Securing a DoD Contractor: Finding a Multi-Tenant Authorization Vulnerability
76 points by bearsyankees 2 hours ago | 22 comments

codegeek 2 minutes ago
"There was no meaningful organization scoping, no tenant isolation, and no permission check preventing a low-privilege user from accessing other organizations' records."

Let me guess though. They are SOC2 and ISO compliant, right?

reply
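The quoted finding names three missing controls at once: organization scoping, tenant isolation, and a permission check. The following is an added illustration, not code from the article or from the contractor's product; the schema, table name, org ids and the two-role model are constructed for the example. It puts a lookup that filters by record id alone beside one that takes the tenant from the session and makes it part of the query, and adds a role check for a destructive action.

```python
"""Tenant-scoped record access: a lookup by id alone beside a hardened lookup.

Added example, not the article's or the vendor's code. The schema, sample
rows, org ids and roles below are constructed for illustration only."""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Session-derived identity: org_id comes from the authenticated session,
    never from a request parameter (constructed role model: admin/member)."""
    user_id: int
    org_id: int
    role: str


class NotFound(Exception):
    """Raised for both missing and foreign-tenant records, so the response
    does not reveal whether another organization's record exists."""


class Forbidden(Exception):
    """Raised when the caller's role does not permit the requested action."""


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two organizations, one record each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, org_id INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [(1, 100, "org-100 contract"), (2, 200, "org-200 contract")],
    )
    conn.commit()
    return conn


def get_record_vulnerable(conn, user: User, record_id: int) -> str:
    """The pattern the finding describes: filter by id only, so any
    authenticated user can read any organization's record by guessing ids."""
    row = conn.execute(
        "SELECT body FROM records WHERE id = ?", (record_id,)
    ).fetchone()
    if row is None:
        raise NotFound
    return row[0]


def get_record_scoped(conn, user: User, record_id: int) -> str:
    """Tenant-scoped lookup: the session's org_id is part of the WHERE clause,
    so a record belonging to another tenant simply does not match."""
    row = conn.execute(
        "SELECT body FROM records WHERE id = ? AND org_id = ?",
        (record_id, user.org_id),
    ).fetchone()
    if row is None:
        raise NotFound
    return row[0]


def delete_record_scoped(conn, user: User, record_id: int) -> bool:
    """Destructive action: role check first, then the same tenant scoping.
    Returns True only if a row in the caller's own org was deleted."""
    if user.role != "admin":
        raise Forbidden
    cur = conn.execute(
        "DELETE FROM records WHERE id = ? AND org_id = ?",
        (record_id, user.org_id),
    )
    conn.commit()
    return cur.rowcount == 1


def demo() -> dict:
    """Runs both paths against the constructed data and reports the outcomes."""
    conn = build_db()
    member_org100 = User(user_id=7, org_id=100, role="member")
    results = {}
    # Unscoped path: a low-privilege member of org 100 reads org 200's record.
    results["vuln_cross_tenant"] = get_record_vulnerable(conn, member_org100, 2)
    # Scoped path: the same request is indistinguishable from a missing record.
    try:
        get_record_scoped(conn, member_org100, 2)
        results["scoped_cross_tenant"] = "leaked"
    except NotFound:
        results["scoped_cross_tenant"] = "not found"
    results["scoped_own"] = get_record_scoped(conn, member_org100, 1)
    # Permission check: a member may not delete even within its own org.
    try:
        delete_record_scoped(conn, member_org100, 1)
        results["member_delete"] = "allowed"
    except Forbidden:
        results["member_delete"] = "forbidden"
    # An admin of org 200 still cannot touch org 100's record (rowcount 0).
    admin_org200 = User(user_id=8, org_id=200, role="admin")
    results["admin_cross_delete"] = delete_record_scoped(conn, admin_org200, 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the tenant filter lives in the query itself rather than in a post-fetch comparison, so a forgotten check cannot leak a foreign record, and cross-tenant and nonexistent ids produce the same "not found" response.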
bryancoxwell 27 minutes ago
> Their initial reply from the CEO: "I would love to hear what the vulnerability is, but I assume you want to get paid for it. Is that the play?"

Well that’s pretty damning.

reply
cyberax 9 minutes ago
I keep getting emails with content like: "I found a critical bypass vulnerability in your app. What is the appropriate channel to disclose it, and do you have a bounty program?"

I tried engaging and replying to them, and it inevitably turns into: "Yeah, we don't actually have the vulnerability, but you are totally vulnerable, just let us do a security audit for you".

I have a pre-written reply for these kinds of messages now.

reply
Galanwe 3 minutes ago
From the looks of it, they actually asked for a way to report.
reply
tencentshill 16 minutes ago
They could sell the next one to an adversary for a lot more money if they're going to act like that.
reply
lixtra 6 minutes ago
Yes, there are also many other lucrative illegal activities.
reply
tardedmeme 2 minutes ago
Isn't it also illegal to withhold knowledge of a vulnerability for payment? It sounds like it should fall under some variety of blackmail.
reply
janice1999 5 minutes ago
Finally the AI security startup hustlers will keep the other tech startup hustlers in line. Maybe the era of devastating leaks and total disregard for user privacy will come to an end (doubtful).
reply
bearsyankees 3 minutes ago
LOL
reply
rectang 36 minutes ago
a16z = "Andreessen Horowitz", for those not in the know. (The acronym is not expanded in the article. EDIT: OP has fixed the article.)
reply
bearsyankees 33 minutes ago
fixed now
reply
rectang 31 minutes ago
Thanks! Happy to have my comment hidden by the mods if they get around to it.
reply
bearsyankees 31 minutes ago
appreciate the feedback!!
reply
DougN7 36 minutes ago
Would it be possible to stop using aXXb nomenclature within the titles? Some of us aren't hip enough to know what all of them mean.
reply
beambot 35 minutes ago
Their website is literally a16z.com... you'd rather say Andreessen-Horowitz, which is just as arbitrary as a16z? They're one of the top VC firms on the planet -- exceedingly relevant for the HN audience.
reply
krisoft 36 seconds ago
> you'd rather say Andreessen-Horowitz, which is just as arbitrary as a16z

Yes. I know Andreessen-Horowitz and I don’t know a16z. Reading the title I thought it would be about the cryptography serialisation specification. Turns out I was mixing it up with ASN.1.

> Their website is literally a16z.com

I hear now. Before this, if pressed, I would have guessed that they probably have a website indeed. If you had twisted my arm my guess would have been andersenhorovitz.com (yup, with the typos. I learned the correct spelling today from your comment.)

> exceedingly relevant for the HN audience

We contain multitudes.

reply
DougN7 26 minutes ago
I'll be honest - I was thinking authorization (a11n?) - so I didn't read it closely enough. But despite that, and being on HN from almost the beginning (with a different account I lost the password to), I still didn't know what a16z was, though I do recognize Andreessen-Horowitz.
reply
Semaphor 19 minutes ago
Opposite for me, I've seen a16z tons of times on HN, and also the domain where sometimes, but the full name would have meant nothing to me.
reply
rectang 19 minutes ago
I didn't either. This is an ancient debate that can never be resolved completely, though — because the articles that HN submissions point to don't follow a style guide and there are always assumptions about audience priors. Best to just resolve it and move on.
reply
bearsyankees 36 minutes ago
apologies, just a vc firm
reply
ryanisnan 39 minutes ago
Yikes, Schemata and that delinquent CEO should be held accountable.
reply