hckrnws
This feels so emblematic of our current era. VC funded vibe coded AI documentation startup somehow gets big name customers who don't properly vet the security of the platform, ship a massive vulnerability that could pwn millions of users and the person who reports the vulnerability gets...$5k.
If I recall last week Mintlify wrote a blog post showcasing their impressive(ly complicated) caching architecture. Pretending like they were doing real engineering, when it turns out nobody there seems to know what they're doing, but they've managed to convince some big names to use them.
Man, it's like everything I hate about modern tech. Good job Eva for finding this one. Starting to think that every AI startup or company that is heavily using gen-ai for coding is probably extremely vulnerable to the simplest of attacks. Might be a way to make some extra spending money lol.
You bet not all THW vulnerabilities are reported to the vendors. Not with 5k bounty for THAT.
Yeah thats the scary thing. I know it's a bit of a meme about how as programmers we don't trust other programmers or software, but it's becoming more and more true and necessary. I want to use as little software as possible these days.
Yeah it made me re-evaluate how much I can trust those platforms
THW?
Chill - just because someone got hacked doesn't mean their product is trash. Easily every mass adopted product created prior to 2023 has been hacked at some point.
That makes it worse, not better. Because for those applications the code was audited and not hallucinated.
> This feels so emblematic of our current era. VC funded vibe coded AI documentation startup somehow ...
Is there any indication Mintify was "vibe coded"?
I'm giving them the benefit of the doubt, as the alternative would be that their developers are completely incompetent. The vulnerability is the equivalent to letting a user save HTML to a database and then injecting it into every page completely unsanitized.
Mintlify had a blacklist in place to not allow them to do this with most file types. Someone failed to add SVG to it. It's not like they weren't thinking about security. The challenge with security, as you know, is it's only as strong as it's weakest link. It only takes one ignorant/incompetent person in an entire organization to jeopordize the org. But even a competent person can make a crucial mistake.
A whitelist is safer than a blacklist. Unfortunately you risk losing those customers that won't be able to load their media, won't contact support, will use a different service.
The challenge with security, as you know, is it's only as strong as it's weakest link. It only takes one ignorant/incompetent person in an entire organization to jeopordize the org.
Comment was deleted :(
Comment was deleted :(
How is a company like mintlify getting so many big name customers for what appears to be a static site generator + hosting? Is there some secret sauce I'm missing, what is the value proposition?
Lots of these companies are YC companies, and they tend to use other YC products. For those that aren't, its easier to just use what other big names are using, and having YC as a backing name is quite useful in that regard.
Convenience and developer uncertainty. I fall pray to the "it's paid, so it must be better" fallacy, and the "they know what they are doing, they are pros" illogicality.
$5k is such a small payout for this sort of finding.
Related:
We pwned X, Vercel, Cursor, and Discord through a supply-chain attack
Crafted by Rajat
Source Code