
Researcher finds flaw in a16z website that exposed some company data

Drakim
60 replies
3h38m

a16z did not give me any bug bounty on this because of the fact i publicly reached out instead of trying to reach out privately. the only reason i did it this way was because there was no available contact on their main site and the email i could find engineering@a16z.com bounced my emails

That's a clever lifehack to save your company money, by not having any way to privately contact engineering all bug bounties will have to be reported publicly which means you don't need to pay anything.

paxys
32 replies
2h47m

The company doesn't need a "hack" to not pay money. If they don't have a published bug bounty program then they owe nothing.

They also have contact email addresses listed at the bottom of https://a16z.com/connect, which the researcher conveniently missed.

They were looking for clout, not responsible disclosure.

rvnx
12 replies
2h42m

Let's imagine your backpack is open.

It's polite to say thanks if someone informs you that you accidentally left your backpack open.

But in no way are you supposed to give them anything.

Even further, some people take precious things from your backpack (trying to exploit the issue) and then come back to you asking for money; claiming they are nice people. This is nonsense.

IshKebab
8 replies
2h37m

Terrible analogy. This is more like someone returning your wallet full of cash, on live TV. You aren't legally obligated to give them anything, but it sure is a dick move not to and good luck getting your wallet back next time you drop it if you don't.

abejfehr
5 replies
2h35m

Why will giving someone a cash reward mean you have a better chance of getting your wallet back in the future?

IshKebab
3 replies
2h29m

Because the next person will know there's a good chance you'll give them a cash reward, and that will tip the "immorally take all the cash" vs "return it and hope for a reward" balance more in favour of it being returned.

I would have thought that was completely obvious so maybe that's not what you were asking?

(On the other hand this is HN...)

nox101
1 replies
2h7m

The places you're most likely to get your wallet back in the world are the places you're also less likely to get a reward. The reward for returning a wallet is knowing you're doing your part to make the place you live in a nice place to live.

spencerflem
0 replies
58m

Doing free work for A16Z or any of the awful companies ruining our world is not helping make anything better.

mananaysiempre
0 replies
2h13m

It’s just that the analogy breaks down a bit. It’s fair to say a dropped wallet in a city is a one-shot game—it’s reasonable to expect neither the participants nor their acquaintances will ever encounter each other again; whereas a security vulnerability is closer to a repeated one—it’s a fairly small world. (Some kind of neighbourly behaviour would work better here, but then again, it’s more difficult to find a universal experience of that kind.) I didn’t misunderstand this, but perhaps GP did?..

pixl97
0 replies
2h7m

You're using the wrong line of thought on the analogy here.

The value of the wallet is not the cash you'd directly lose inside of it. The value is getting your ID and cards back without them being copied by someone else, along with any other identifying information.

The value of having an up-front and easy-to-use bug bounty system is that it's easier to use than selling it off to some blackhats (hopefully). Those blackhats may otherwise scrape all your s3 buckets or somehow otherwise run up a zillion dollars of charges over a holiday with your keys.

Being cheap gets expensive.

largbae
0 replies
2h4m

Also the wallet had "please return me, cash reward" written on it. (Bug bounty advertised)

YeahThisIsMe
0 replies
2h33m

You aren't legally obligated to give them anything,

Acktchually, depending on where you live, you might be.

rdedev
1 replies
2h33m

It's not the same. Figuring out a backpack is open takes no effort. Finding a backdoor takes a lot of effort.

TheRealPomax
0 replies
2h21m

Not when you find it on first "inspect element". That really is the equivalent of looking through someone's window and seeing their bank information and credit cards just lying in full view of anyone who'd look in.

tomrod
0 replies
2h35m

... Did they actually steal anything or take advantage, or just touch the bag to make sure it wasn't fake? Seems more of the latter, and your analogy falls flat when the bag carrier contains other people's pii.

mynameisvlad
9 replies
2h38m

So you’d rather researchers reach out to black hats with this information instead? Because that’s what this line of thinking leads to.

It’s in everyone’s, especially the company’s, best interests to have a bug bounty and easily accessible security hotline. Expecting researchers to jump through hoops like contacting their offices’ front desks to get to security is absurd.

paxys
8 replies
2h24m

So you’d rather researchers reach out to black hats with this information instead?

That is pretty much what they did. Posting publicly about the vulnerability most certainly meant that every hacker in the world tried (and probably succeeded) at reproducing it, all before the company had enough time to act.

pavel_lishin
5 replies
2h16m

They didn't post publicly about the vulnerability; they reached out via twitter to tell them that they had one, without giving any details about it whatsoever.

paxys
4 replies
1h59m

Telling everyone that there's a vulnerability is usually as bad as providing detailed steps. No one was looking, and now you've pointed them in the right direction.

internetter
1 replies
1h55m

what do you want them to do? nothing? we've already established that they tried to make contact.

paxys
0 replies
1h12m

How about - go to the company's contact page, look at the email address there, and use that?

pavel_lishin
0 replies
1h55m

No one was looking

It's a16z, not Grandpappy's Model Railroad Museum Showcase ("Come see a photo of the tiniest steam wagon in Sheboygan!").

_a_a_a_
0 replies
1h15m

No it isn't. I flagged you for talking tripe. Honestly, HN seems to have an infestation of plonkers.

mynameisvlad
0 replies
2h21m

So you’d rather this happen? That is the question I asked.

Because this is explicitly what happens when a company doesn’t have a good process for accepting and responding to exploits.

The onus should entirely be on the company to invite researchers to find and report exploits in a responsible way. They are the ones at risk of losing millions of dollars over an exploit.

Ukv
0 replies
2h9m

As far as I can tell, their tweet was just:

someone from @a16z get in touch, now. its bad. security related.

https://x.com/xyz3va/status/1807330215955177937

If your email bounces, I think reaching out over social media is reasonable for a fast response.

Ukv
2 replies
2h2m

not responsible disclosure.

The researcher found an email address, tried it, it bounced, then reached out over Twitter with:

someone from @a16z get in touch, now. its bad. security related.

https://x.com/xyz3va/status/1807330215955177937

That doesn't seem irresponsible to me. Sure they could have searched the bottom of a connect page for the office emails to try, but I don't see any significant issue with what they did instead.

paxys
1 replies
1h13m

"an" email address, not the one on their contact page.

Ukv
0 replies
46m

The email the researcher found (engineering) seems more appropriate than the office info emails (menlopark-info, ...) at the bottom of the Connect page (an actual "contact" page used to exist, but is now 404 with no redirect). I don't see anything irresponsible about trying engineering then reaching out over social media.

leononame
1 replies
2h16m

Am I blind? I don't seem to find the email address at all on that page

consp
0 replies
2h8m

Only thing I can find are office mails, which look more like a trashbin than mail which would respond. Also not where I'd look for a contact mail.

They seem to only want you to connect via social media (which is a poor choice for primary contact IMO).

xyzeva
0 replies
2h9m

i think you're missing the fact that that indeed is not a security email, and the engineering/security email i found bounced.

i had no ill intentions. stop pretending i did.

lawgimenez
0 replies
2h36m

I did the same thing with OP years ago, I tried to contact in every way possible the dev team of the largest telecom company in my country.

All channels were ignored, so I had to resort to contacting our government agencies. Luckily, one agency replied to me and had one of the devs contact me. For this hassle I was only paid $50.

You have no idea the effort we go to to report these things. So I quit bug hunting after that.

I mean, a16z should be very grateful this got reported by an honest hunter regardless of the means it was reported.

jmholla
0 replies
2h8m

They also have contact email addresses listed at the bottom of https://a16z.com/connect, which the researcher conveniently missed.

They have those now. Do we know they did when the researcher tried to reach out?

Edit: I decided to take a look at it myself. It does seem that that was available on June 3rd of this year [0]. (You'll have to look at the source since the archive doesn't do their animations.) It seems to be available on previous snapshots as well [1].

[0]: https://web.archive.org/web/20240603210532/https://a16z.com/...

[1]: https://web.archive.org/web/20240000000000*/https://a16z.com...

idontknowtech
0 replies
59m

I'm generally sympathetic to what you're saying, but I also detest a16z and Horowitz personally for being the epitome of "software guy decides he's expert at everything now" and his role in the crypto bubble.

Should the hacker have tried more? Sure, maybe. Do I really care? Definitely not

nlh
19 replies
3h9m

Counterpoint: OP is a security researcher and couldn’t find a single human email address at one of the most well-known VC firms on the planet? LinkedIn? Twitter? Facebook friends? Come on. They’re not hard to reach if one really wants to.

(Note: I still think A16Z should have paid them.)

mynameisvlad
14 replies
2h37m

Why should it be an onus on the researcher to find this information? It should be plainly provided in the first place.

Someone shouldn’t have to jump through hoops to help the company secure its resources. That is not how this works.

dmix
8 replies
2h31m

Trying more than one email is not jumping through hoops when it's one of the worst possible vulnerabilities hitting all of their databases/platforms. Being a researcher means being an adult and having a basic level of responsibility. Just like being a gun owner, it's a powerful tool that needs to be treated with utmost respect.

A lot of pentesters are just kids who are angry at the world and the poor state of security, which I get, but it's not a huge barrier to try a bit more. He would have been rewarded if he did.

mynameisvlad
3 replies
2h26m

A researcher should not have to “try different emails”. Period. There should be a clearly disclosed email provided by the company to report such issues. Very obviously plastered. Or just use the standard abuse@, security@, infosec@, etc.

It is by far in the company’s best interests for this to happen because the alternative is public disclosure or disclosure to black hats instead.

Anything more is jumping through hoops. It should not be the researcher’s responsibility or burden to go out of their way to help a company that hasn’t done the bare minimum to welcome white hats helping them secure their own systems.

dmix
2 replies
2h20m

Yes of course companies should do that, but in the real world a lot of companies don't think to do that, especially a marketing site for a VC firm.

Any dev knows what it's like having a million responsibilities, a lot of things get put on TODO lists that never get completed. Them being owned by a wealthy company doesn't mean they have a huge dev team running 24/7 to handle this stuff. Which is probably why such an obvious failure even happened...

Security researchers get high and mighty extremely quickly, which is immature IMO.

pixl97
0 replies
2h0m

WTF is this thinking?

Any dev knows what it's like having a million responsibilities,

Any airplane mechanic has a million responsibilities, and if they are not followed people fucking die. Maybe software devs should step up and take a little responsibility for their lack of action that can have consequences for their users.

Security researchers owe you nothing. If you make the path of least resistance selling sploits to blackhat groups the world will be a worse place.

dghlsakjg
0 replies
52m

The security researcher in this case worked for free to find a hole in their security, reached out via a provided email address, had that bounce, so then chose to reach out via a different messaging system to let them know that there was an issue. ALL OF THIS WAS UNPAID. They have 0 or less responsibility to this firm. The researcher was doing them a huge favor.

Security researchers get high and mighty extremely quickly, which is immature IMO.

Immature would have been not trying to responsibly disclose this, or disclosing the hole before it was patched.

TheRealPomax
3 replies
2h17m

Alright then: you go to Andreessen Horowitz's website[1] and see if you can find a SINGLE email address in any of the normal places a business would list the (not-social-media) contact information. Because they did their damnedest to make sure you won't find any.

[1] https://a16z.com/

dmix
2 replies
2h5m

I already linked to them in my comment below

Click nav

click “how to connect with us” -> https://a16z.com/connect/

See 4 emails at the bottom for each office

See 4 links to social media pages where every single one has DMs open

Wait at least a couple business days to see if anyone replies, if no one does or it’s not being taken seriously then you can announce it publicly on social media you found something but can’t reach them

mynameisvlad
0 replies
1h50m

Huge effort, I know

Okay. There’s 4 front office emails and 4 social media accounts, both presumably manned by non-technical folks.

So now you have to go back and forth just to get routed to the right place. Which may not even happen if this is the first time that employee handled a security incident.

You’re making it sound like sending the email or DM is the end of the work. That is usually far from the case.

TheRealPomax
0 replies
1h25m

Emailing an office manager with a company security issue would be incredibly irresponsible. They're in charge of managing the physical office and are about as "outside" as you can get in a company while still being employed by that company.

nlh
4 replies
2h29m

I don't think the onus should be on the researcher, and I think A16Z should have paid them. But if they actually wanted to get in touch, I'm just saying they could have.

If they're putting the effort into vuln scanning the site, they can also put in the effort to get in touch like a professional. You could just as easily say "why should the onus be on the researcher to find vulnerabilities when it's A16Z's job to secure their own site". The researcher is in this to find holes and make a few bucks (which is fine!). The job is complete when you get in touch.

mynameisvlad
2 replies
2h22m

You could just as easily say "why should the onus be on the researcher to find vulnerabilities when it's A16Z's job to secure their own site". The researcher is in this to find holes and make a few bucks (which is fine!). The job is complete when you get in touch.

Presumably, the company wants to be as secure as possible. It’s in their best interest to make this process as painless as possible. A security researcher has many options for what to do with a found exploit, some far less moral than others. The company has very few, relatively. They are the ones that are limited and therefore should be doing everything in their power to ensure the best outcome, a responsible disclosure that is fixed as quickly as possible.

The best way to ensure they do this is to provide an obvious, easy to find avenue for these things. This includes reasonable, well-displayed emails (or using something like a standard abuse@, etc) and a bug bounty.

Simply put, the company is the one that should be going out of their way or else they will just have researchers either disclosing it publicly or selling the exploit for likely far more money than a bug bounty.

nlh
1 replies
1h57m

I understand where you're coming from, but you're using "should" a lot. Companies should do a lot of things! They should make their sites secure. They should have a formal bug bounty program. They should have security@ and engineering@ and lots of other emails easily visible. We agree.

But many don't. And a lot of things in the business world are not as they should be. And in this real world of imperfection, others sometimes need to put in effort (and be paid for that effort) to make up for the failings of companies. This is one of those cases of imperfection.

mynameisvlad
0 replies
1h55m

Of course I’m using “should” a lot. Because “should” clearly didn’t happen.

That doesn’t change anything. Just because a company has shitty security reporting practices doesn’t suddenly mean the onus is on the researcher to do the company’s job.

dghlsakjg
0 replies
48m

If they're putting the effort into vuln scanning the site, they can also put in the effort to get in touch like a professional.

They did. They emailed, and when that was bounced, they used a different medium to reach out. Twitter is a place that many companies actively engage with the public.

The job is complete when you get in touch.

They got in touch. If A16Z aren't going to respond to people via email, but they do on twitter, they don't get to decide that twitter isn't a viable communication platform.

asopd
2 replies
2h57m

Exactly, if he even just browsed their website a bit he'd have stumbled across loads of email addresses that could have been a useful point of contact.

dmix
1 replies
2h46m

It’s more fun getting attention by doing it publicly and being the victim (security researchers love hitting the 'nobody respects us' button) than putting basic effort in.

A single email bouncing is frustrating of course, but he then posted that an easily found vulnerability existed on Twitter, while a16z:

- has a contact page https://a16z.com/connect/ with 4x emails to their offices at the bottom (despite claims the main site had no other emails)

- links to their Twitter where DMs are open https://x.com/a16z same with instagram, FB, and linkedin, all open

it would be easy to just email all of them at once and wait a couple of days to see if it gets escalated.

asopd
0 replies
1h44m

Funny how we're both being downvoted just for pointing out inconvenient facts.

fanf2
0 replies
2h4m

They said they got in contact via Twitter, but a16z didn’t like that.

hugoromano
2 replies
2h54m

This is what you expect from VCs. I always prefer to report these incidents to GDPR authorities if user data is leaked. Then they pay the fines and some get a criminal record. Money is something VCs “print” and manipulate.

istinetz
1 replies
2h9m

Implying the Eu will actually do anything at all whatsoever upon reporting a gdpr issue

Money is something VCs “print” and manipulate.

You wot m8

hugoromano
0 replies
1h21m

It is the member state authority; although EU GDPR is a Directive, it is up to the member state. It doesn’t just apply to the EU, it can be the UK ICO.

chefandy
1 replies
3h18m

All sorts of cleverness going on there. I'll bet they saved a ton of money on development by lowballing people on fiverr or whatever they did, and indirectly they'll also save a ton on bookkeeping when a russian ransomware group effortlessly takes them for everything they have.

HelloNurse
0 replies
1h33m

Even more bookkeeping will be saved with lost business opportunities.

bufferoverflow
1 replies
3h19m

But it also teaches security researchers to sell that info next time instead of reporting.

reducesuffering
0 replies
1h20m

Seriously, if anyone from a16z is reading this, all you're doing is incentivizing the next exploit to be sold and used against you.

ko_pivot
23 replies
3h29m

Sincere question: how do you actually make this mistake while having the skills to build a web app of this complexity level? All the frontend and full stack frameworks that I’m familiar with try pretty hard to stop you.

pavel_lishin
6 replies
3h24m

It only takes a single mistake.

A little tired because you didn't sleep well, or worried about a relative in the hospital, or you stubbed your toe that morning and it's distracting... and whoops.

crngefest
2 replies
3h7m

Whoops I accidentally exposed all API keys ever to the public.

No really this is unacceptable for a professional, it’s even bad for an amateur.

If your processes are so insecure that a little tired breaks your whole company you done goofed.

devin
1 replies
1h31m

Yes, the answer must be additional processes and procedures. That way, you’ll never make a mistake! /s

Also bizarre to frame this as “unacceptable behavior”, as if whoever is involved was in some way aware of their mistake and/or would say “this is acceptable behavior!” when confronted with it or something.

crngefest
0 replies
33m

GP framed leaking all your keys as something that happens when you are tired or distracted.

This is unacceptable behaviour for a professional in my eyes.

bee_rider
2 replies
2h49m

Perhaps some processes should be put into place to make exposing the entire company into a multi-step failure?

pavel_lishin
0 replies
2h11m

Perhaps some already exist.

But if they have five security processes that each has a 99% chance of catching a bug, that's still a 1-in-10,000 chance that something will slip through. And I'd wager that a16z has more than 10,000 "components" that go through those processes.

dpkirchner
0 replies
34m

I've considered tracing outgoing responses from nginx/traefik/whatever to watch for known API keys. The difficulty would be identifying the keys amongst the noise.

krig
5 replies
3h24m

I’ve seen people make exactly this mistake with Next.js. IMO React server components is a fantastic tool for losing track of what’s exposed client side and what isn’t.

duggan
4 replies
3h19m

Next.js makes you prefix env vars with NEXT_PUBLIC_ if you want them to be available client side, and Vercel has warning flags around it when you paste in those keys.

It's obviously not foolproof, but it's a good effort.

krig
3 replies
2h40m

That’s env vars, but not actual variables - it’s really easy (if you are not actively context aware) to f.ex. pass a ”user” object from a server context into a client component and expose passwords etc to the client side.

leerob
1 replies
1h55m

If you add `import "server-only"` to the file, it will fail to compile if you try to use it on the client. React also has more fine-grained options where you can “taint” objects (yes, that’s the real name).

krig
0 replies
17m

Yeah, the problem is that these mitigations require the developer to be context aware, ”server-only” only saves you in the positive case where you correctly tagged your sensitive code as such. The default case is to expose anything without asking. I have also seen developers simply marking everything as ”use client” because then things ”just work” and the compiler stops complaining about useState in a server context etc.

duggan
0 replies
2h33m

That's a fair point! It definitely feels easier to make that mistake, and anything where context and discipline is required is a good candidate for making some horrifying blunders :)

gumby
3 replies
3h17m

Ever had a bug in code you wrote?

mrcode007
2 replies
2h26m

Not of this kind

devin
1 replies
1h30m

That you’re aware of.

mrcode007
0 replies
34m

I come from security background and have been following best practices since 1997 so I’m pretty sure I have not made a blunder of this sort

davidchang
3 replies
2h59m

my guess is internal tool that wasn't expected to be exposed publicly.

additionally, i didn't realize there are tools to automatically discover unreferenced subdomains like this. i would have just assumed security by obscurity

ndriscoll
1 replies
2h48m

Presumably it's from certificate transparency logs. That's one reason I do not use TLS for my personal hosting.

VTimofeenko
0 replies
2h32m

Let's Encrypt allows issuing wildcards which is what quite a number of folks use for self-hosted services

duggan
0 replies
2h27m

If one person learns this lesson it's good. If it's on the public Internet, best to expect it will be found. Stick it behind an auth wall of some sort.

I've put internal sites behind AWS ALB's plugged into an OIDC provider[1] (Google), which works well.

1: https://docs.aws.amazon.com/elasticloadbalancing/latest/appl...

jimkoen
0 replies
3h8m

how do you actually make this mistake while having the skills to build a web app of this complexity level?

By not building this yourself and instead outsourcing the work to India, to people that work for 4.00$/h

And I'm not blaming the person that has to work for this little cash for delivering shoddy work like this.

cedws
0 replies
3h24m

Don’t mistake complexity for intelligence.

xyst
17 replies
3h30m

when companies say they are “hacked”, it’s now a corporate term for “we were negligent in securing important credentials, but please shift blame to this no-name entity we called a ‘hacker’”

miki123211
16 replies
3h20m

If you accidentally leave your front door wide open and somebody steals all your stuff, you'll also say that you were robbed.

There might be a legal distinction between "breaking and entering", "burglary", "trespassing" etc, and in a legal sense, whether the front door was open might have some impact on whether the act was illegal or not and what the consequences are, but in colloquial usage, you've still been robbed.

crngefest
9 replies
3h11m

If you put all your stuff on your front porch with a sign “please take what you want” and it’s all gone the next day - then you can’t say you were robbed.

I think this is a more apt analogy to what a16z did here

rblatz
3 replies
2h58m

Using those credentials is still a violation of the CFAA, no reasonable person would think they were invited to access the systems protected by those credentials.

pixl97
2 replies
1h48m

Yea, I'm sure the Russian/China/NK/Iran hackers are deeply afraid of the CFAA, you got them shaking dude (and vice versa when someone in the US hacks one of their sites).

The particular problem here is we think of the crime on the web in a civil/criminal manner... "People should just follow the law or be punished for a crime". This is not the internet. Regardless of what you think about the internet, it is an international war zone. If you leave the hatch of a tank open and a drone blows it up, that was you being stupid. If you leave an ammunition truck unguarded and the enemy takes it, again, that is you being stupid.

History will look back and say WWIII started on the web, but as of now it seems a huge number of people are in denial about it.

rblatz
1 replies
1h14m

None of this at all applies to this thread. It’s true, but also irrelevant to this discussion being had.

pixl97
0 replies
39m

All of this applies to this thread.

Do you cultivate vines with fruit, or do you cultivate brambles and eat thorns?

Remember white hats don't need to exist. Black hats will exist by the very nature they are parasitic and thrive where exploits exist. We can either have a community that warns you that "Hey, the stuff on your porch is going to get stolen" or we can have a community that calls their buddy when they see some stuff fresh for the taking.

A huge portion of these discussions under this article are people arguing the minutia of a puddle in the lawn while a 10 meter high tsunami is rushing their way.

sparky_z
1 replies
3h3m

There's no analog for the sign. You just put it in because without it your scenario still feels like theft (because it is) and you end up arguing against your own point.

crngefest
0 replies
2h30m

That is fair enough, I guess it’s not a great analogy overall.

But IMHO it’s hard to feel too bad for someone (a16z in this case) who handles their arguably most valuable goods in such a manner and gets robbed.

qup
1 replies
3h0m

More like if they kept their wallets in an open basket on the porch.

It's not an invitation to take it, it's just really stupid.

crngefest
0 replies
2h30m

Yes that would have been a much better analogy.

bee_rider
0 replies
2h56m

IMO these sorts of analogies to houses and porches don’t really work because there are just different cultural norms between websites and porches.

If there were a convention of leaving stuff on your porch to donate it, and a general assumption that when people left stuff on their porch it was up for grabs, somebody started storing their groceries there, and they were taken… they would just be stupid and not sympathetic.

If somebody just moved to a neighborhood where this was tradition and didn’t know about it, they would rightly be a little bit annoyed when the groceries they stored on their porch were taken, but really they only have themselves to blame for not understanding the local conventions.

If somebody opens up a storage company and then just puts all the customers’ stuff on one of these porches, they are just dangerously, unethically incompetent. Even if there isn’t a convention of taking stuff from porches, actually. Because there are also armed gangs (nation-states) that go check out people’s porches for secrets.

malf
1 replies
3h1m

If I leave other people’s stuff that I promised to take care of on the street and it gets stolen, I would be to blame.

s1artibartfast
0 replies
2h57m

blame isn't mutually exclusive. you can still blame the person that stole it too!

rootusrootus
0 replies
2h52m

might have some impact on whether the act was illegal or not

Only the burglary, trespassing, or B&E parts. Theft is still theft even if you leave your doors unlocked and/or open.

oasisbob
0 replies
2h5m

Well, other legal distinctions aside, robbery is taking things by threat of force.

If someone doesn't know they've been a victim of larceny until later, it wasn't a robbery.

cromulent
0 replies
1h44m

Good analogy, from a personal perspective.

In this case, a person was yelling through the front door "Your door is wide open!" and no-one was listening.

For a 42B AUM company, at a time where running an IT operation means "use CrowdStrike so that you pass audits", leaving the front door open all night should get you fired, regardless of whether you blame hackers or not.

bobmcnamara
0 replies
3h12m

More like complaining when your teenager takes a break from mowing on trash day and leaves the mower next to the trash and someone takes it.

xg15
11 replies
3h13m

i like to do this thing where i search twitter, looking for companies, and then try giving them a quick pentest. i've done a lot of my hacks this way and its more effective than you think it is.

Ah yes, the classic surprise pentest by unappointed security researchers. I too, as the good samaritan that I am, like to stroll through my neighborhood and give all the cars and bikes I encounter a quick pentest, purely for the benefits of the owners of course.

I remember there was an article "the six dumbest ideas in computer security" on HN a while ago, one of those was the mindset that "hacking is cool". I'm reminded a bit of this here.

crngefest
3 replies
3h6m

Well it could be this person that is professional and does not sell all your data to North Korean ransomware gangs - or it could be the one that does.

Which one do you prefer?

Lvl999Noob
2 replies
2h59m

I (we) would obviously prefer the professional person who is doing good for society. The problem is, this behaviour isn't good for them. I am not an expert or anything but from what I know, pentesting without explicit prior permissions can easily lead to huge lawsuits. I would rather that the careless people get their cars stolen than the good people all lose heart completely.

fermisea
0 replies
2h21m

One thing is true about what you said: you're definitely not an expert.

crngefest
0 replies
2h34m

Sure there is no perfect solution here. I guess it’s a good idea to only pentest companies that do have a bug bounty program and an expressed interest in you pentesting.

While I enjoyed the article that GP referenced and agreed with most things, I thought the “hacking bad” take was a bit off.

bdowling
2 replies
2h22m

I too, as the good samaritan that I am, like to stroll through my neighborhood and give all the cars and bikes I encounter a quick pentest, purely for the benefits of the owners of course.

In my neighborhood, "security researchers" can often be seen checking houses for vulnerabilities. During the day, it's usually a woman or a kid with a clipboard who knocks on front doors, checks for cameras, tests if the front door is locked, etc. I'm told they work with crews of men who will come back later to do a more thorough investigation when everyone is gone so as not to bother the homeowner.

Every night, there are other "security researchers" who test all the doors of all the cars parked on the street and in driveways. If you leave your car door unlocked just once, you'll be informed about it the next morning!

It's really something to live in these times!

pavel_lishin
1 replies
2h9m

"These times" have been around since house doors had locks.

bdowling
0 replies
1h46m

Whoosh

jimkoen
0 replies
3h4m

And so you're just going to dismiss the modern reality of cybersecurity threats?

"What happened to the good old days when we could all leave our cars and homes unlocked.."

Yeah no.

i_am_jl
0 replies
1h27m

I remember there was an article "the six dumbest ideas in computer security" on HN a while ago, one of those was the mindset that "hacking is cool". I'm reminded a bit of this here.

Half of that post is unhinged nonsense. "Hacking is Cool" is listed right after a rant about pentesting being dumb because your software should just be designed to be secure.

asopd
0 replies
1h39m

Having a curious look is alright but it's the "beg bounty" attitude that these researchers need to rein in. It's like the sponge-and-bucket guy washing your grimy windscreen without you asking while you wait at the lights, then demanding cash for it. Thanks but no thanks.

TechDebtDevin
0 replies
3h4m

Damn, maybe just go back to sleep and try waking up on the otherside of the bed.

This is normal behavior for bug hunters and I don't think they're doing it because 'it's cool". They do this for a living.

cj
6 replies
3h15m

If you could actually access their Salesforce instance, that would be very nerve-wracking for founders, since usually Salesforce, etc., logs emails which may contain unannounced fundraising plans or M&A plans that haven’t been shared externally by portfolio company founders.

rvnx
4 replies
2h58m

Collecting the keys from a public source-code of a web page is legal (and can be safely reported).

Using these keys to access unauthorized systems is a crime.

This is a major difference.

mcfedr
1 replies
56m

How can it possibly be a crime? They literally gave the keys to everyone who accessed their website

davidgay
0 replies
10m

You (unintentionally) drop your house key in front of your door. Now we can all freely enter your house! It can't be trespassing with the key sitting right there, can it?

pixl97
0 replies
1h42m

Oh no CRIME! Thank goodness that something being a crime stops people from committing them.

Thank goodness the internet isn't an international operation filled with nation state level actors and questionable companies running data gathering operations from places they cannot be touched.

Always assume your data has been stolen by an assailant in a place that's only reachable by launching nukes at them. Also assume there is some competitor on the other side of the world now using your data against you.

Please stop treating data theft like Barney Fife level candy store theft. A huge portion of the time even if you know the name of the exact person who did it, there isn't going to be shit you can do about it.

devin
0 replies
1h40m

Parent comment never suggested it was legal. They said it would be bad if this info was in their SalesForce and they leaked the key, which they did.

Quarrel
0 replies
3h2m

It would also be pretty damaging if it includes their LPs.

wouldbecouldbe
5 replies
3h30m

I made a similar mistake actually.

We used a nodejs cms called apostrophecms that had an admin panel called global settings.

We used that for managing api keys to our auth server.

We only found out a few months in that it was output in the HTML source code. They did this so it was available to JS; of course it was in their docs. So not blaming them. We glossed over it.

Annoyingly we paid a reasonable amount of money for a pen test with one of the big consultancy companies but they also didn’t see it.

I ended up finding it and, checking the logs, it seems like it wasn’t abused, but it was shocking and a big leak.

IshKebab
2 replies
2h34m

it was in their docs. So not blaming them. We glossed over it.

You should be blaming them. You can't excuse dangerous behaviour by documenting it. I feel like this lesson should be known by now.

suzzer99
0 replies
2h18m

If the panel setting was specifically for API keys, then yes, that's on apostrophecms.

If it's just some kind of generic settings with name/value pairs, then it might make sense to expose those to the browser, and make that very clear up front.
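The pattern described in the two comments above (a CMS "global settings" bag that is serialised whole into the page for client-side JS, so an API key stored there is served to every visitor) is easy to both prevent and detect. The following is an added example, not code from apostrophecms or from the commenter's project: it keeps an explicit allowlist of settings that may reach the browser, renders only those into the inline script, and runs a secret check over the rendered HTML so a CI test or response filter can fail on a leak. The setting names, the `sk_live_` key shape and all key values are constructed; only the `AKIA` prefix of AWS access key IDs is a documented format.

```python
"""Keep secrets out of server-rendered HTML, and check the output.

Added example (not code from apostrophecms or from the commenter's project).
Names such as SETTINGS, render_global_settings and the sample key values
are constructed for illustration.
"""
import json
import re

# Constructed sample of a "global settings" store as a CMS might hold it:
# everything in one name/value bag, which is the failure mode described above.
SETTINGS = {
    "site_title": "Example Corp",
    "twitter_handle": "@examplecorp",
    "auth_server_url": "https://auth.example.invalid",
    "auth_api_key": "sk_live_EXAMPLE0123456789abcdef",   # constructed, not a real key
    "aws_access_key_id": "AKIAEXAMPLEEXAMPLE12",         # constructed, not a real key
}

# Allowlist of settings that are meant to reach the browser. Anything not
# listed here never leaves the server, whatever the admin panel holds.
PUBLIC_SETTINGS = frozenset({"site_title", "twitter_handle", "auth_server_url"})


def public_view(settings: dict) -> dict:
    """Return only the settings explicitly marked safe for the client."""
    return {k: v for k, v in settings.items() if k in PUBLIC_SETTINGS}


def render_global_settings(settings: dict, *, allowlist: bool = True) -> str:
    """Serialise settings into an inline <script> tag.

    allowlist=False reproduces the leaky behaviour (whole bag into the HTML);
    allowlist=True is the hardened form.
    """
    data = public_view(settings) if allowlist else settings
    payload = json.dumps(data).replace("</", "<\\/")  # no early </script> close
    return f"<script>window.globalSettings = {payload};</script>"


# Patterns a response-side secret check can look for. The "AKIA" prefix of
# AWS access key IDs is a documented format; the sk_live_ prefix is a
# constructed stand-in for vendor-style API keys.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "vendor_api_key": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
}


def find_leaked_secrets(html: str, known_secrets=()) -> list:
    """Flag known secret values and secret-shaped strings present in HTML.

    Returns a list of labels so the caller (a CI test or a response filter)
    can fail the build or the request.
    """
    findings = []
    for secret in known_secrets:
        if secret and secret in html:
            findings.append(f"known-secret:{secret[:8]}...")
    for label, pattern in SECRET_PATTERNS.items():
        if pattern.search(html):
            findings.append(f"pattern:{label}")
    return findings


def check_render(settings: dict, *, allowlist: bool) -> list:
    """Render the settings and report what would leak to every visitor."""
    html = render_global_settings(settings, allowlist=allowlist)
    # Every non-public setting is treated as a secret for the known-value check.
    secrets = [v for k, v in settings.items() if k not in PUBLIC_SETTINGS]
    return find_leaked_secrets(html, known_secrets=secrets)


if __name__ == "__main__":
    print("leaky render:", check_render(SETTINGS, allowlist=False))
    print("hardened render:", check_render(SETTINGS, allowlist=True))
```

The allowlist is the real fix: a generic name/value panel can still be exposed to the browser, but only through a list someone has to consciously extend. The pattern check is a second line of defence for the case the comments describe, where a key ends up in a "public" field anyway, and it is cheap enough to run against every rendered page in a test suite.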

spookie
0 replies
1h58m

We always need to do our due diligence when using someone else's project. It's an open source project, available for free.

If they weren't very clear in the docs is one thing, but it doesn't appear so. Anyway, we won't combat these types of shenanigans by assuming others did everything up to snuff. We gotta be more careful ourselves.

samtho
0 replies
2h11m

Why were you using a web-based content management system for secret management?

mcfedr
0 replies
58m

I think I'd be looking for at least a refund on that pen test. I've never come across one that was any more than a box-ticking exercise.

tux3
4 replies
3h37m

    >a16z did not give me any bug bounty on this because of the fact i publicly reached out instead of trying to reach out privately. the only reason i did it this way was because:
    >    there was no available contact on their main site
    >    the email i could find engineering@a16z.com bounced my emails
The age-old practice of screwing over security researchers over any possible technicality is still alive and well. Brings tears to my eyes.

newyankee
1 replies
2h0m

Any legal basis to challenge this practice? If a company claims that they pay bug bounties but use flimsy reasons like this to chicken out of seemingly genuine cases like these

pixl97
0 replies
1h35m

I'm guessing no, and even if there was they could make the litigation costs very high.

The sad thing here is what has to happen is the data needs to be sold off to blackhats to the point that entire countries get pissed and start putting near-draconian-level regulations and fines against companies like this to get them to stop this insecure bullshit.

hpeter
0 replies
2h7m

It only gets worse when the company that published their environment variables sues the security researchers for finding it. It happens.

Salgat
0 replies
2h23m

Just a heads up, another comment was posted here that shows right on their website's contact page a list of e-mails for contacting them.

Havoc
4 replies
3h35m

Pretty shitty to not even give a token amount bounty for such a broad hole

spyspy
3 replies
3h11m

The next time someone finds their keys, they're going to find this article and commit them to a public github repo instead...

Deathmax
2 replies
2h46m

You don't want to push secrets in their raw form on GitHub, secret scanning would disable keys from supported providers.

pixl97
0 replies
1h57m

Yea, they aren't going up on GH, they are going up on sketchy-site . ru

fragmede
0 replies
52m

that's the point

llmblockchain
3 replies
2h41m

It's pretty shocking how many commenters are blaming the individual for not "trying harder" to find contact information. It's pretty clear a16z didn't want to pay anything or appreciate the disclosure at all.

Finding random email addresses and sending them a notice would have gone nowhere other than spam folders. I get dozens of "disclosures" every week from mostly script kiddies that think my DKIM setting is somehow going to be the end of my business. My brain automatically ignores emails like it.

mrcode007
2 replies
2h25m

I’m surprised there is almost no discussion about the severity of reputational damage caused by an extremely amateur bug not expected of a prominent VC firm.

llmblockchain
0 replies
2h2m

Yes... In my mind, there are three kinds of security bugs.

1. Caused by pure ignorance and completely avoidable (this bug).

2. Caused by subtle configurations, workflows, programming (mostly avoidable, secret scanning, security linters, code reviews, general intelligence, etc). This is where 99% of security bugs are.

3. Caused by a malicious actor aligning planets with a single intent to maximize their cause. You'll never stop these people (three letter agencies, state actors).

edit:

A must watch talk https://vimeo.com/95066828

altthrow24
0 replies
1h12m

Probably because a16z's reputation has already been quite tarnished in recent years. This is par for the course. People will still take their massive bags of money and name brand boost but "these are smart, technical, 'making the world a better place' visionaries" as opposed to wealth chasing bankers, has already run the gamut.

See crypto, Clubhouse, "it's time to build [not in my Atherton neighborhood]", e/acc Nick Land manifesto, Trump '24 support, etc.

j-bos
3 replies
2h46m

The fact that this VC firm didn't provide bug bounty for such a gaping hole does not instill trust.

renewiltord
2 replies
2h27m

Yes, if they can’t do web development what does that say about their ability to deploy capital?

pavel_lishin
1 replies
2h12m

If my endodontist can't rebuild a car engine, what does that say about his ability to perform a root canal?

Turns out, not much.

kjkjadksj
0 replies
1h17m

Not a great analogy. It's more like if your endodontist hired a secretary who leaves the medical records unlocked: do you really trust them to be up to date with modern dental sensibilities when the rest of their office is run so carelessly?

paxys
2 replies
2h22m

Stuff like this is what gives the entire security and white hat community a bad name.

1. "Surprise pentests" are illegal in the US and pretty much every jurisdiction in the world. If you are actively breaking into websites without a prior agreement, you are not doing anyone a favor. Save your efforts for companies that actually want you.

2. If the company doesn't have a published bug bounty program, they don't owe you anything. Yes they can still be nice and pay you, but they definitely won't if you disclose the vulnerability to the rest of the world without giving them a heads up and enough time to fix it.

3. "Oh I couldn't find an email address" is the worst excuse in the world. I found one after exactly 5 seconds of Googling (at the bottom of https://a16z.com/connect). And even otherwise there's Twitter, Instagram, LinkedIn and a hundred other ways to reach someone at the company if you really want to.

This is a classic case of clout chasing over responsible disclosure.

csmpltn
0 replies
50m

They viewed the source code.

No.

"i like to do this thing where i search twitter, looking for companies, and then try giving them a quick pentest"

"the compromised list of services: their database (containing PII), their AWS, their salesforce (never checked, account may be limited), mailgun (arbitrary emails from a16z domains, and also could read older emails) ... and probably more"

By their own admission, this is a "pentest", and they were able to access a16z's "database" and ascertain that it contains PII. Amongst other services used by a16z.

I'm not the one to judge whether they crossed any legal (or moral) lines though.

hpen
2 replies
2h35m

Wait, do hackers feel entitled to money for finding security holes, even if there was never any signal of such reward?

hpen
1 replies
1h49m

Ha my actual question was downvoted. I guess people are as entitled as they say.

hpen
0 replies
30m

Actually, I think entitlement is the wrong word. Maybe more like "window washing panhandler who's upset because you don't give them money for their service"

ai4ever
2 replies
3h29m

they are busy writing a giant "architecture of generative AI" whitepaper. give them a pause, they are dreaming a future agentic world of half-assed chatbots.

while the world burns with botched software updates.

xyst
0 replies
3h15m

world is already burning with effects of climate change.

botched software updates on a Friday is just the chef’s kiss

stefan_
0 replies
1h45m

engineering@a16z.com bounced my emails

No surprise there.

xyst
1 replies
3h18m

When I create a new service and add a LetsEncrypt cert to the server via ACME, I immediately see logs filled with junk, obviously bots searching for shitty defaults that devs might leave open. I have even seen requests for the process env file lol.

How was such a vuln not found and abused in this case? a16z is very lucky, or maybe it was abused and not disclosed. A researcher or bored person with a kind heart/white hat hacker mindset is the first to reach out.

a16z should be fined heavily; unfortunately there is no legal framework for this type of negligence.
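The background noise described above (automated requests for `.env`, `.git/config` and similar files within minutes of a new host getting a certificate) is also the cheapest detection signal a site owner has: a request for one of those paths is always reconnaissance, and one that is answered with anything other than an error means the file is actually reachable. The following is an added example, not from the commenter or from any named project: it parses Common Log Format lines, counts probe requests per client and reports probes that were answered. The log lines are constructed, the client addresses are RFC 5737 documentation addresses, and the probe path list is a small illustrative set rather than a complete one.

```python
"""Spot automated probing for exposed config files in a web access log.

Added example, not from the commenter or from any named project. The log
lines below are constructed in Common Log Format; the client IPs are
documentation-range addresses (RFC 5737).
"""
import re
from collections import defaultdict
from typing import Optional

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a legitimate visitor of a marketing site never asks for. Any request
# for them is reconnaissance; a non-error answer is an exposure.
PROBE_PATTERNS = [
    re.compile(r"(^|/)\.env(\.[a-z]+)?$"),        # .env, .env.local, ...
    re.compile(r"(^|/)\.git/"),                     # .git/config, .git/HEAD
    re.compile(r"(^|/)\.aws/credentials$"),
    re.compile(r"(^|/)(phpinfo|info)\.php$"),
    re.compile(r"(^|/)(wp-login|xmlrpc)\.php$"),
    re.compile(r"(^|/)config\.(json|yml|yaml)$"),
]

# Constructed sample log: one scanner probing and getting 404s, one ordinary
# visitor, and one probe that was answered with 200 (the alarming case).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2024:03:14:01 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.7 - - [19/Jul/2024:03:14:02 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [19/Jul/2024:03:14:02 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.7 - - [19/Jul/2024:03:14:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.23 - - [19/Jul/2024:03:20:45 +0000] "GET /about HTTP/1.1" 200 8891
198.51.100.23 - - [19/Jul/2024:03:20:46 +0000] "GET /static/app.js HTTP/1.1" 200 120034
192.0.2.99 - - [19/Jul/2024:04:02:10 +0000] "GET /api/.env HTTP/1.1" 200 412
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one Common Log Format line; None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path: str) -> bool:
    """True if the request path (query string ignored) is a known probe target."""
    path = path.split("?", 1)[0]
    return any(p.search(path) for p in PROBE_PATTERNS)


def analyse(log_text: str) -> dict:
    """Summarise probes per client and list probes that were answered.

    Returns {"probes_by_ip": {ip: count}, "exposures": [(ip, path, status)]}.
    An exposure is a probe path answered with anything other than 403/404/410:
    the file the bot asked for appears to exist and be readable.
    """
    probes_by_ip = defaultdict(int)
    exposures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        probes_by_ip[rec["ip"]] += 1
        if rec["status"] not in (403, 404, 410):
            exposures.append((rec["ip"], rec["path"], rec["status"]))
    return {"probes_by_ip": dict(probes_by_ip), "exposures": exposures}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, n in sorted(result["probes_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} probe request(s)")
    for ip, path, status in result["exposures"]:
        print(f"EXPOSURE: {ip} fetched {path} -> HTTP {status}")
```

The per-client counts are mostly noise and only worth a rate limit or a block; the `exposures` list is the part to alert on, because it is the server itself confirming that a file which should never be served was served.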

Quarrel
0 replies
3h4m

How was such a vuln not found and abused in this case?

Maybe it was..

There might have been more value in leaving this one open than just screwing with them.

very_good_man
1 replies
2h28m

how do I disable the cat following my cursor animation on your website? how insanely distracting

neilv
0 replies
2h9m

uBlock Origin -> Dashboard -> My Filters -> add the line:

    ||www.kibty.town/files/js/oneko.js^$important

udev4096
1 replies
1h49m

The HN mods changed the title to a less embarrassing one. Not surprised

tux3
0 replies
1h44m

Oh, my comment must have been too critical of a16z as well. I see it has been moved from top to way bottom without a score change.

That's certainly one way to offer a response!

davedx
1 replies
3h27m

Maybe they should have installed CrowdStrike

avery17
0 replies
3h23m

Can't get hacked if you're bluescreened.

throw16z
0 replies
29m

even web3 could protect a16z, ugh, that's very bad

sourcecodeplz
0 replies
18m

Too much javascript for everything (front & back) seems easy but for new developers it kind of blurs the lines between what should be on the server vs the client.

quantified
0 replies
3h26m

Isn't it fairly easy to get an address like marca's? I'm sure anyone who is responsible for the place would make the connection to IT security.

nuz
0 replies
2h44m

I like lower case tweets and texts but lower case in articles like this is just ridiculous (and trying too hard to be cool)

localfirst
0 replies
3h1m

a16z did not give me any bug bounty on this because of the fact i publicly reached out instead of trying to reach out privately.

I just don't understand this petty attitude. This almost guarantees that next time somebody finds a vulnerability with a16z or any of its companies they will seek black market rewards that will do far more damage.

This is just like when KakaoTalk refused to payout bug bounty because you had to be a Korean citizen which ended up causing more vulnerabilities to be discovered in the wild.

Companies and billionaires reading this, please don't be petty like Andreessen. Guy went from a leader to a borderline security fraud artist. You don't want to be earning more ire from the public in the current political climate. It's dangerous.

kva
0 replies
3h1m

Hopefully Martin Casado or one of the other awesome open source folks from a16z will take a look at this and make the person whole!

ilrwbwrkhv
0 replies
3h19m

Crypto bullshit - a16z pipeline is a great reflection of a16z as a firm.

ent101
0 replies
3h37m

When we released our open-source project[1], this hacker (Eva) pentested our project pretty extensively and was very professional in their disclosures. They didn't even ask for a bounty since we didn't have a program back then!

Eva is an incredibly gifted hacker and a responsible one, a16z should treat them better.

[1]: https://github.com/heyPuter/puter/

cromulent
0 replies
1h49m

It's really hard to generate "all due respect" for a16z.

asopd
0 replies
3h3m

I'm surprised he didn't try harder to contact someone in the company privately.

Surely any contact would have sufficed to at least try to get an introduction to their security team?

If you browse their website there are loads of email addresses for various offices and divisions.

JCharante
0 replies
3h35m

I agree that the bounty outcome is unfair.

Capricorn2481
0 replies
2h54m

From the techcrunch article:

“On June 30th, a16z addressed a misconfiguration in a web app that is used for the specific use case of updating publicly available information on our website such as company logos and social media profiles. The issue was resolved quickly and no sensitive data was compromised,”

What the fuck is this? They are blatantly lying here. There was a lot of sensitive data compromised. Anyone who inspected the site could have had access to everyone's emails.