Rygian 7 hours ago

I don't understand what is being encouraged here.

Something is seriously wrong when we say "hey, respect!" to a company who develops an unauthenticated RCE feature that should glaringly shine [0] during any internal security analysis, on software that they are licensing in exchange for money [1], and then fumble and drop the ball on security reports when someone does their due diligence for them.

If this company wants to earn any respect, they need at least to publish their post-mortem about how their software development practices allowed such a serious issue to reach shipping.

This should come as a given, especially seeing that this company already works on software related to security (OpenAuth [2]).

[0] https://owasp.org/Top10/2025/ - https://owasp.org/Top10/2025/A06_2025-Insecure_Design/ - https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/ - https://owasp.org/Top10/2025/A05_2025-Injection/

[1] https://opencode.ai/enterprise

[2] https://anoma.ly/

Reply View 5 replies
  • Cornbilly 21 minutes ago

    I’ve noticed this a lot with startup culture.

    It’s like an unwritten rule to only praise each other because to give honest criticism invites people to do the same to you and too much criticism will halt the gravy train.

    Reply View 0 replies
  • GoblinSlayer 6 hours ago

    Honestly RCE here is in the browser. Why the browser executes any code in sight and this code can do anything?

    Reply View 3 replies
    • Rygian 6 hours ago

      It's called "the world wide web" and it works on the principle that a webpage served by computer A can contain links that point to other pages served by computer B.

      Whether that principle should have been sustained in the special case of "B = localhost" is a valid question. I think the consensus from the past 40 years has been "yes", probably based on the amount of unknown failure possibilities if the default was reversed to "no".

      Reply View 2 replies
      • GoblinSlayer 5 hours ago

        owasp A01 addresses this: Violation of the principle of least privilege, commonly known as deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.

        Indeed, deny by default policy results in unknown failure possibilities, it's inherent to safety.

        Reply View 1 reply
        • pixl97 44 minutes ago

          >Violation of the principle of least privilege

          I completely agree with this, programs are too open most of the time.

          But, this also brings up a conundrum...

          Programs that are wide open and insecure typically are very forgiving of user misconfigurations and misunderstandings, so they are the ones that end up widely adopted. Whereas a secure by default application takes much more knowledge to use in most cases, even though they protect the end user better, see less distribution unless forced by some other mechanism such as compliance.

          Reply View 0 replies