Comment by WD-42
6 days ago
I would not default to assuming it was his competitors, that sounds like scapegoating to deflect responsibility. What most likely happened is his site was scanned by one of the increasingly sophisticated exploit crawlers (anyone who runs an internet facing site and can view traffic knows what I'm talking about). His site got flagged as vulnerable, the hacker found out it was built like swiss cheese and had fun with it.
It's 100% this. Anyone who's run a website or web app for any length of time in recent years and makes a habit of inspecting their logs will quickly realise that they're being scanned by bots looking for vulnerabilities multiple, or even many, times per day. The search for vulnerabilities is entirely automated and will pick up any domain that has a website or web app attached to it.
One those vulnerabilities are found, the hackers will pounce, and, whilst ransomware is one potential outcome, they might instead do all of the kinds of things GP has described. They don't care what the site is for or what industry you're in.
>One those vulnerabilities are found, the hackers will pounce
...and work to exploit your code to their own benefit. They don't do this just so that they can refund your customers.
Often it's just done for reputation. "We got ahold of their stripe key and refunded everything lol" is hilarious and absolutely on-brand.
I mean, I can see refunding their customers just for the lols.
1 reply →
> anyone who runs an internet facing site and can view traffic knows what I'm talking about
Most of what I see is looking for very specific vulnerabilities - a very high proportion are looking for hidden files and directories being served (e.g. .git, .env) or specific software (e.g. Wordpress), or similar.
In over 20 years of dealing with many mostly smallish businesses the compromises have been:
1. A client who insisted on using Wordpress for one of their sites (against my advice) because they had people who knew it so it was the cheap option. It was easy to see what would happen because those people were not available long term. 2. A very carefully set up server with a hardened kernel etc. I did not set it up so cannot give all details and neither do I know how it was compromised. It was carefully set up because it was a target for political reasons so I would guess it was a targetted attack.
On the other hand I know there have been many vulnerabilities. There have been many vulnerabilities in the applications - the outstanding examples being creating queries by concatenating user input with SQL (no escaping at all) in multiple places across a small site (years ago), and (recently) finding code that called (python) exec on user input. Many other flaws that have been present for years. Not updating OSes, server software and frameworks for many years is usual.
In spite of all that, just those two compromises. You will probably get away with a high degree of bad code and bad practices in deployment and maintenance with a small site.
Who else would spend the time and effort to figure out you leaked your stipe key to your front end? Sure people have bots to do that, but it’s kinda unbelievable someone would run such a bot on their vibe coded website.
I have a strictly hobby web app that I work on. 6-7 years ago I inadvertently pushed AWS email service credentials to GitHub.
Half an hour after the push I got an email and text from GitHub that I had exposed credentials. I quickly logged in to my AWS to turn off the service, to see that AWS had suspended that service because the bounce rate on the 80000 emails sent in that 15 minute period was too high. It was crazy just how fast it was exploited.
>> It was crazy just how fast it was exploited.
People underestimate the speed, but also the number of pivots that advanced attackers will make. Sure, these kinds of problems are easy to exploit, but with major organizations that employ reasonable defenses, the attackers will pivot through 50+ exploits/machines/layers to get to the target(s). This can take place over weeks or months.
5 replies →
Here's an amusing thing to try on anything with SSH exposed. These log files go back a month.
10 replies →
> It was crazy just how fast it was exploited.
The internet is a wild place in any aspect of it. You should try spinning up a random virtual private server on any cloud provider, plug in a public IP address,and listen to traffic. Sometimes it takes seconds to get your first traffic from vulnerability scanners.
6 replies →
Github repositories have statistics about access. Anyone can test this.
Create a new Github repo, within minutes there's someone (or something) poking around it.
Similarly if you post any credentials, they'll either get nabbed and used or a friendly scanner service will notify you about it and will tell you exactly where the credential is if you make an account in their service.
I think common people also underestimate how fast a computer really is nowadays, because they only know bloated MS Windows machines.
Why is it unbelievable? There is an entire industry of people trying to find vulnerable niche applications like this. There are bots which crawl the web, not to make an index, but just to find vulnerabilities. Nobody necessarily even had to 'point' anything at this at all, it just shows up on their dashboard one day and they get to dig in.
I would not be surprised if Shodan.io ends up with queries for easily identifiable markers of vibe-coded software.
> There are bots which crawl the web, not to make an index, but just to find vulnerabilities.
You can download a few of them out of GitHub and run them immediately, too.
I was being facetious. Yes, there are millions of bots that are constantly searching every website for leaked keys, passwords, database credentials, crypto wallets, firebase endpoints, s3 buckets, email addresses, phone numbers, etc. the list is bottomless
Yep. We once had left a socks proxy unprotected on a public IP, no cert, just a random IP and a fixed port. At one day the service stopped working. When looking into it, the network was overloaded with random IPs from all over the world surfing on the free proxy.
> Who else would spend the time and effort to figure out you leaked your stipe key to your front end?
In high school in the early 2000’s, I ran a small Apache server from my home that was basically Geocities but even less discoverable - I used it to learn PHP, SQL, and frontend. One day my log started filling rapidly as someone effectively ddos’d my home server. If they’d bothered to actually poke, they likely would’ve been able to exploit it relatively quickly even without all of today’s tools. I imagine the process of discovery and exploitation is magnitudes more impressive and performant today.
> Who else would spend the time and effort to figure out you leaked your stipe key to your front end? Sure people have bots to do that, but it’s kinda unbelievable someone would run such a bot on their vibe coded website.
I could offer some anecdata as a counterargument but I'm a bit ashamed about how it happened so I'll just say, you friend was lucky it only ended at that.
I've seen it happen - a key was leaked in a stacktrace somewhere and it took a scraper a couple of days to find it. Stripe helpfully prefixes their keys with sk_prod_ so you can completely automate something to iterate over every IPv4 address and see if something in the output matches.
You don't scan just a single website, you code up the bot once and then scan every site you can find.
Your friends' service was just the proverbial paper car in a thunderstorm: the thunderstorm doesn't care about the paper car but destroys it just the same.
My website has a "public" directory for things I wanted to be publicly accessible, but there's an index.html there so you can't trivially discover what files are there.
I was mirroring this to another machine, and I'd foolishly already configured haproxy to serve from either machine. In the 10 minutes (guesstimate) between starting to populate the directory and closing off access, I had one bot scrape every single file in there. What was worse was that it'd cached the index, and continued scraping these files from the other backend too, so I had to shut off access to that directory on the live server as well as the backup.
Whilst technically, all of these files were "public" because I wanted to share them, some of them weren't publicly linked to (things like my CV etc) which I'd rather hadn't been scraped by some random bot (that of course, didn't identify itself or respect robots.txt).
Nah, that's table stakes for a public facing website.
The thing about bots is that it costs almost nothing to run them against millions of sites every day. It's got nothing with "but what are the odds?!", at large enough scale, unlikely things happen all the time.
Shame on this dude.
Oh you sweet summer child.
It's def a hacker from a the incumbent because:
1) They took action after getting the Stripe key by refunding all customers
2) They drafted an email to all customers after a hack that got the mailing list and API route to send emails
3) Not once has the hacker asked for compensation of any kind nor a ransom
Not sure how to word this, but are you "new" on the internet? People used to break stuff "for the lulz" since the dawn of time.
I remember when I was a kid running a tiny forum with phpbb or something, and some script kiddies from g00nsquad (can't remember exact spelling, but something like that) defaced it. They didn't ask for money, they just did it for fun.
Sure things have changed now and the internet has become more corporate, but I reckon there are still people out there doing this stuff l because they can.
> Sure things have changed now and the internet has become more corporate, but I reckon there are still people out there doing this stuff l because they can.
I recall a while back there was a story here about a recipe app that used LLMs to generate recipes. It didn't took long before posters started showcasing recipes they tricked the LLM to generate, involving ingredients such as cyanide and computer chips.
The pull is always there.
My understanding has always been that most hackers do it for the fun/challenge/sport of it and it's only a small fraction who are in it for the money.
Breaking things is just fun for them and the internet is their video game.
Also the vibe I am getting from places like reddit/etc... is that it's currently open season on vibe coded apps. Lot's of internet points to be had for destroying them.
Breaking things is fun. Effectively stealing money (the refunds) is highly illegal, immoral, and malicious. Who knows who did it, but that aspect is just dickhead territory.
16 replies →
I don't see how any of that implies that an incumbent did it.
If you were a criminal trolling the Internet for vulnerable servers and found stripe keys... would your first instinct be to refund customers rather than do some other sort of crime? Like what's the motivation you envision here?
7 replies →
what was in this email though?
Hey all I’m an independent security researcher and I found that you are paying for an app that is shoddily built and doesn’t respect your privacy or security so I decided to give you all a refund. Have a nice day!
Telling customers it was built with AI and insecure.
Please don't consider becoming a judge. Also, try re-reading what you wrote a few times.