a thoughtful web.
Good ideas and conversation. No ads, no tracking.   Login or Take a Tour!
comment by caelum19

This actually happened to me once, I was making a Twitter bot with Twitter4J for fun and I uploaded my code to GitHub so I can access it accross computers. Not-so-smartly I forgot that I had my Twitter app access keys in plain text on the GitHub page. A couple of months later the bot started tweeting strange messages and I found out GraemeA had used the keys to tweet messages. Pretty funny.





insomniasexx  ·  3562 days ago  ·  link  ·  

Yup. It is so scarily easy to upload keys, passwords, etc. into github without realizing it. Especially if you are working with a build system. You set it up, forget about it, upload it to github so your partner can build too, and whoopsies. All your databases and everything else is suddenly there for the taking.

I'm working on some CSS shit for a pretty high level app right now. Most of the stuff the team is working on it way over my head. Apparently the company believes in "microsystems" so there are at least 6 different endpoints we connect to and 4 servers you have to set up before you can see the front end. Everything was fine and git-ignored and there were warnings everywhere. Then they updated the build system. One merge later we had all the build.example.xzy files and the main engineer's build.xyz file. I probably would have never noticed, and it was still in a private dev brand, but I'm glad someone did sooner rather than later.

The reality is, even smart people make mistakes. And it turns out the super geniuses aren't really all that smart about the tiny details. That's why you have 3rd party security consultants. They don't have to be a genius with bold ideas and phenomenal code. All they have to do is check the little shit. Especially with the rate of growth some start ups are experiencing, I wouldn't be surprised if we see more and more fundamental flaws being exposed. I'm just going to laugh when someone injects code or is able to drop a table in the "next big app".

caelum19  ·  3560 days ago  ·  link  ·  

    That's why you have 3rd party security consultants
It's a shame the more vunerable startups can't afford these people, my older brother joked that he'd make a 'hack' for the game I'm making as soon it's released.

Even though he was joking I'm pretty sure he will. Which is a good thing really, much better he find a exploit than someone else. My joke twitter account could have easily been a professional one and GraemeA could haev easily been someone with bad intentions.

It'd be great if there was a tool to scan github repos for things that look like keys and find unsanitized database inputs, bobby-tables.exe I'd call it.

    I'm just going to laugh when someone injects code or is able to drop a table in the "next big app".
My older brother shows me these failures all the time. They're bloody hillarious, there was this one time a Garry's Mod(Pretty popular multiplayer game if you've not heard of it) server had a user function which basically just sent commands to the server. Turns out they were ran with console privileges and he used it to clear all server ranks, admin himself and do a lot of trolling.
thundara  ·  3560 days ago  ·  link  ·  

    It'd be great if there was a tool to scan github repos for things that look like keys and find unsanitized database inputs, bobby-tables.exe I'd call it.

I seem to recall that there is, but it's used for nefarious groups rather than for good.

Edit: Link

caelum19  ·  3560 days ago  ·  link  ·  

Thanks for that link.

It was pretty nice of Amazon to drop the charges. The hackers should release their program as a paid software restricted to people's own repos for more money, hackers or not I don't mind as long as my project is safe from mistakes.