by pm90
481 days ago
This is the most mealy-mouthed disclosure ever. Shame on them. How can an employee's 2FA misconfiguration lead to someone else accessing these repos? 2FA setups are supposed to prevent this sort of thing. If I had to guess, it was someone on the "devops/sre/infra" team that usually has god-mode access who was setting up some integration and disabled 2FA for testing or something for a test account … but it would have had to be disabled for a while for the attacker to get access. What kind of customer data were they storing in their repository? Were they storing raw webhook data/API responses in GitHub gists or something (wouldn't put it past them)? As a side note, I've worked with folks from Zapier and I'm not impressed with their engineering. Their integrations are super fucking brittle; it's like it was designed by toddlers. I would not depend on them for any kind of business-critical functionality.
I’m not sure who you worked with, but I worked for several years with both engineers and the CTO, and I strongly disagree with your assertion regarding their engineering prowess. It is one of the most engineering focused companies I have ever worked at in ~25 years, and at least while I was there, the bar was high (and continued to rise during my tenure).
Security is hard; perfect security is impossible. You prioritize workload to the best of your ability, and hope you outrun adversaries. Sometimes you will lose, and you have a plan for that. People are always the weakest link.
Integrations are brittle because integrating with thousands of APIs is hard, and APIs are constantly changing underneath the system. In my opinion, the core was robustly architected and implemented (although it has changed over time).
(head of security at a fintech, 10+ years security in financial services)