
122 points waldopat | 4 comments
toddmorey No.44738229
"The vulnerability we discovered was remarkably simple to exploit - by providing only a non-secret app_id value to undocumented registration and email verification endpoints." So you could sign yourself up as editor / collaborator on any app once you knew the app's ID.

Jeez, that's sloppy. My colleague in 2000 discovered you could browse any account on his bank's website by just changing the (sequential!) account IDs in the URL. In a lot of ways we've made great strides in security over the last 25 years... and in many ways, we haven't.

replies(4): >>44738468 >>44738495 >>44739179 >>44743468
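The bug class in the comment above (a request carries a non-secret object id and the server acts on it without asking who is calling) is the same whether the id is an app_id sent to a registration endpoint or a sequential account number in a bank URL. The following is an added illustration, not the vendor's code or the bank's: it models both situations in memory, shows the vulnerable handlers that trust the id alone, and puts a hardened version beside each in which authorization is derived from the actor. All names, identifiers, sample data and the owner-minted invite-token scheme are constructed assumptions.

```python
"""Added illustration (not the vendor's or the bank's code): handlers that act on
a caller-supplied object id with no check of who is asking, next to hardened
versions that derive authorization from the actor. All names, ids, data and
the invite-token scheme are constructed assumptions for this example."""
import hashlib
import hmac
import secrets

# Constructed sample data: app ownership, and a bank-style account table with
# sequential ids, the two situations described in the comment.
APPS = {
    "app_1001": {"owner": "alice", "collaborators": set()},
    "app_1002": {"owner": "bob", "collaborators": set()},
}
ACCOUNTS = {
    1: {"owner": "carol", "balance": 120},
    2: {"owner": "dave", "balance": 75},
}
SERVER_KEY = secrets.token_bytes(32)  # assumption: a per-deployment secret


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the object."""


# ---- vulnerable: the non-secret id is the only input ------------------------
def add_collaborator_vuln(app_id: str, email: str) -> bool:
    """Anyone who knows app_id can add any address; no check of who is asking."""
    app = APPS.get(app_id)
    if app is None:
        return False
    app["collaborators"].add(email)
    return True


def view_account_vuln(account_id: int):
    """Sequential ids plus no ownership check: walking the id space dumps everything."""
    return ACCOUNTS.get(account_id)


# ---- hardened: authorization comes from the actor, not the identifier --------
def _invite_mac(app_id: str, invitee: str) -> str:
    return hmac.new(SERVER_KEY, f"{app_id}\n{invitee}".encode(), hashlib.sha256).hexdigest()


def issue_invite(actor: str, app_id: str, invitee: str) -> str:
    """Only the app owner may mint an invite; the token binds app and invitee."""
    app = APPS.get(app_id)
    if app is None or app["owner"] != actor:
        raise Forbidden("only the owner can invite collaborators")
    return _invite_mac(app_id, invitee)


def add_collaborator(app_id: str, invitee: str, invite_token: str) -> bool:
    """Registration succeeds only with a token the owner minted for this exact pair."""
    app = APPS.get(app_id)
    if app is None:
        return False
    if not hmac.compare_digest(_invite_mac(app_id, invitee), invite_token):
        raise Forbidden("missing or invalid invitation")
    app["collaborators"].add(invitee)
    return True


def view_account(actor: str, account_id: int):
    """The id selects the row; ownership decides whether the actor may see it."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != actor:
        raise Forbidden("not your account")  # same answer for missing and foreign rows
    return acct


def attacker_attempts(attacker: str = "mallory") -> dict:
    """Replays both attacks against both versions and reports what succeeded."""
    out = {}
    out["vuln_join_with_id_only"] = add_collaborator_vuln("app_1001", attacker)
    out["vuln_enumerated_ids"] = [i for i in range(1, 4) if view_account_vuln(i)]
    try:
        issue_invite(attacker, "app_1002", attacker)  # attacker is not the owner
        out["hardened_self_invite"] = True
    except Forbidden:
        out["hardened_self_invite"] = False
    try:
        add_collaborator("app_1002", attacker, "0" * 64)  # guessed token
        out["hardened_join_with_id_only"] = True
    except Forbidden:
        out["hardened_join_with_id_only"] = False
    legit = issue_invite("bob", "app_1002", "eve")  # owner invites eve
    try:
        add_collaborator("app_1002", attacker, legit)  # token is bound to eve, not attacker
        out["hardened_token_transfer"] = True
    except Forbidden:
        out["hardened_token_transfer"] = False
    seen = []
    for i in range(1, 4):
        try:
            view_account(attacker, i)
            seen.append(i)
        except Forbidden:
            pass
    out["hardened_enumerated_ids"] = seen
    return out


if __name__ == "__main__":
    for key, value in attacker_attempts().items():
        print(f"{key}: {value}")
```

Two design points worth noting. The hardened account view returns the same Forbidden for a missing id and for someone else's id, so an attacker walking the id space learns nothing about which accounts exist. The invite token here is the minimum needed to show the principle (it is bound to the app and the invitee, and only the owner can mint it); a production version would additionally be single-use, expire, and be delivered through the invitee's verified email channel rather than returned to the caller.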
1. subw00f No.44738468
Prepare for a whole new era of step backs when everyone is a “prompt engineer”.
replies(3): >>44739118 >>44741806 >>44744069
2. andersa No.44739118
How nice to know they will be implementing the mandatory age verification systems for this new generation of the internet!
3. No.44741806
4. Cthulhu_ No.44744069
At least they're costly mistakes that a new generation of decision makers will hopefully learn from.