Comment by CharlieDigital
6 days ago
It's a hack because he had an admin route and API endpoint which was only checking for authenticated users. He thought no one could see the route because it wasn't in a sitemap (of course, everyone could see the route). The hacker found the API route to insert themselves into an admin table (Supabase RLS was not deployed correctly) and from there, started adding themselves to other orgs in the DB.
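As an added illustration (not code from the thread or from the project being discussed), here is what the gap described in the comment looks like at the Postgres layer in Supabase: the endpoint checked only that a caller was logged in, and with RLS missing on the admin table, any logged-in user could write a row naming themselves an admin of any org through the auto-generated REST API. The table names `orgs` and `org_admins`, their columns, and the helper `is_org_admin` are assumptions made for this example; `auth.uid()`, `auth.users` and the `authenticated` role are real Supabase objects.

```sql
-- Assumed schema (hypothetical names; not the project's own).
create table orgs (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table org_admins (
  org_id  uuid not null references orgs(id),
  user_id uuid not null references auth.users(id),
  primary key (org_id, user_id)
);

-- WEAK SHAPE: row level security never enabled on org_admins.
-- Supabase exposes the table through PostgREST to anyone presenting a valid
-- user JWT, so an attacker who has simply signed up can run the equivalent of
--
--   insert into org_admins (org_id, user_id) values ('<victim org id>', auth.uid());
--
-- and is now an admin of that org. A route that only asks "is this user
-- logged in?" does nothing to stop this, because the attacker is logged in.

-- CORRECTED SHAPE.
alter table org_admins enable row level security;
-- Apply the policies to the table owner as well (roles with BYPASSRLS,
-- such as the one behind the service_role key, still bypass them).
alter table org_admins force row level security;

-- Membership check as a SECURITY DEFINER helper so the policy below does not
-- re-enter the table's own policies (avoids "infinite recursion" errors).
create or replace function public.is_org_admin(target_org uuid)
returns boolean
language sql
security definer
set search_path = public
stable
as $$
  select exists (
    select 1 from org_admins
    where org_id = target_org and user_id = auth.uid()
  );
$$;
revoke execute on function public.is_org_admin(uuid) from public;
grant  execute on function public.is_org_admin(uuid) to authenticated;

-- Callers may read only their own admin rows.
create policy org_admins_select_own on org_admins
  for select to authenticated
  using (user_id = auth.uid());

-- Only an existing admin of an org may add another admin to that org.
-- The inserted row's org_id must be one the caller already administers.
create policy org_admins_insert_by_admin on org_admins
  for insert to authenticated
  with check (public.is_org_admin(org_id));

-- Only an existing admin of the org may remove admins from it.
create policy org_admins_delete_by_admin on org_admins
  for delete to authenticated
  using (public.is_org_admin(org_id));

-- No update policy is created: once RLS is enabled, anything without a
-- matching policy is denied by default.
```

Two caveats a practitioner would add. First, the very first admin of a new org cannot satisfy the insert policy, so that bootstrap write has to happen in a SECURITY DEFINER function or with the service_role key on the server, and that key must never reach the browser, since it bypasses RLS entirely. Second, RLS is the backstop, not a substitute for the route itself checking that the caller is an admin of the target org before it acts; both checks should exist.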
I’d take even odds that that’s what his vibe assistant said happened, but it has no relation to the actual sequence of events.
> Supabase RLS was not deployed correctly
What a surprise. This has become the new "the default password was admin and no one changed it". And I remember vendors getting enough flak for those defaults that most of them changed them.
It's a hack because... it's openly exposed to anyone...