Naughty Dog Studio Orders Employee Overtime for 'Intergalactic'

https://www.bloomberg.com/news/articles/2025-12-18/sony-s-naughty-dog-studio-orders-employee-over...
3•HelloUsername•4m ago•0 comments

A TS library for connecting videos in your Mux account to multi-modal LLMs

https://github.com/muxinc/ai
1•tilt•7m ago•0 comments

Plaintext Casa First Release

https://github.com/nkoehring/plaintext.casa/releases/tag/v0.3
1•koehr•7m ago•1 comments

The Art of Vibe Design

https://www.ivan.codes/blog/the-art-of-vibe-design
1•dohguy•7m ago•0 comments

Starlink 35956 suffered a failure with venting of the propulsion tank

https://bsky.app/profile/planet4589.bsky.social/post/3mac4a3owxs2c
1•perihelions•7m ago•0 comments

CVSS 10.0 HPE OneView RCE bug identified

https://www.scworld.com/news/10-0-hpe-oneview-rce-bug-identified-patch-now
1•Bender•7m ago•0 comments

Wyoming Blasted by 123 MPH Winds on Wednesday and More Wind to Come

https://cowboystatedaily.com/2025/12/17/wyoming-blasted-by-123-mph-winds-and-fierce-mountain-snow...
1•Bender•8m ago•0 comments

Token-Count-Based Batching: Faster, Cheaper Embedding Inference for Queries

https://www.mongodb.com/company/blog/engineering/token-count-based-batching-faster-cheaper-embedd...
1•fzliu•9m ago•0 comments

New X-ray images show interstellar comet as it makes closest approach to Earth

https://www.cnn.com/2025/12/18/science/interstellar-comet-3i-atlas-xray-earth
1•Bender•9m ago•0 comments

Trump media group agrees $6B merger with Google-backed fusion energy company

https://www.ft.com/content/1e1978d5-535b-4241-872f-38db778df694
2•perihelions•10m ago•0 comments

A Starlink Satellite Exploded

https://twitter.com/Starlink/status/2001691802911289712
2•wmf•10m ago•0 comments

LionsOS Design, Implementation and Performance

https://arxiv.org/abs/2501.06234
1•indolering•11m ago•0 comments

Mitsubishi Electric Technology Detects Intoxication During Driving

https://us.mitsubishielectric.com/en/pr/global/2025/1216/
2•geox•12m ago•0 comments

LLMs' impact on science: Booming publications, stagnating quality

https://arstechnica.com/science/2025/12/llms-impact-on-science-booming-publications-stagnating-qu...
2•pseudolus•14m ago•0 comments

GIJN's Top Investigative Tools of 2025

https://gijn.org/stories/gijn-top-investigative-tools-2025/
1•runningmike•14m ago•1 comments

BoltCache: A High-Performance Redis Alternative Built in Go

https://github.com/wutlu/boltcache
1•spotlayn•14m ago•0 comments

2005 Elon Musk Sounded Like Satoshi Nakamoto

https://old.reddit.com/r/conspiracy/comments/1pp2is1/2005_elon_musk_sounded_like_satoshi_nakamoto/
1•tokenmemory•15m ago•1 comments

Two Kinds of Vibe Coding

https://davidbau.com/archives/2025/12/16/vibe_coding.html
4•jxmorris12•16m ago•0 comments

Control Panel for Twitter

https://soitis.dev/control-panel-for-twitter
1•xnx•17m ago•1 comments

Model hallucinations aren't random. They have geometric structure

https://arxiv.org/abs/2512.13771
2•devy•19m ago•0 comments

Analytical dashboards and AI chat: local dev to prod (Vercel and Boreal)

https://www.fiveonefour.com/blog/chat-analytical-dashboards-guide
1•oatsandsugar•22m ago•0 comments

Most Top-Achieving Adults Weren't Elite Specialists in Childhood, New Study Finds

https://www.wsj.com/science/elite-high-performance-adults-children-sports-study-ae8d6bed
3•achristmascarl•23m ago•0 comments

FAA Warns of Military Aircraft Flying Undetected in Caribbean

https://www.bloomberg.com/news/articles/2025-12-18/faa-warns-of-military-aircraft-flying-undetect...
2•toomuchtodo•24m ago•1 comments

GitHub delays GHA price increase

https://twitter.com/github/status/2001372894882918548
2•timvdalen•29m ago•2 comments

Ask HN: Is there an open source "turbopuffer"?

1•koconder•33m ago•0 comments

Calculate founder dilution across funding rounds

https://angelmatch.io/resources/cap-table-calculator
2•educated_panda•33m ago•0 comments

Ask HN: How to spend L&D/Training funds before the end of the year?

2•jamestimmins•35m ago•1 comments

Obscure Polish company launches 122.88TB PCIe 5.0 immersion cooled SSD

https://www.techradar.com/pro/obscure-polish-company-quietly-launches-massive-122-88tb-pcie-5-0-i...
2•piterrro•35m ago•0 comments

State of Radicle CI in 2025

https://blog.liw.fi/posts/2025/radicle-ci-status-quo/
1•aiw1nt3rs•36m ago•0 comments

Backprop in Rust ML lib blogpost

https://cant.bearblog.dev/we-need-to-go-back-to-the-gradient/
1•TuckerBMorgan•38m ago•1 comments

How to hack Discord, Vercel and more with one easy trick

https://kibty.town/blog/mintlify/
48•todsacerdoti•1h ago

Comments

devrupt•1h ago
See also https://news.ycombinator.com/item?id=46317098
llmslave2•1h ago
This feels so emblematic of our current era. VC funded vibe coded AI documentation startup somehow gets big name customers who don't properly vet the security of the platform, ship a massive vulnerability that could pwn millions of users and the person who reports the vulnerability gets...$5k.

If I recall last week Mintlify wrote a blog post showcasing their impressive(ly complicated) caching architecture. Pretending like they were doing real engineering, when it turns out nobody there seems to know what they're doing, but they've managed to convince some big names to use them.

Man, it's like everything I hate about modern tech. Good job Eva for finding this one. Starting to think that every AI startup or company that is heavily using gen-ai for coding is probably extremely vulnerable to the simplest of attacks. Might be a way to make some extra spending money lol.

subscribed•59m ago
You bet not all THE vulnerabilities are reported to the vendors. Not with 5k bounty for THAT.
guizadillas•52m ago
Yeah it made me re-evaluate how much I can trust those platforms
llmslave2•37m ago
Yeah that's the scary thing. I know it's a bit of a meme about how as programmers we don't trust other programmers or software, but it's becoming more and more true and necessary. I want to use as little software as possible these days.
gruez•46m ago
> This feels so emblematic of our current era. VC funded vibe coded AI documentation startup somehow ...

Is there any indication Mintlify was "vibe coded"?

llmslave2•38m ago
I'm giving them the benefit of the doubt, as the alternative would be that their developers are completely incompetent. The vulnerability is the equivalent to letting a user save HTML to a database and then injecting it into every page completely unsanitized.
sans_souse•51m ago
$5k is such a small payout for this sort of finding.
ChrisArchitect•25m ago
Related:

We pwned X, Vercel, Cursor, and Discord through a supply-chain attack

https://news.ycombinator.com/item?id=46317098

ollybee•8m ago
How is a company like Mintlify getting so many big name customers for what appears to be a static site generator + hosting? Is there some secret sauce I'm missing, what is the value proposition?
tommica•3m ago
Convenience and developer uncertainty. I fall prey to the "it's paid, so it must be better" fallacy, and the "they know what they are doing, they are pros" illogicality.