Comment by risyachka

6 days ago

It’s not a “hack” when you have your stripe keys in the frontend.

It’s called a skill issue and to prevent these you have to actually spend time learning instead of vibing.

It’s literally the same as driving a car without a license.

Everyone can do it - but shouldn’t.

It's a hack because he had an admin route and API endpoint which was only checking for authenticated users. He thought no one could see the route because it wasn't in a sitemap (of course, everyone could see the route). The hacker found the API route to insert themselves into an admin table (Supabase RLS was not deployed correctly) and from there, started adding himself to other orgs in the DB.

  • I’d take even odds that that’s what his vibe assistant said happened but it has no relation to the actual sequence of events

  • > Supabase RLS was not deployed correctly

    What a surprise.. This has become the new "the default password was admin and no one changed it". And I remember vendors getting enough flak for those defaults that most of them changed them.
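The failure described in the thread is an endpoint that gates on "is the caller logged in" while the underlying table has no row-level security. As an added example (not code from the thread or from the project being discussed), here is that table in its unprotected state beside a Postgres/Supabase RLS configuration that ties writes to existing org-admin membership; the schema, table, column and helper-function names are assumptions, while `auth.uid()` is Supabase's own helper.

```sql
-- Added example, not from the thread. Schema, table, column and
-- function names are assumptions for illustration.

create table public.org_members (
  org_id  uuid not null,
  user_id uuid not null references auth.users (id),
  role    text not null check (role in ('member', 'admin')),
  primary key (org_id, user_id)
);

-- WEAK STATE: RLS is not enabled. Supabase exposes this table through
-- its auto-generated REST API, so "is the caller logged in?" is the
-- only gate; any authenticated user can insert a row naming any org
-- and themselves as admin, which is the failure described above.

-- CORRECTED STATE: enable RLS so that, with no matching policy, the
-- authenticated role can neither read nor write any row.
alter table public.org_members enable row level security;

-- Helper that answers "is the caller an admin of this org?".
-- security definer runs it as the function owner, so the lookup is
-- not itself subject to the policies below (avoids policy recursion).
create or replace function public.is_org_admin(p_org uuid)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from public.org_members
    where org_id = p_org and user_id = auth.uid() and role = 'admin'
  );
$$;

-- A member sees their own rows; an admin sees every row of their org.
create policy "read own orgs" on public.org_members
  for select to authenticated
  using (user_id = auth.uid() or public.is_org_admin(org_id));

-- Only an existing admin of the target org may add members to it.
create policy "admins add members" on public.org_members
  for insert to authenticated
  with check (public.is_org_admin(org_id));

create policy "admins update members" on public.org_members
  for update to authenticated
  using (public.is_org_admin(org_id))
  with check (public.is_org_admin(org_id));
```

With these policies no first admin can be created through the public API, so that bootstrap row has to come from a migration or a server-side path using the service-role key. Note that the service-role key bypasses RLS entirely, so any server route using it still needs its own authorization check rather than just an authentication check.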