this post was submitted on 26 Jul 2025
572 points (99.1% liked)

Programmer Humor

[–] EmilyIsTrans@lemmy.blahaj.zone 6 points 3 hours ago

I absolutely despise Firebase Firestore (the database technology that was "hacked"). It's like a clarion call for amateur developers, especially low rate/skill contractors who clearly picked it not as part of a considered tech stack, but merely as the simplest and most lax hammer out there. Clearly even DynamoDB with an API gateway is too scary for some professionals. It almost always interfaces directly with clients/the internet without sufficient security rules preventing access to private information (or entire database deletion), and no real forethought as to ongoing maintenance and technical debt.

A Firestore database facing the client directly on any serious project is a code smell in my opinion.

[–] LovableSidekick@lemmy.world 7 points 4 hours ago

Securing the db is more of an ops thing.

[–] fmstrat@lemmy.nowsci.com 37 points 7 hours ago (1 children)
[–] funkless_eck@sh.itjust.works 12 points 4 hours ago (1 children)
[–] FooBarrington@lemmy.world 11 points 4 hours ago (2 children)

You know that's not the Tea code, but the downloader, right?

[–] The_Decryptor@aussie.zone 1 points 1 hour ago

They're also not using requests very efficiently, so who knows.

[–] fmstrat@lemmy.nowsci.com 5 points 4 hours ago (1 children)
[–] FooBarrington@lemmy.world 10 points 4 hours ago* (last edited 4 hours ago)

Sure, it might be, I'm not saying it isn't. All I'm saying is: the screenshot shows the code someone wrote to download the images. It's not part of the Tea codebase.

[–] cupcakezealot@piefed.blahaj.zone 12 points 7 hours ago (2 children)

who'd have thought that javascript and client side programming was incredibly susceptible to security flaws and deeply unsafe

[–] lena@gregtech.eu 31 points 6 hours ago (2 children)

As much as I dislike JavaScript, it isn't responsible for this. The person (or AI) and their stupidity is.

but it didn't help; it was basically the gasoline

[–] levzzz@lemmy.world 5 points 4 hours ago (1 children)

When I tried making a website with Gemini CLI it did deadass use string interpolation for SQL queries so everything is possible

[–] Dultas@lemmy.world 1 points 3 hours ago (1 children)

Robert'); DROP TABLE Students; --
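
Added example, not part of the thread or of any code discussed in it: the string-interpolation pattern mentioned above beside a parameterized query, both fed the input quoted in the previous comment. The table layout, the function names and the use of Python's `sqlite3` with `executescript()` (standing in for a driver that accepts stacked statements) are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample input: the string quoted in the comment above.
NAME = "Robert'); DROP TABLE Students; --"


def fresh_db():
    """In-memory database with one existing row (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Students (name TEXT)")
    db.execute("INSERT INTO Students (name) VALUES ('Alice')")
    return db


def table_exists(db):
    row = db.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row[0] == 1


def insert_interpolated(db, name):
    """Vulnerable: the input is pasted into the SQL text and parsed as SQL."""
    sql = f"INSERT INTO Students (name) VALUES ('{name}');"
    # Assumption: executescript() stands in for a driver that runs stacked statements.
    db.executescript(sql)
    return sql


def insert_parameterized(db, name):
    """Hardened: the SQL text is fixed and the input travels as a bound value."""
    db.execute("INSERT INTO Students (name) VALUES (?)", (name,))


def demo():
    vulnerable, hardened = fresh_db(), fresh_db()
    insert_interpolated(vulnerable, NAME)
    insert_parameterized(hardened, NAME)
    names = [r[0] for r in hardened.execute("SELECT name FROM Students ORDER BY rowid")]
    # (table survives interpolation?, table survives binding?, rows after binding)
    return table_exists(vulnerable), table_exists(hardened), names


if __name__ == "__main__":
    print(demo())
```

With the bound parameter the quote and semicolons are stored as part of the name; with interpolation they end the `INSERT` and start a second statement.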

[–] axEl7fB5@lemmy.cafe 15 points 6 hours ago (1 children)

who'd have thought that being a shitty programmer was incredibly susceptible to security flaws and deeply unsafe instead of javascript

[–] Witchfire@lemmy.world 5 points 5 hours ago (1 children)

No, it must be JavaScript that is the problem

principal_skinner.jpg.exe

[–] cyrano@lemmy.dbzer0.com 6 points 5 hours ago (1 children)

Microsoft Defender identified a malware in this executable.

Wow. It actually identified something?

[–] taiyang@lemmy.world 64 points 11 hours ago (1 children)

This reminds me of how I showed a friend and her company how to get databases from BLS and it's basically all just text files with URLs. "What API did you call? How did you scrape the data?"

Nah man, it's just... there. As government data should be. They called it a hack.

[–] kieron115@startrek.website 12 points 5 hours ago* (last edited 5 hours ago)

ah yes, the forbidden curl hack
