase.
That said I definitely wanna see the company face charges for this, this is insane.
No, this was a data leak. The word “hack” has legal implications and shifts the blame away from the company and onto the individual who discovered the leak.
Yeah, if I leave my house door wide open for a few weeks and I get robbed, it’s still burglary.
Terrible analogy. A webserver is not at all like a door. It doesn’t block or allow traffic to and from your file system.
A web server is more like a receptionist. It handles requests. “Can I have your basic catalog?” “Certainly, here you go.”
“Can I get this item from your basic catalog?” “Certainly.”
“I don’t see it in your catalog, but my buddy said he got this other item from you. Can I have this other item too?” “Absolutely.”
“Can I borrow your stapler?” Sure. “How about a pad of paper?” “Of Course”. “Can I just have the contents of your supply closet?” “Here you go.” “How about your accounting files, can I get those?” “No problem!” “How about your entire customer list?” “Consider it done!”
When you hire a receptionist and specifically tell them to give customers anything they request, that’s entirely on you. You have to at least make a token effort to restrict access to only authorized users before you can even claim that a particular user was unauthorized.
This wasn’t burglary. This was putting up signs that say “come in” and labeling everything in your house with “free” stickers.
I absolutely despise Firebase Firestore (the database technology that was “hacked”). It’s like a clarion call for amateur developers, especially low rate/skill contractors who clearly picked it not as part of a considered tech stack, but merely as the simplest and most lax hammer out there. Clearly even DynamoDB with an API gateway is too scary for some professionals. It almost always interfaces directly with clients/the internet without sufficient security rules preventing access to private information (or entire database deletion), and no real forethought as to ongoing maintenance and technical debt.
A Firestore database facing the client directly on any serious project is a code smell in my opinion.
Peak Vibe Coding results.
while True:
Jesus Christ
You know that’s not the Tea code, but the downloader, right?
There’s nothing wrong with manually breaking a loop.
There’s nothing wrong with eating a banana with a knife and fork, either.
Except living with the shame.
Well these people probably don’t wash their hands so knife fork is the most sanitary way.
You could say they “spilled the tea”.
This reminds me of how I showed a friend and her company how to get databases from BLS and it’s basically all just text files with urls. “What API did you call? How did you scrape the data?”
Nah man, it’s just… there. As government data should be. They called it a hack.
ah yes, the forbidden curl hack
Believe it or not a lot of hacking is more like this than you think.
Social engineering is probably 95% of modern attack vectors. And that’s not even unexpected, some highly regarded computer scientists and security researchers concluded this more than a decade ago.
When the technical side reaches a certain level of security, the humans become the weakest link.
*if
We reached that part a long time ago.
Clearly the authors of this app did not. Hence “if.”
Humans were still very much the weak link here. The tools to do this even mildly securely are available, well documented, and honestly, cheap af
What is the Tea hack?
An app called Tea™ was marketed as a safespace for women and used government issued IDs as a way to verify users.
4Chan users leaked all of the IDs onto the larger internet.
So it essentially became a honey trap, either through malice or sheer incompetence.
Well, I get what you mean, but a “honey trap” idiom in English, also called a “honeypot scheme”, usually refers to utilizing romantic connections to influence people to make decisions or release confidential information.
Honeypot is a common term in computing/cybersecurity, setting up fake important servers so bad actors invade and the security team can analyze what got in and how to deal with it.
Well it doesnt surprise me that the IT team doesn’t know about a sexual terminology, tbh.
They’re all over master-slave, tho 😏
Not a big fan of the wording here. Plenty of skilled programmers make dumb mistakes. There should always be systems in place to ensure these dumb mistakes don’t make it to production. Especially when related to sensitive information. Where was the threat model and the system in place to enforce it? The idea that these problems are caused by “shit programmers” misses the real issue: there was either no system or an insufficient system to test features and define security requirements.
I can tell you exactly what happened. “Hey Claude, I need to configure and setup a DB with Firebase to store images from our application.” and then promptly hit shift+tab and then went to go browse Reddit.
nothing was tested. nothing was verified. They let the AI do its thing they checked in on it after an hour or so. once it was done it was add all, commit -m “done”, push origin master. AI doesn’t implement security stuff. there was zero security here.
Shift + tab?
basically “autopilot” for claude code.
Ah, thanks.
I always get irrationally angry when i see python code using os.path instead of pathlib. What is this, the nineties?
What big advantages does pathlib provide? os.path works just fine
- Everything is in one library which offers consistency for all operations.
- You can use forward slashes on Windows paths, which makes for much better readability.
- You can access all the parts of a pathlib object with attributes like .stem, .suffix or .parent.
- You can easily find the differences between paths with .relative_to()
- You can easily build up complex paths with the / operator (no string additions).
Just off the top of my head.
I suppose os.path is simpler? It’s a string and operation.
Python is all about ‘attention efficiency,’ which there’s something to be said for. People taking the path of least resistance (instead of eating time learning the more complex/OOP pathlib) to bang out their script where they just need to move a file or something makes sense. I’m with you here, but it makes sense.
…Also, os.path has much better Google SEO, heh.
Make a PR
