The fact that this shitty application with a hardcoded OAI key also uses Supabase pairs perfectly with yesterday's story about Supabase's MCP implementation being impossible to actually secure and their engineer showing up in the comments going "the latest release probably won't leak data, hopefully, maybe". Just an endless fractal of shit, brought you by the AI future.
Oh well. At least there will probably be good money in cleaning up after these bozos.
Just when I felt we were at a point where it was acceptable to slow down progress for the sake of security we are now at a point where the speed is far too attractive to both stakeholders and a lot of the actual engineers to worry about the details.
> You are a Gen Z App, You are Pandu,you are helping a user spark conversations with a new user, you are not cringe and you are not too forward, be human-like. You generate 1 short, trendy, and fun conversation starter. It should be under 100 characters and should not be unfinished. It should be tailored to the user's vibe or profile info. Keep it casual or playful and really gen z use slangs and emojis. No Quotation mark
Did you contact the creator first with these findings? What was the creator's response, if any?
In any case I hope the creator was contacted, I'd say publishing active issues like this on a popular website would be arguably as bad as releasing insecure software.
> At first, I was wondering how he managed to even publish something like this, but I'm starting to think that Apple just got tired of rejecting it over and over.
Another reminder for the pile: the app store rules don't apply if you'll deliver them their sweet sweet 30% revenue cut
> Nearly a thousand children under the age of 18 with their live location, photo, and age being beamed up to a database that's left wide open. Criminal.
“[T]he privacy implications of using software built by someone whose productive output is directly tied to the uptime of Cursor is absolutely horrendous.”
The most perfect description of the world we live in right now.
The only thing AI is accelerating is our slide into idiocracy as we choose to hand over responsibility for the design and control of our world to slop.
When the AI killbots murder us all, it won’t be because they are taken over by an AGI that made the decision to exterminate us.. but simply because their control software will be vibe coded trash.
Instead of looking down on someone with less knowledge, consider it an opportunity to educate with kindness rather than contempt. Belittling others isn't a good look, nor does it make the world a better place. Perhaps there's an underlying pain you haven't identified, and judgment is a way you cope.
Poorly made slop aside, your framing of this just makes it look and sound like you're extremely bitter over losing a hackathon (?) to this guy. I think you should've focused on the company solely and dropped the snide and sarcastic references calling the CEO/dev a "hero" or "mastermind". It's not particularly mature or productive.
Great read. I wouldn't have had the restraint required not to spam a gazillion push notifications to everyone saying "UNINSTALL IMMEDIATELY" or something like that
This take is toxic. You could write the same article in 2001 and lament all the newcomers writing insecure applications in php3, or in 2009 with all the newcomers writing insecure applications with node.js.
The solution is not to aggressively shame people into doing things the way you learned to do them, but to provide not just education and support, but better tools and frameworks to build applications such as these securely.
I like the write up and it gave me vibes (no pun intended) of old era hacker zine submission, but at the same time it does come across as a bit too over the top, especially because there is no indication the app author even knows this stuff is out here now for everyone to see.
There is no way to police the quality of the (closed-source) software that is going to be put out there thanks to code assisting tools, and I think that will be the strongest asset of previous developers, especially full-stack, because if you do know what you are doing, the results are just beautiful. Claude code user here.
This post sounds like you lost to AI in a competition and decided to get revenge by stalking the author. I'm not even sure if you are actually concerned about its users or you're just using this information to justify the morality of your actions.
Why didn't you just send them an e-mail to warn them about the security issues?
I see in a comment that you did disclose. You should probably include that in your blog post or people will have the wrong idea about you.
30 comments
[ 3.6 ms ] story [ 48.0 ms ] threadOh well. At least there will probably be good money in cleaning up after these bozos.
> You are a Gen Z App, You are Pandu,you are helping a user spark conversations with a new user, you are not cringe and you are not too forward, be human-like. You generate 1 short, trendy, and fun conversation starter. It should be under 100 characters and should not be unfinished. It should be tailored to the user's vibe or profile info. Keep it casual or playful and really gen z use slangs and emojis. No Quotation mark
`ssh site@coal.sh`
In any case I hope the creator was contacted, I'd say publishing active issues like this on a popular website would be arguably as bad as releasing insecure software.
Another reminder for the pile: the app store rules don't apply if you'll deliver them their sweet sweet 30% revenue cut
> Nearly a thousand children under the age of 18 with their live location, photo, and age being beamed up to a database that's left wide open. Criminal.
Hope that $750 was worth it.
The most perfect description of the world we live in right now.
The only thing AI is accelerating is our slide into idiocracy as we choose to hand over responsibility for the design and control of our world to slop.
When the AI killbots murder us all, it won’t be because they are taken over by an AGI that made the decision to exterminate us.. but simply because their control software will be vibe coded trash.
The solution is not to aggressively shame people into doing things the way you learned to do them, but to provide not just education and support, but better tools and frameworks to build applications such as these securely.
What are we doing?
This describes plenty of businesses, both small and large.
There is no way to police the quality of the (closed-source) software that is going to be put out there thanks to code assisting tools, and I think that will be the strongest asset of previous developers, especially full-stack, because if you do know what you are doing, the results are just beautiful. Claude code user here.
Why didn't you just send them an e-mail to warn them about the security issues?
I see in a comment that you did disclose. You should probably include that in your blog post or people will have the wrong idea about you.