70 comments

[ 4.7 ms ] story [ 25.4 ms ] thread
Someone used Codex to scrape the ICM website schedule and discovered that the winners list was simply hidden in the front-end code with a "hidden" tag

This is on the devs and feels like a very basic leak which could have exploited in the non LLM world as well.

Yeah that happens all the time. Anyone/thing with popular public releases has fans/journeys scraping the website looking for unreleased material or scoops.

In the early days one of the high profile soaps in the UK published their "catch up" summaries for the week ahead which you could get just by editing the date in the URL. But back then not so many people were looking, so they were doing it for months...

Well, the angle is kind of important here. The company gets their name in the news, they have a reasonable explanation why they were scraping around, and we end up with a story about innovative tech company whiz-kids who made a funny discovery, while it was the webdevs on the other side that goofed up.

Imagine a private individual just scraped the website (or simply clicked 'view source') for no reason in particular and then told people about it... They'd be labeled an uber-haxxor, face a civil lawsuit asking for ridiculous damages while being threatened with a prison sentence over CFAA violations. Hell, that might even drive some people to suicide.

The fact that an egregious case happened once, decades ago, is probably not sufficient grounding to act like every bit of equally trivial “hacking” always results in massively disproportionate law enforcement response.

Sucks it happened. But we all know that is not the typical scenario.

>But we all know that is not the typical scenario.

Eh, it's typical enough that most cyber security researchers are cautious. The laws around 'hacking' can be rather stupidly written while judges and juries aren't the smartest bunch.

Back in the day, you could read a stories like this on Slashdot practically every other week. It usually goes like this: Company/institution does something stupid, somebody finds out, tries to be a good citizen and tells them. The organization then throws a tamper tantrum in the media, fires the legal department on all cylinders, screaming "hacker!" and throwing the book at them. The most egregious cases always happened in the US, because the CFAA is a particularly strong book to throw.

People eventually got the hint and either talked to the press instead, or organizations like the CCC (at least in this part of the world) and let them deal with the organization and not talk them directly.

At least in my perception/memory, it started improving over the 2010s, but stories like this are now starting to crop up again in recent years. I guess we have a new crop of computer enthusiasts and new crop of suits who need to learn the same lessons again.

Of the top of my head, the CTF group in Malta comes to mind that were giving a talk at (last years?) CCCongress. A badly worded E-mail asking about a bug bounty resulted in several arrests, house searches and ultimately a presidential pardon (https://timesofmalta.com/article/pardon-issued-students-lect...).

Unfortunately we don't have to imagine

"In early October, Renaud discovered that Social Security numbers for teachers, administrators and counselors were visible in the HTML code of a publicly accessible site operated by the state education department..."

"Yet despite the fact that officials within the Missouri Department of Elementary and Secondary Education initially wanted to thank Renaud for uncovering the flaw... [Governer] Parson labeled the reporter a hacker and called for criminal prosecution."

https://missouriindependent.com/2022/02/11/prosecutor-isnt-p...

Most of what an LLM does "could have" been done by a human if you throw enough human hours at it. But the reality in this circumstance is that a new tool helped find this leak. Saying this could have happened in a "non LLM world" is analogous to "someone else could have discovered special relativity, let's not mention Einstein"
My point is about the emphasis of Codex in the title. That emphasis makes more sense when Codex is credited with finding something that would have been difficult or impractical to discover without substantial human effort.
It's Wang Hong, my god. Cannot they still don't write proper Chinese names?
> Cannot they still don't write

Amusing to see someone complaining about not using their definition of "proper language" when they themselves are not using proper language.

This is sad, almost as sad as the Deathly Hallows pre-release leak.
> Hong Wang will become the third female mathematician in history to receive the Fields Medal

Interestingly, if true, it will also be the first time an MIT PhD graduate has won the Fields Medal.

I've been working on a site. It's new, domain is only a few weeks old. It's got SSL, so all the bots know it exists. It's never had any sub-pages exposed, just the placeholder lander, no links.

Somehow in Google search one of the unguessable pages is indexed. We have used Claude and Gemini to assist with some design aspects.

I'm thinking some aggressive data ingestion/indexing is happening by all the bots in the quest for frontier models.

I've also seen Google indexing pages with random values in the path that don't get linked to statically (server asks for the URL then redirects to it immediately). I'm pretty sure they index straight out of the Chrome address bar.
Yep. I remember a similar story as GP described from a friend back in 2008. The site he was working on that wasn't linked to yet was suddenly indexed after he checked out what it looked like in the fancy new "Chrome" browser that Google had just released, causing some moderate panic on his end.
This is why i use Firefox
My guess is safe browsing but who knows now they've redirected the Safe Browsing privacy policy [1] to the Chrome privacy policy [2] and then redirected the Chrome privacy policy to the main Google Policy which includes such gems as "And we use your information to make improvements to our services" [3]

Using URLs submitted to safe browsing service to "improve" their Google search index sure seems to fit.

It's interesting how Google is getting away with publishing a privacy policy which is so vague and only includes "examples" of some usage rather then comprehensive lists of all uses.

[1]: https://www.google.com/intl/en_us/privacy/browsing.html [2]: https://www.google.com/intl/en/chrome/privacy/

Depending on the CMS, if it's wordpress (15% chance, ha) there is a sitemap function built-in out of the box. The bots don't need to guess.
No CMS, no sitemap, no robots.txt either.
There's a couple avenues besides just stealing what's in your URL bar.

If you don't use wildcard certs all of your subdomains can be scraped from the certificate transparency logs. Additionally, any domain+cert using HSTS with preload enabled end up in a big list at Google to speed up the initial connection from browser to site.

For hosts, but not pages on the site.

But I think the other explanations take care of pages: cloudflare hints, chrome reporting addresses visited, etc.

> HSTS with preload enabled end up in a big list at Google to speed up the initial connection from browser to site.

HSTS preload is not for speed. It's to protect against SSL stripping on first connection. Modern browsers already try port 443 first or in parallel with 80.

(comment deleted)
Google Chrome used to report visited pages back to Google, not sure if this still the case. Also, Google Analytics can see visited pages and Google uses it.

Finding domains is easy, everybody uses CTL to find them.

Google uses data from chrome. If you visited it with chrome, google knows it exists.
You ISP also collects and sells data to companies like Moz, and possibly to Google too.
Isn't leaking browser extension used by one of people on the team (doesn't need to be developer, could be qa or anybody with whom the access was shared) more plausible?
Nothing you enter into an LLM not hosted by you, or put onto the web is safe from being collected and exploited by these "AI" companies and their LLM's voracious appetite.
Chat programs catch links you send.

Also that browser setting to check urls are safe sends them out “sometimes“.

They log all DNS requests made to their public resolver in a searchable internal database, at least when I worked there a decade or so ago. I wonder if they seed their crawler with it?
The tin hat guess. Did you include Google analytics embedded in the pages? Do you navigate to pages and Google analytics sends that data home? 10 years ago I discovered that Google analytics would send the equivalent amount as organic users; meaning if we sent an email newsletter with links to articles, Google would send almost 1:1 ratio the same number of people from search results.

Do you use a CMS or other tools that auto generate sitemap.xml? Perhaps you unknowingly told Google about those sub-pages.

No GA, no external assets, no Google fonts. I really thought I was being careful.
It's indexed some unlisted draft blog posts of mine that were never touched by AI or published anywhere. I use a static site generator so there's no earthly way they ever found the pages by scraping, at most I visited the pages once or twice from my browser.
I've always wondered if Chrome leaks these URLs too.
Hmm. Seems like this could be used for an ARG
I've gotten unguessable hits in the logs because somebody who was authorized to use them had a virus that exfilterated their browser history.

Might have been an evil chrome extension, but ever since Google went IOK2BE ("It's OK to be Evil"), maybe it's just Chrome itself.

I have about 50 subdomains. One was used by a colleague who cant do his shoelaces without claude. That subdomain gets 10 times more spam and hacking attempts.
twist: codex also wrote the code that placed the winners list in a hidden element
too bad that those winners can no longer bet themselves on polymarket as the winner and make big money.
> The leak occurred when four Fields Medal laureate lecture fields, marked "HIDDEN," were discovered in the front-end code of the ICM 2026 official schedule.

So it was easier than I thought. Bot just scraped public page with hidden fields, not a secret page or to-be-published page from database.

I'm tired of the framing in the media these days.

"Mythos will end the world!!"

"How?"

"By finding a bunch of wide open security holes that have existed for years."

Oookay. Is this a Mythos problem? Or a lazy/greedy/uncaring people problem?

People want simple answers to complex problems. When you find out most of society is held together with duct tape, promises, and trust, and then you have tool accelerant come along like GenAI, expectations violently meet reality. GenAI simply democratized the ability to evidence, inexpensively and at scale, in a wide variety of contexts, that "The Emperor has no clothes."
On the one hand, news coverage is overblown.

But scale and accessibility are absolutely a new class of problem.

In the 1960s you could pay thousands of people to watch hundreds of cameras and listen to hundreds of phone lines to monitor people, but the cost was so enormous that unless you were in East Germany or Moscow it wasn't a realistic threat model.

Now with computers we can cheaply have thousands of cameras with cheap storage that's retained forever and automatic image processing that means everyone is exposed to that kind of surveillance, which is a brand new problem.

Storage is less cheap right now

I've often shared my prediction that future historians will study us all and that every living human will be the subject of someone's PhD thesis. I'm updating that prediction to be that those future someone's will be silicon based.

Yes but also as always a people problem. People put the cameras and monitoring systems in place and operate them, to govern other people who ultimately yield to be governed, as the alternative is made too costly / dangerous by the governors.
> as the alternative is made too costly / dangerous by the governors.

There's nothing government (corporate or political) has made "costly" or "dangerous" about not having them, society did that all by itself: people will actively pay more to have these things because they see the benefit more than the risk, video calls with friends and family, not a hacker being able to duplicate their keys from one photo.

There's 6 cameras on my desk right now, attached to internet-capable devices. Two phones, two laptops. I've got covers over all of them, which is easy, and sometimes mandatory e.g. when visiting the headquarters of certain big-tech firms.

I'd never buy a smart camera. Don't trust them not to spy on me. But I do have a Raspberry pi upstairs, with a NoIR camera module, and an AI-coded bit of webcam software. Might consider it for seeing what animal gets into the garden at night.

It’s still a problem we wouldn’t have without LLMs like Mythos existing. Yes, the solutions are different when you know the full context but “it’s just bad code” doesn’t mean there isn’t a problem.
> Oookay. Is this a Mythos problem? Or a lazy/greedy/uncaring people problem?

¿Porque no los dos?

All AI risk can be described with a narrative that ends in "some human were lazy and didn't care enough", it's just which humans and how much caring was enough.

It’s systematic

“6-12 mo to shaky profitability + ability to quickly iterate” is a business that has a good chance of surviving while “However long it takes to be fully secure” is a business that is not only rigid but needs massive up-front capital to get there and even then there’s no guarantee that the market fit is right

And after that is something we could call the “Pareto spiral”: if a company find market fit and builds an excellent product, competitors can survive at 80% of that quality. If the “100%” fails for any reason, the competitors become the new ceiling and now their competitors can survive at 80% of that (now 64%)

And only one round in, how secure could that 64% company be?

Surely there's a competitive dynamic where if you really want to take down your competition you point your weaponized agent at their stuff and find some holes.

Seems given that the new security equilibrium baseline will settle much higher.

This has always been true to some extent: some have used weaponized security tools against competitors. It comes with legal risks (as it does with AI) but overall it doesn’t really improve the security baseline unless those holes are made public
This framing happens because emotions such as scarcity, fear from unknown etc sells 4x more than good emotions.

And in many cases, authors/journalists are often amateurs in the fields they write about.

And/Or they don’t have enough time to investigate details as everybody expects instant news so pressure to be fast (and the first) is enormous.

(I do specialized articles for living.)

The AI labs are 100% responsible for that framing
Heartbleed, one of the worst bugs in terms of exploitability and reach, was a bug that many engineers would be able to spot, if they were explicitly looking for it.

That's the risk of tools like Mythos/Fable/any LLM. While a human's eyes would glaze over what looks like a standard memcpy, an LLM with the right context might instantly realize the payload length was never actually verified.

And since Heartbleed existed for years, despite the full bug existing in pretty much one file, in one of the most important libraries out there, it's right to be afraid of what other obvious bugs exist and are just waiting to be found.

If the prompt was “Who are 2026 Field Medal Winners” it is impressive regardless of the stupidity of people managing the website
First of all congrats to the winners.

Second, fitting that codex enters the picture.

The last time the fields medals were announced llms were still very nascent :)

And I am convinced this is the last time pure human fields medalists will be announced.

The next batch’s winners are all going to have llms as coauthors.

This is like when a news site throws up a paywall and hides half the article. Open inspector. Select the body, delete the overflow/scroll capture styles, delete the masks... and boom there is the entire article. Only some sites are smart enough to actually truncate the content server-side.
really tacky of the finders to disclose the names.
I work at a company that collects and monitors web data for investment firms (in an ethical and healthy way, unlike the AI crawlers). I can tell you there is a surprising amount of money to be made in the public markets based on uncovering such hidden signals like FDA approvals, product announcements, governmental policies etc. And agents are very good in finding these kind of unintended leaks.