by ShaneMcGowan 2219 days ago
I too like to hardcode my AWS secret keys in my frontend application
3 comments

Admittedly the example was a bit fake :)

I /have/ put other secrets into frontend code before, strictly for small temporary projects where the cost of implementing secret management outweighs the size of the project. And obviously not in code that was anywhere close to being deployed outside my own box.

Unfortunately the method outlined in the article allows access to environments that would otherwise be considered trusted and not accessible over the internet, hence the problem.

You do realize that your evil server could in fact send something back to your exploit to ask it to send something back to the server it connected to, right?

   evil-server
      (looks at data from client)
      (recognizes well known server app)
         (launches exploit!)
The first one that comes to mind is built in "package updaters" where the front end server has a well defined way of updating its packages. Have your evil server send it "get a new version of fetch_user_passwords from here..."
Fake though the example may be, I wouldn’t underestimate its ability to stumble upon something useful if you could garner enough traffic.

- you would probably only need a handful of ports

- it really only takes one person pasting that AWS key into their file to get pwned and I’m sure someone has those keys committed to GitHub right now.

- how many tabs do you have open of random tech blogs right now? Excluding HN, my guess is the average dev has at least one.

Not a super plausible attack, but over a long period of time with decent SEO, could probably deliver some interesting results.

I completely understand, friend, have done the very same.
Ha! I came here to say this. I also enjoy putting my secrets in post-it notes on my monitor.
I mean if it's a company internal app...