Rendered at 03:43:26 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
tcbrah 1 hours ago [-]
the wildest part is algolia just not responding. you email them saying "hey 39 of your customers have admin keys in their frontend" and they ghost you? thats way worse than the keys themselves imo. like the whole point of docsearch is they manage the crawling FOR you, but then the "run your own crawler" docs basically hand you a footgun with zero guardrails. they could just... not issue admin-scoped keys through that flow
stickynotememo 4 hours ago [-]
So why hasn't the HomeAssistant docs page been nuked yet?
netsharc 4 hours ago [-]
Man, talk about unnecessary graphs... ok graph 2 is maybe tolerable, although it's showing the popularity of the projects, not a metric of how many errors/vulnerabilities found in those projects.
I'm not a newspaper editor, but I think if this was an article for one, they'd also say the graphs are unnecessary. It smells of "I need some visual stuff to make this text interesting"...
throwaway5465 4 hours ago [-]
It's Friday night / Saturday morning. Who wants to be reading text?
Especially on night mode themes.
Besides, can we read anymore? In the age of 'GPT summarise it me' attention spans and glib commentary not about the content of the article being all many people have to add, perhaps liberal application of visualisations adds digestive value.
binarymax 3 hours ago [-]
Dude there’s only three graphs in there. Do they really bother you that much? The third may be a bit unnecessary but I think the visuals add to the post.
netsharc 3 hours ago [-]
So you agree partially with what I said.
The poster is 16, he can take it as feedback towards effective writing. Or the intellectual HN crowd can just downvote it and dissuade me from contributing and helping a kid (oh look at me, how fucking noble am I, right?).
Ah, that feeling of "Am I the only one who gets it around here?". I wanted to explain to you why graph 2 is dumb, and graph 1 is very little information, but heck, I felt dissuaded.
shermantanktop 2 hours ago [-]
If you’re “helping a kid” then I guess I can help you. Help is criticism delivered with a constructive tone. Criticism can be helpful if you look past the tone.
If you want to help, you should sound helpful.
integralid 3 hours ago [-]
I liked the graphs. When skimming posts i often stop on graphical elements and decide if I want to understand the context or continue skimming. In this context, all three graphs were useful for me.
Posts with just text are sense and just not nice to read. That's why even text-only blog posts have a tendency to include loosely-related image at the top, to catch reader's eye.
2 hours ago [-]
TechSquidTV 3 hours ago [-]
I have been developing an OpenClaw-like agent that automates exactly this type of attack.
_pdp_ 3 hours ago [-]
Why? This is just regex search and there are plenty of tools that do this perfectly fine.
system2 2 hours ago [-]
None of those proven tools would make a man feel like a wannabe Mr. Robot.
fix4fun 5 hours ago [-]
Interesting how many people already are playing with these API keys ? ;)
toomuchtodo 5 hours ago [-]
Great write up. Reminder that if you commit these to a Github Gist and the provider partners with GitHub for secrets scanning, they’ll rapidly be invalidated.
pwdisswordfishy 5 hours ago [-]
That's just a tautology.
"If the secrets issuer partners with X-corp for secret scanning so that secrets get invalidated when you X them, then when you X them the secrets will be invalidated".
The above is a true statement for all X.
nightpool 4 hours ago [-]
? Yes? Toomuchtodo is reminding the author (and other commenters), that github gists are one way to make sure secrets are secured / remediated before making a public post like this. Maybe not the most responsible whitehat action, but I can see it being useful in some cases where outreach is impractical / has failed.
Unfortunately, it doesn't look like Algolia has implemented this
TurdF3rguson 3 hours ago [-]
I'm not following this at all. It seems like OP is saying if you share a secret in your (private?) gist and give Algolia permission to read the gist, they will invalidate it. But why would the secret be in a gist and not a repo? Also if you're aware enough to add that partner it seems you're aware to not do dumb things like that in the first place.
richbell 3 hours ago [-]
If you find an exposed token in the wild, for a service supported by GitHub Secret Scanning, uploading it to a Gist will either immediately revoke it or notify the owner.
TurdF3rguson 2 hours ago [-]
Ok I see, so any public gist with an algolia key in it will get invalidated? And it would have to follow some pattern like ALGOLIA_KEY=xxx ?
3 hours ago [-]
wat10000 4 hours ago [-]
English is not formal logic.
In formal logic, that statement is true whether X is GitHub, or Lockheed-Martin, Safeway, or the local hardware store.
In English, the statement serves to inform (or remind) you that GitHub has a secret scanning program that many providers actually do partner with.
pwdisswordfishy 3 hours ago [-]
Yes, and in the real world where Grice's Maxim of Relevance is in force, then when the secrets issuer that is the subject of the discussion isn't one of those partners, then an informative "reminder" that GitHub "has a secret scanning program" with a bunch of other partners is not actually informative. It's as superfluous and unhelpful as calling to let someone know you're not interested in the item they've posted for sale on Craiglist (<https://www.youtube.com/watch?v=xWG3jKzKcm8>).
wat10000 3 hours ago [-]
It's more useful than telling someone that their statement is a tautology in formal logic.
richbell 3 hours ago [-]
How is reminding people that they can safely revoke exposed API keys not informative? Why are you being so combative?
I'm not a newspaper editor, but I think if this was an article for one, they'd also say the graphs are unnecessary. It smells of "I need some visual stuff to make this text interesting"...
Especially on night mode themes.
Besides, can we read anymore? In the age of 'GPT summarise it me' attention spans and glib commentary not about the content of the article being all many people have to add, perhaps liberal application of visualisations adds digestive value.
The poster is 16, he can take it as feedback towards effective writing. Or the intellectual HN crowd can just downvote it and dissuade me from contributing and helping a kid (oh look at me, how fucking noble am I, right?).
Ah, that feeling of "Am I the only one who gets it around here?". I wanted to explain to you why graph 2 is dumb, and graph 1 is very little information, but heck, I felt dissuaded.
If you want to help, you should sound helpful.
Posts with just text are sense and just not nice to read. That's why even text-only blog posts have a tendency to include loosely-related image at the top, to catch reader's eye.
"If the secrets issuer partners with X-corp for secret scanning so that secrets get invalidated when you X them, then when you X them the secrets will be invalidated".
The above is a true statement for all X.
Unfortunately, it doesn't look like Algolia has implemented this
In formal logic, that statement is true whether X is GitHub, or Lockheed-Martin, Safeway, or the local hardware store.
In English, the statement serves to inform (or remind) you that GitHub has a secret scanning program that many providers actually do partner with.