Hacker News

Chatbot is just another type of user interface. Just like web, mobile, voice, etc all have ACL, I would expect that bots and chat user have different permissions.



Yeah, this caught me off guard too: this basically means anyone on this chat service could do anything they wanted, OR the chatbot was granted excess privileges on commission. Either way, a serious violation of the principle of least privilege.


My wild guess would be that they used chat rooms as a sort of access control.

If you are in the room with the bot, you can issue commands.

They could have forgotten that you can also just add the bot to another room. Major face palm, but plausible.


Certainly seems like the sort of idiotic mistake I could make.


Even ignoring the security aspects, I'd be a little worried a new hire would accidentally type something like "what does\nkill all servers" mean into a channel and then accidentally do stuff.
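A worked sketch of the two models the thread contrasts (room presence as the only gate, as guessed a few comments up, versus a per-user allow-list that also requires explicit confirmation for destructive commands, which covers the accidental-newline worry above). This is an added example, not code from any bot discussed in the thread; the command names, roles, users and the `!` prefix are constructed assumptions.

```python
"""Constructed chat-ops authorizer: room membership is not an ACL."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Command:
    name: str
    destructive: bool = False

# Constructed command set and role table (assumptions for this example).
COMMANDS = {
    "status": Command("status"),
    "deploy": Command("deploy"),
    "kill-all-servers": Command("kill-all-servers", destructive=True),
}
ROLE_GRANTS = {
    "viewer": {"status"},
    "operator": {"status", "deploy"},
    "admin": {"status", "deploy", "kill-all-servers"},
}
USER_ROLES = {"alice": "admin", "bob": "viewer", "newhire": "viewer"}
PREFIX = "!"  # only lines starting with this are treated as commands

def room_based_authorize(bot_rooms: set[str], room: str, cmd: str) -> bool:
    """Weak model: anyone in any room the bot has been added to may run anything.
    Inviting the bot to a new room silently extends bot_rooms, so this grants
    every command to whoever controls that room."""
    return room in bot_rooms and cmd in COMMANDS

def user_based_authorize(user: str, cmd: str, confirm: bool = False) -> tuple[bool, str]:
    """Hardened model: decide on the caller's identity and a per-role allow-list,
    independent of which room the message arrived in; destructive commands
    additionally need an explicit confirmation flag."""
    command = COMMANDS.get(cmd)
    if command is None:
        return False, "unknown command"
    role = USER_ROLES.get(user)
    if role is None:
        return False, f"unknown user {user!r}"
    if cmd not in ROLE_GRANTS[role]:
        return False, f"{user} ({role}) may not run {cmd}"
    if command.destructive and not confirm:
        return False, f"{cmd} is destructive; re-issue with --confirm"
    return True, "ok"

def handle_message(user: str, text: str) -> tuple[bool, str]:
    """Plain chat that merely mentions a command name is ignored; only
    prefixed lines are parsed, and the first token is the command."""
    if not text.startswith(PREFIX):
        return False, "not a command"
    parts = text[len(PREFIX):].split()
    if not parts:
        return False, "empty command"
    return user_based_authorize(user, parts[0], confirm="--confirm" in parts[1:])
```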





