Comment by basilikum

Comment by basilikum 2 days ago

5 replies

View on Hacker News

> I've personally witnessed this happen to at least 3-4 production apps in the past year alone.

There is something seriously wrong in your organization when that's a repeating pattern. Secrets don't just accidentally make their way into the frontend unless the way you manage secrets is fatally flawed. Offensive security tools are great for finding issues by playing the role of an adversary, but they are not the solution to such an already known grave, fundamental, organizational problem.

hrimfaxi 2 days ago

You're not wrong. How are these things passing review? Are prs too big and should be broken down into more manageable pieces? Or people just yolo to prod?

Secrets exposure is just one of your problems if there are not processes in place to catch this upstream.

That being said, this is a show hn and we should be gentler with criticism. The tool is still very useful even for mature organizations to identify blind spots and process failures.

Reply View 3 replies
  • amaldavid a day ago

    Yep, Github does a wonderful job flagging secrets most times but irrespective of that this is happening in some sites. This was built out of personal curiosity and I had put it out for public because I myself was not aware if this will be actually useful and if so in what form. People do YOLO to prod, we have more kids building AI wrappers than I can count, and somewhere in that chaos secrets slip through the cracks.

    Ideally I would have loved this to be a chrome plugin or part of the CI/CD pipeline or put it out as an adversary agent for all of these new vibe coded apps but don't think I'm that vested into the idea yet. Thanks for being gentle :)

    Reply View 0 replies
  • [removed] a day ago
    [deleted]
    Reply View 0 replies
amaldavid a day ago

Well, when i meant "personally" not in the app I manage. I have a quirk of checking sites to understand what they are using and how they are using and have stumbled upon sites with exposed Gemini, Google Maps, OpenAI keys etc.

https://news.ycombinator.com/item?id=45741569 - It was also partly inspired by this as I have seen legacy sites making these mistakes quite often.

With all the vibe coded apps that are getting launched or were launched early, there are enough holes to plug. This is just an attempt to help individuals or orgs to ensure they are not exposed. Just pushed it out what I had in mind based on my experience.

And I agree with you that an adversary approach won't work if we can't fix the underlying problem but the world has changed with enough vibe coded apps that are getting shipped everyday and very little of them care or know about security.

Reply View 0 replies