So I haven’t had much time to post about it, but #buildinpublic inspired me to share my recent work. Checkout https://t.co/w1dY5BZvxX for a simplified time management system that deals with diversity in various kinds of things we have to plan and schedule.
#buildinginpublic
i went to https://t.co/0yaHjrptb3. opened the page source. found a hardcoded API key in the javascript. copied it. sent one GET request.
got back 959 email addresses and 3,165 internal feature flags.
employees from Home Depot. Fortinet. Autodesk. Tenable. Rakuten. Mayo Clinic. Permira. Akin Gump. government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland Australia, and New Zealand. a Microsoft contractor. 71 clickup employees.
fortinet sells enterprise firewalls. tenable makes Nessus, the vulnerability scanner half the industry runs. their employees emails are exposed because clickup hardcoded a third party API key in a javascript file that loads before you even log in.
this was first reported to clickup through hackerone on January 17, 2025. its now April 2026. the key has not been rotated. i just pulled the response five minutes ago. every email is still there.
clickup raised $535 million at a $4 billion valuation. claims 85% of the Fortune 500 use their platform. looks like the proof is in the page source.
@CloakdDev I don't think it's people downloading TestFlight on secured devices, but rather people using insecure personal devices for all sorts of stuff.
@CloakdDev@tayvano_@GivnerAriel Just to be clear, I'm not saying that you're wrong, just exploring this further since this is something that I'm actually currently working on.
@CloakdDev@tayvano_@GivnerAriel I'm actually curious how you would really set that up. Having a separate VLAN for this machine totally makes sense, but I'm assuming you're talking about keeping this in an office building on a separate network/subnet? That still leaves physical security.
@CloakdDev@tayvano_@GivnerAriel I don't think it's overkill really. Most data centers that run important stuff already assume that level of security and banks enforce quite a bit of this as well that are expected to keep the money safe.
@HackingDave Yeah I’ve had the same experience. I also don’t like that Claude does a lot of decision making for me when I want it to follow some basic instructions.
It then thinks that it’s super smart and following “standards” and revert my code that was there for a good reason.
@k1rallik Welcome to the world of market making. This is really common and something that HFT firms have been doing for a while. It’s just catching on the prediction markets.
Excited to disclose my research allowing RCE in Kubernetes
It allows running arbitrary commands in EVERY pod in a cluster using a commonly granted "read only" RBAC permission. This is not logged and and allows for trivial Pod breakout.
Unfortunately, this will NOT be patched.
Caved and got o1 Pro.
I asked it my favorite question to ask these models, and it gave much more interesting answers than either o1 preview or Claude 3.5 Sonnet.
They're not quite as mind-bending as I'd want -- I've seen a version of all of them except #7 -- but still better: