I was one of the “lucky” few to witness the school of slur-fish.
Being in security I laughed because of how egregious it was but also because I knew someone on HN with some actual time on their hands to help properly would be along soon.
I also appreciate this post mortem. Vibe-coded anything in prod is a lot of my work load in IR these days but it was nice to see such a low stakes project properly documented.
I am sure someone somewhere works on making LLMs commit code. Aside from that it was great witnessing the site in action and reading the postmortem. I wonder how the "hacker" made the connection to the user acount on neopets.com but maybe they just tried something like "ahallak"?
Here in Zurich there's a mural of maybe twenty dinosaurs (not accurate but something that looks like it would be in a children's book). One day someone drew a dick on every single dinosaur. Even the flying pterodactyl had a big dick hanging off of him. It was so puerile and primitive it cracked everyone up that saw it. No tags. No football club graffiti. Just dicks everywhere. Thankfully the mural was repaired pretty quickly.
Great post-mortem, especially since it's a vibe-coded app.
Curious if you were inspired by Lego's build-a-fish* exhibit at the Lego House? I visited recently and it is ridiculously addictive to see a fish you create swim with others :)
I read the HN thread first, and the first comment I saw from the author was about AI nazi symbol detector they put in... I wonder how many orders of magnitude that comment increased interest in making offensive fish?
Later I saw images of the attacked site posted elsewhere and thought they were both predictable and hilarious.
A better group psychological approach might have been to only name the penis filter, ye. Then the transgressions are on the vandal who can't rationalize it is sticking it to the man, but that he is just that guy drawing swastikas.
I was proud of my ability to have an extremely penis looking fish get past filters. I feel like when presented with censorship my instinct is to always test its limits
To be fair, it says the attention was unexpected, and this was just a coding exercise... And the port-mortem shows what I'd hope to see: digging in and figuring out root causes. So I'm not judging OP poorly over this.
But still. Launching a vibe-coded app that accepts input from anonymous users is just asking for trouble. I'm frankly surprised it ran as long as it did without such problems. (Although I did see a few weenies swimming around even before the problem hours.)
The lesson I'd pull from this is that if you are not the type of dev who could put together a post-mortem along these lines... don't launch a vibe-coded app.
Ultimately an app like this caused more joy than harm. I'm all for people vibe coding fun little things like this when the stakes are low. Would prefer to see more non coders with diverse ideas feeling empowered to start a project rather than them seeing a huge wall to climb and never starting. The web needs more silly apps from silly people.
> I used the JWT to authorize login, but never confirmed that the JWT token belonged to the userId / email associated with it in the admin actions. So you could log in with my username and password, grab the JWT, and then send that along with your request.
IANAWD: What is more appropriate than an admin token being able to authenticate admin actions?
An admin token, that's presented by the admin it belongs to.
It's like I have a security access card to gain entry to a building, it's not really serving its purpose if I give you my pass and you turn up, they need to check it belongs to the person presenting it.
Got a killer original idea, got it built, learned a ton, is embarrassed about a few failures because he’s actually a solid professional. Well done, mate. If it didn’t cost you $100k, take down the network or lose you your job, you’re ahead and will laugh in a year.
I've noticed with nearly all of these "Vibe Code" security fatalities, they're nearly ALWAYS using Firebase as a backend. I get it, I've used Firebase for a number of enterprise and personal projects, its convenient and easy to setup.
But even before LLM coding, I had team members walk into its numerous footguns - especially around public buckets and bad firestore rules. How many of these stories are really to be blamed on the AI tooling, and how many could be blamed on the very poor default settings of Firebase?
42 comments
[ 3.6 ms ] story [ 37.1 ms ] threadBeing in security I laughed because of how egregious it was but also because I knew someone on HN with some actual time on their hands to help properly would be along soon.
I also appreciate this post mortem. Vibe-coded anything in prod is a lot of my work load in IR these days but it was nice to see such a low stakes project properly documented.
> It is really fun to just have high velocity, and it is really fun to not do code reviews and to just push stuff.
Was slurfish fun?
Looks like if you don't like doing deep and thorough code reviews, LLM-generated code is not for you.
As the author concludes, "...LLMs are a tool. They let you generate a lot of code really fast...it is up to you to review it"
Yes.
Here in Zurich there's a mural of maybe twenty dinosaurs (not accurate but something that looks like it would be in a children's book). One day someone drew a dick on every single dinosaur. Even the flying pterodactyl had a big dick hanging off of him. It was so puerile and primitive it cracked everyone up that saw it. No tags. No football club graffiti. Just dicks everywhere. Thankfully the mural was repaired pretty quickly.
I can draw a fish facing left, but for some reason it's very difficult to draw one facing right.
POST https://fishes-be-571679687712.northamerica-northeast1.run.a... {"fishId":"xxxx","vote":"up"}
Curious if you were inspired by Lego's build-a-fish* exhibit at the Lego House? I visited recently and it is ridiculously addictive to see a fish you create swim with others :)
https://www.youtube.com/watch?v=KYs3ne0HCwM
Later I saw images of the attacked site posted elsewhere and thought they were both predictable and hilarious.
At least people trying to see if they can get around a fish detector are going to preferentially submit toilets and tires (and dicks, sure). :)
Well, there ya go.
To be fair, it says the attention was unexpected, and this was just a coding exercise... And the port-mortem shows what I'd hope to see: digging in and figuring out root causes. So I'm not judging OP poorly over this.
But still. Launching a vibe-coded app that accepts input from anonymous users is just asking for trouble. I'm frankly surprised it ran as long as it did without such problems. (Although I did see a few weenies swimming around even before the problem hours.)
The lesson I'd pull from this is that if you are not the type of dev who could put together a post-mortem along these lines... don't launch a vibe-coded app.
IANAWD: What is more appropriate than an admin token being able to authenticate admin actions?
It's like I have a security access card to gain entry to a building, it's not really serving its purpose if I give you my pass and you turn up, they need to check it belongs to the person presenting it.
Is it pretty common to get doxxed for getting to the top of HN?
https://drawafish.com/rank.html?userId=1754341779700_log2xle...
Edit: it's been deleted.
But even before LLM coding, I had team members walk into its numerous footguns - especially around public buckets and bad firestore rules. How many of these stories are really to be blamed on the AI tooling, and how many could be blamed on the very poor default settings of Firebase?