
Yeah, this caught me off guard too. This basically means anyone on this chat service could do anything they wanted, OR the chatbot was granted excess privileges on commission. Either way, a serious violation of the principle of least privilege.



My wild guess would be that they used chat rooms as a sort of access control.

If you are in the room with the bot, you can issue commands.

They could have forgotten that you can also just add the bot to another room. Major face palm, but plausible.
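The pattern the comment above guesses at, as an added illustration that is not part of the thread or of the service being discussed: a bot that treats "the message arrived in a room I am a member of" as authorization, beside a version that takes its authorization from configuration set out of band. The platform model (ChatService, Room), the bot names and the operator/attacker accounts are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Room:
    name: str
    members: set = field(default_factory=set)


class ChatService:
    """Constructed stand-in for a chat platform: any member of a room can
    invite any account into it, bots included."""

    def __init__(self):
        self.rooms = {}

    def create_room(self, name, creator):
        self.rooms[name] = Room(name, {creator})

    def invite(self, room_name, inviter, invitee):
        room = self.rooms[room_name]
        if inviter not in room.members:
            raise PermissionError(f"{inviter} is not in {room_name}")
        room.members.add(invitee)

    def send(self, room_name, sender, text, bot):
        """Deliver to the bot only if the bot is a member of the room. This is
        exactly why a membership check inside the bot proves nothing."""
        room = self.rooms[room_name]
        if sender not in room.members or bot.NAME not in room.members:
            return "not delivered"
        return bot.on_message(room_name, sender, text)


class WeakBot:
    """'If you are in the room with the bot, you can issue commands.'"""
    NAME = "deploy-bot"

    def __init__(self, service):
        self.service = service
        self.executed = []

    def on_message(self, room_name, sender, text):
        room = self.service.rooms[room_name]
        if self.NAME not in room.members:  # always true once delivered
            return "ignored"
        self.executed.append((room_name, sender, text))
        return "executed"


class HardenedBot:
    """Authorization comes from configuration the bot owner controls, not
    from where the message happened to arrive: an allowlist of rooms plus an
    allowlist of operators, and both must match."""
    NAME = "deploy-bot"

    def __init__(self, service, allowed_rooms, operators):
        self.service = service
        self.allowed_rooms = frozenset(allowed_rooms)
        self.operators = frozenset(operators)
        self.executed = []

    def on_message(self, room_name, sender, text):
        if room_name not in self.allowed_rooms:
            return "denied: untrusted room"
        if sender not in self.operators:
            return "denied: unauthorized sender"
        self.executed.append((room_name, sender, text))
        return "executed"


def scenario(bot_factory):
    """alice drives the bot from #ops; mallory creates her own room, adds the
    bot to it, and issues the same command there. Returns both outcomes."""
    svc = ChatService()
    svc.create_room("#ops", "alice")
    svc.invite("#ops", "alice", "deploy-bot")
    bot = bot_factory(svc)
    legit = svc.send("#ops", "alice", "!deploy prod", bot)

    svc.create_room("#mallory-private", "mallory")
    svc.invite("#mallory-private", "mallory", "deploy-bot")
    attack = svc.send("#mallory-private", "mallory", "!deploy prod", bot)
    return legit, attack


def run_weak():
    return scenario(WeakBot)


def run_hardened():
    return scenario(lambda svc: HardenedBot(svc, {"#ops"}, {"alice"}))


if __name__ == "__main__":
    print("weak    :", run_weak())
    print("hardened:", run_hardened())
```

The weak bot executes both commands because, by the time a message reaches it, the bot is by construction in that room; the hardened bot refuses the second one before ever looking at the command. Checking the sender as well as the room matters: an allowlisted room alone would still let anyone alice invites into #ops issue commands.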


Certainly seems like the sort of idiotic mistake I could make.



