Securing a DoD Contractor: Finding a Multi-Tenant Authorization Vulnerability

https://www.strix.ai/blog/how-strix-found-zero-auth-vulnerability-dod-backed-startup
81•bearsyankees•1h ago

Comments

ryanisnan•53m ago
Yikes, Schemata and that delinquent CEO should be held accountable.
DougN7•51m ago
Would it be possible to stop using aXXb nomenclature within the titles? Some of us aren't hip enough to know what all of them mean.
bearsyankees•50m ago
Apologies, just a VC firm.
tomhow•10m ago
The guidelines require using the same title on HN as is on the original post.
tptacek•8m ago
Even when the author submits? :)
bearsyankees•5m ago
Oh, apologies, thanks for the reminder.
beambot•50m ago
Their website is literally a16z.com... you'd rather say Andreessen-Horowitz, which is just as arbitrary as a16z? They're one of the top VC firms on the planet -- exceedingly relevant for the HN audience.
DougN7•41m ago
I'll be honest - I was thinking authorization (a11n?) - so I didn't read it closely enough. But despite that, and being on HN from almost the beginning (with a different account I lost the password to), I still didn't know what a16z was, though I do recognize Andreessen-Horowitz.
Semaphor•34m ago
Opposite for me, I've seen a16z tons of times on HN, and also the domain where sometimes, but the full name would have meant nothing to me.
rectang•33m ago
I didn't either. This is an ancient debate that can never be resolved completely, though — because the articles that HN submissions point to don't follow a style guide and there are always assumptions about audience priors. Best to just resolve it and move on.
krisoft•15m ago
> you'd rather say Andreessen-Horowitz, which is just as arbitrary as a16z

Yes. I know Andreessen-Horowitz and I don't know a16z. Reading the title I thought it would be about the cryptography serialisation specification. Turns out I was mixing it up with ASN.1.

> Their website is literally a16z.com

I hear now. Before this, if pressed, I would have guessed that they probably have a website indeed. If you had twisted my arm, my guess would have been andersenhorovitz.com (yup, with the typos. I learned the correct spelling today from your comment.)

> exceedingly relevant for the HN audience

We contain multitudes.

operatingthetan•15m ago
They just want to sound technical.
rectang•50m ago
a16z = "Andreessen Horowitz", for those not in the know. (The acronym is not expanded in the article. EDIT: OP has fixed the article.)
bearsyankees•47m ago
Fixed now.
rectang•45m ago
Thanks! Happy to have my comment hidden by the mods if they get around to it.
bearsyankees•45m ago
appreciate the feedback!!
bearsyankees•46m ago
https://x.com/strix_ai/status/2051361018450948511
bryancoxwell•41m ago
> Their initial reply from the CEO: "I would love to hear what the vulnerability is, but I assume you want to get paid for it. Is that the play?"

Well that’s pretty damning.

tencentshill•30m ago
They could sell the next one to an adversary for a lot more money if they're going to act like that.
lixtra•20m ago
Yes, there are also many other lucrative illegal activities.
tardedmeme•17m ago
Isn't it also illegal to withhold knowledge of a vulnerability for payment? It sounds like it should fall under some variety of blackmail.
cyberax•23m ago
I keep getting emails with the content like: "I found a critical bypass vulnerability in your app what is the appropriate channel to disclose it, and do you have a bounty program?"

I tried engaging and replying to them, and it inevitably turns into: "Yeah, we don't actually have the vulnerability, but you are totally vulnerable, just let us do a security audit for you".

I have a pre-written reply for these kinds of messages now.

Galanwe•17m ago
From the looks of it, they actually asked for a way to report.
bdangubic•8m ago
email security@company
cyberax•8m ago
Yeah. I'm just saying how it could have been overlooked. Doesn't excuse it, though.
janice1999•19m ago
Finally the AI security startup hustlers will keep the other tech startup hustlers in line. Maybe the era of devastating leaks and total disregard for user privacy will come to an end (doubtful).
bearsyankees•17m ago
LOL
codegeek•16m ago
"There was no meaningful organization scoping, no tenant isolation, and no permission check preventing a low-privilege user from accessing other organizations' records."

Let me guess though. They are SOC2 and ISO compliant, right?

tardedmeme•15m ago
I wonder if this is how Handala group stole the list of service members recently.

How do people find these vulnerabilities within the immense scope of the whole internet? Are they going around with some kind of generic API scanner that discovers APIs?

tptacek•9m ago
Initial take: as vulnerability stories go, this is a pretty boring one; what they have here is a target that was secured largely by the fact that few people knew about it. The most work done in this blog post is establishing that a training platform deployed by DoD might be much more sensitive than the same kinds of applications which are ubiquitous throughout corporate America and which are generally boring targets.

The vulnerability itself appears to be something anyone with mitmproxy would have spotted within minutes of looking at the platform; apparently, rotating object IDs worked everywhere in the app, and there was no meaningful authz.

It's interesting if AI systems can "spot" these, in the sense of autonomously exercising the application and "understanding" obvious failed authz check patterns. But it's a "hm, ok, sure" kind of interesting.
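The failure pattern the thread keeps coming back to (sequential object ids that resolve for any authenticated caller, with no organisation scoping and no role check for a low-privilege user) is easiest to see as a lookup function beside its tenant-scoped form. The following is an added example written for this discussion; it is not code from the Strix write-up or from the affected platform, and the records, users, organisation ids and the member/admin role model are constructed for the demonstration. The `cross_tenant_leaks` sweep is the kind of authorization regression test a defender would keep in CI so that a route which silently drops its tenant filter fails the build.

```python
"""Tenant-scoped authorization, shown as a vulnerable and a hardened lookup.

Added example, not code from the Strix write-up or from the affected
platform. Records, users, organisation ids and roles are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    id: int
    org_id: str
    body: str


@dataclass(frozen=True)
class User:
    id: str
    org_id: str
    role: str  # "member" or "admin" (assumed role model)


class NotFound(Exception):
    """Maps to HTTP 404."""


class Forbidden(Exception):
    """Maps to HTTP 403."""


# Constructed store: sequential integer ids spanning two tenants, the
# shape that makes rotating ids across organisations trivial.
RECORDS = {
    1: Record(1, "org-a", "org-a record 1"),
    2: Record(2, "org-a", "org-a record 2"),
    3: Record(3, "org-b", "org-b record 1"),
    4: Record(4, "org-b", "org-b record 2"),
}


def get_record_vulnerable(store, user, record_id):
    """Primary-key lookup only: the caller is authenticated but never
    compared against the record's organisation (the pattern in the post)."""
    rec = store.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return rec


def get_record_scoped(store, user, record_id):
    """Scope every read to the caller's tenant. A foreign record is
    reported as NotFound rather than Forbidden so the response does not
    confirm which ids exist in other organisations."""
    rec = store.get(record_id)
    if rec is None or rec.org_id != user.org_id:
        raise NotFound(record_id)
    return rec


def delete_record_scoped(store, user, record_id):
    """Writes add a role check on top of tenant scoping: a low-privilege
    member may read their own org's records but not delete them."""
    rec = get_record_scoped(store, user, record_id)  # tenant check first
    if user.role != "admin":
        raise Forbidden(f"{user.id} lacks delete on {rec.id}")
    del store[record_id]
    return rec


def cross_tenant_leaks(lookup, store, user, id_range):
    """Authorization regression test: sweep an id range as `user` and
    return the ids that resolved to another organisation's record.
    A correct implementation returns an empty list."""
    leaked = []
    for rid in id_range:
        try:
            rec = lookup(store, user, rid)
        except (NotFound, Forbidden):
            continue
        if rec.org_id != user.org_id:
            leaked.append(rid)
    return leaked


def outcome(fn, *args):
    """Return the function result, or the exception class name, so an
    access-control matrix can be checked with plain equality."""
    try:
        return fn(*args)
    except (NotFound, Forbidden) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    member_a = User("u-1", "org-a", "member")
    ids = range(1, 5)
    print("vulnerable leaks:", cross_tenant_leaks(get_record_vulnerable, RECORDS, member_a, ids))
    print("scoped leaks:    ", cross_tenant_leaks(get_record_scoped, RECORDS, member_a, ids))
    print("member delete:   ", outcome(delete_record_scoped, dict(RECORDS), member_a, 1))
```

Two design choices matter here. The tenant filter lives in the data-access function rather than in each route handler, so a new endpoint cannot forget it; and foreign records return the same 404 as missing ones, so the error code itself does not act as an oracle for which ids exist in other organisations.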
