by waldopat 55 days ago
While everyone is revoking OAuth apps, rotating API keys, and deleting Vercel accounts, this is a good reminder that the scary part is how short the path was from OAuth token to employee account to internal systems to customer secrets.

Many folks here likely have some stack that looks like: Google Workspace, GitHub, Vercel/Railway/Render/etc. where env vars or secrets are hosted. These are all loosely coupled but transitively trusted.

So compromising any one of them becomes a threat vector. In other words, if System A trusts System B, and System B trusts System C, then System A trusts System C. This is also why OpenClaw is frightening from a security perspective.

Also, this is a good reminder to run audits. Run `npm audit` on a typical Next.js project and you’ll probably see DoS vulnerabilities, ReDoS issues, Prototype pollution, code injection paths, handlebars etc. I'm sure you'll find something unexpected if you don't have routine code hygiene checks.
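As an added illustration of the transitive-trust point (not part of the comment above), here is a small Python model that computes the blast radius of a compromised foothold over a constructed trust graph and shows how removing one trust edge, such as a revoked app installation, shrinks it. The system names and edges are made up for the example.

```python
from collections import deque

# Constructed trust graph for a stack like the one in the comment.
# An edge X -> Y means "Y trusts X": holding X gets you into Y.
TRUST_EDGES = {
    "oauth_token": {"employee_account"},
    "employee_account": {"google_workspace", "github"},
    "google_workspace": {"github"},      # SSO into GitHub
    "github": {"vercel"},                # hosting app installed on the org
    "vercel": {"env_secrets"},           # env vars live in the hosting platform
    "env_secrets": {"customer_data"},    # secrets unlock customer data
    "customer_data": set(),
}

def reachable(graph, start):
    """Return every system reachable from `start` via transitive trust (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def blast_radius(graph, crown_jewels):
    """Map each foothold to the sorted crown-jewel systems its compromise exposes."""
    return {node: sorted(reachable(graph, node) & crown_jewels) for node in graph}

def without_edge(graph, src, dst):
    """Copy of the graph with one trust relationship removed (e.g. a revoked app)."""
    g = {k: set(v) for k, v in graph.items()}
    g[src].discard(dst)
    return g

if __name__ == "__main__":
    jewels = {"env_secrets", "customer_data"}
    for foothold, exposed in blast_radius(TRUST_EDGES, jewels).items():
        print(f"{foothold:18} -> {exposed}")
    cut = without_edge(TRUST_EDGES, "github", "vercel")
    print("after revoking the GitHub->Vercel trust:",
          blast_radius(cut, jewels)["oauth_token"])
```

Running it shows the single OAuth token reaching both secret stores, and an empty list once the GitHub-to-Vercel trust edge is removed.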