Weekly review cw 35

This week has shown me the importance of external input. The insights and revelations they yield often have far-reaching consequences. But what does that have to do with a bug bounty hunter? Read for yourself.


I enjoy strolling and exploring the places I travel to. While doing so, I reflect on the world around me. Typically, to-dos come to mind. I rarely gain truly new insights. Occasionally, I come across beautiful houses and their gardens, which inspire new ideas for my own home.

It was similar this summer in Sweden. My family and I took a small ferry. It connects the mainland with an island. Limestone used to be mined there. Today, on one side, houses are owned by wealthy people. On the other side, it's rugged. After our walk through this idyllic landscape, lunchtime is already over, but there's still time until dinner. The perfect moment for coffee and cake—or as the Swedes put it in one word: fika.

On the way, we noticed a small house with a terrace that resembled a café. In fact, the ground floor features an area that resembles an open living room, where the owner sells coffee, cake, ice cream, and cinnamon rolls. Before I leave, I look for the restrooms after having two cups of coffee. I find what I'm looking for upstairs. But there's much more there.

Bounty hunt

This week I received an email. At first glance, it wasn't unusual. The title caught my attention: “Critical Security issue: Company Clerk API key disclosed in public GitHub repo.” Phew, that's probably spam. Especially with a Gmail address like “name456@gmail.com.” I have plenty of those for my newsletter, and they never confirm the double opt-in.

But I had a bad feeling. So I opened GitHub and checked the Sociabli backup repo. Luckily, I was sitting at that moment. The repository was (deliberate past tense) public. Everything stored there could be read by anyone. After a quick check, it was clear: This wasn't spam, but a friendly tip from a bug bounty hunter.

From that moment on, work was in full swing. All secrets were invalidated, even if this meant the service was temporarily unavailable. The corrupted passwords were then recreated and reconfigured. Because API keys were available, the accounts could also have been accessed without our ability to verify them. A lot could have happened, but it was a possible scenario. So, we also checked and modified what was accessible via the API.

To our knowledge, nothing was changed by unauthorized individuals. The posts we cross-post with Sociabli are public anyway, so this information is not sensitive. The access has been changed, and the backup is now done in a private repository. In the long term, we will remove the secrets from the backup and store them separately and encrypted.

As a final step, Maurice and I will investigate how the situation even occurred. It's crystal clear that such sensitive information has no place in a backup, let alone a public repository. Nevertheless, something went wrong in our 'Infrastructure as Code' rollout. We will improve this so that this is prevented by automation and an alarm is triggered.
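One way to automate the check described above, as an added example that is not from the original post or from Sociabli: a small Python scanner that fails a CI or pre-commit step when a backup file contains a credential-like assignment or a high-entropy token. The script name, the variable names and every value in the sample are hypothetical.

```python
import math
import re
import sys
from collections import Counter

# Assignment whose name hints at a credential and whose value has 8+ chars.
NAMED_SECRET = re.compile(
    r'(?i)\b([a-z0-9_.-]*(?:api[_-]?key|secret|token|password|passwd)[a-z0-9_.-]*)'
    r'\s*[=:]\s*["\']?([^\s"\']{8,})'
)
# Any long whitespace-free token; random key material has high entropy.
LONG_TOKEN = re.compile(r'[A-Za-z0-9+/=_\-]{24,}')

def shannon_entropy(s: str) -> float:
    """Bits per character of s; random hex scores near 4.0, prose far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_secret_candidates(text: str, threshold: float = 3.5):
    """Return (line_no, reason, value) for each line that looks like a secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = NAMED_SECRET.search(line)
        if m:  # weak secrets like 'changeme' are caught by name, not by entropy
            findings.append((no, f"credential-like name {m.group(1)!r}", m.group(2)))
            continue
        for tok in LONG_TOKEN.findall(line):
            e = shannon_entropy(tok)
            if e >= threshold:
                findings.append((no, f"high-entropy token ({e:.2f} bits/char)", tok))
    return findings

# Constructed backup fragment with hypothetical values, not Sociabli's real config.
SAMPLE = """\
SOCIABLI_API_KEY="cl_9f8e7d6c5b4a3f2e1d0c4b5a6978"
db_host=localhost
admin_password: changeme123
blob: abcdefghijklmnopqrstuvwxyz012345
padding: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    # Usage: python check_backup_secrets.py backup/*.env; a non-zero exit fails the pipeline.
    sources = {p: open(p, errors="replace").read() for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    hits = [(p, *h) for p, text in sources.items() for h in find_secret_candidates(text)]
    for path, no, reason, value in hits:
        print(f"{path}:{no}: {reason}: {value[:4]}...")  # never echo the full secret
    sys.exit(1 if hits else 0)
```

Run without arguments it scans the built-in sample and exits 1; wired into a pre-commit hook or pipeline stage, the same exit code is the alarm that blocks the push.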

The Studio on the Upper Floor

Upstairs, I expected two doors—one for women and one for men. What awaited me was something entirely different. A completely open-plan attic full of paintings opened up before me. Completely forgetting why I came upstairs, I approached the paintings. The paintings were grouped into sections. Within each section, the style of drawing was utterly different.

A man noticed my curious glances. He approached me and asked me something about a painting. We started talking. He told me about his inspiration for the respective content. One of the paintings was a combination of seven individual images that flowed into one another. I asked him if he decided one day to make that painting or if he needed to practice.

His answer was unambiguous. He makes hundreds of attempts, discarding each one until he finds one he considers good enough for the exhibition. He has an idea or a plan, or rather, a rough idea, of what the painting should look like beforehand. Furthermore, he then works through it. Try by try until he's satisfied. Then he thinks of something new and starts again. This artist has a growth mindset.

This has shown me that as much as I enjoy strolling and exploring alone, it's still useful, at least occasionally, to exchange ideas with others—ideally strangers—and think and talk about ideas.
