this post was submitted on 03 Sep 2023
153 points (100.0% liked)

Technology

73758 readers
4297 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
153
Hacker gains admin control of Sourcegraph and gives free access to the masses (arstechnica.com)
submitted 2 years ago by L4s@lemmy.world to c/technology@lemmy.world
2 comments fedilink hide all child comments
 

Hacker gains admin control of Sourcegraph and gives free access to the masses::We've said it before; we'll say it again: Don't put credentials in publicly available code.

you are viewing a single comment's thread
view the rest of the comments
[–] autotldr@lemmings.world 21 points 2 years ago (1 children)

This is the best summary I could come up with:

An unknown hacker gained administrative control of Sourcegraph, an AI-driven service used by developers at Uber, Reddit, Dropbox, and other companies, and used it to provide free access to resources that normally would have required payment.

On August 30 (2023-08-30 13:25:54 UTC), the Sourcegraph security team identified the malicious site-admin user, revoked their access, and kicked off an internal investigation for both mitigation and next steps.”

The resource free-for-all generated a spike in calls to Sourcegraph programming interfaces, which are normally rate-limited for free accounts.

“The promise of free access to Sourcegraph API prompted many to create accounts and start using the proxy app,” Comas wrote.

Sourcegraph personnel eventually identified the surge in activity as “isolated and inorganic” and began investigating the cause.

The token gave users the ability to view, modify, or copy the exposed data, but Comas said the investigation didn’t conclude if that actually happened.

The original article contains 437 words, the summary contains 148 words. Saved 66%. I'm a bot and I'm open source!

[–] lilShalom@lemmy.basedcount.com 3 points 2 years ago

Hope they have good audit logs.