Hacker News new | ask | show | jobs
by x0x0 367 days ago
Maybe uncharitable, but it seems like BotGhost comprehensively doesn't take security seriously. Not only were there bad vulnerabilities, but they didn't have the logging (or didn't use it) to see who was affected; didn't want to roll keys; didn't want to announce; and didn't even have their own bots use their own security features. So yeah. I'm a bit more sympathetic if Discord decided that BotGhost in particular wasn't going to be using Discord's platform any more. Because I'd guess the probability these are the last of BotGhost's serious vulnerabilities to be about 0%.

So now botghost is doing a pentest. But I dunno... my guess at the likelihood of doing a good job backfilling security into a codebase that wasn't built with that as a core concern is also low.
1 comments
immibis 367 days ago
That logging you want (every command and response) would have been a huge GDPR violation.

I suppose they could have logged only if a bot token was detected in output. But if you'd think to do that, then why not also just block the output?

link
x0x0 367 days ago
You do not understand GDPR at all. Both performance of contract and legitimate interests cover security issues and associated logging.
link
immibis 365 days ago
Logging all user inputs and outputs forever "because what if there's a bug" (and you don't know what the bug will be) will not fly with any judge.
link
x0x0 363 days ago
> judge

Comprehensively unaware of the GDPR enforcement process also.

What will you google next, I wonder?

link