
When I create a new service and add a LetsEncrypt cert to the server via ACME, I immediately see logs filled with junk, obviously bots searching for shitty defaults that devs might leave open. I have even seen requests for the process env file lol.

How was such a vuln not found and abused in this case? a16z is very lucky, or maybe it was abused and not disclosed. A researcher or bored person with a kind heart/white hat hacker mindset is the first to reach out.

a16z should be fined heavily; unfortunately there is no legal framework for this type of negligence.



> How was such vuln not found and abused in this case?

Maybe it was...

There might have been more value in leaving this one open than just screwing with them.


To be fair, their main site doesn't seem super interesting. A couple of those credentials, such as OKTA, seem bad though.



