
How to hack Discord, Vercel and more with one easy trick

https://kibty.town/blog/mintlify/
74•todsacerdoti•3h ago

Comments

devrupt•2h ago
See also https://news.ycombinator.com/item?id=46317098
llmslave2•2h ago
This feels so emblematic of our current era. VC funded vibe coded AI documentation startup somehow gets big name customers who don't properly vet the security of the platform, ship a massive vulnerability that could pwn millions of users and the person who reports the vulnerability gets...$5k.

If I recall last week Mintlify wrote a blog post showcasing their impressive(ly complicated) caching architecture. Pretending like they were doing real engineering, when it turns out nobody there seems to know what they're doing, but they've managed to convince some big names to use them.

Man, it's like everything I hate about modern tech. Good job Eva for finding this one. Starting to think that every AI startup or company that is heavily using gen-ai for coding is probably extremely vulnerable to the simplest of attacks. Might be a way to make some extra spending money lol.

subscribed•2h ago
You bet not all THW vulnerabilities are reported to the vendors. Not with 5k bounty for THAT.
guizadillas•2h ago
Yeah it made me re-evaluate how much I can trust those platforms
llmslave2•2h ago
Yeah, that's the scary thing. I know it's a bit of a meme about how as programmers we don't trust other programmers or software, but it's becoming more and more true and necessary. I want to use as little software as possible these days.
dfc•38m ago
THW?
gruez•2h ago
> This feels so emblematic of our current era. VC funded vibe coded AI documentation startup somehow ...

Is there any indication Mintlify was "vibe coded"?

llmslave2•2h ago
I'm giving them the benefit of the doubt, as the alternative would be that their developers are completely incompetent. The vulnerability is the equivalent of letting a user save HTML to a database and then injecting it into every page completely unsanitized.
agosta•21m ago
Mintlify had a blacklist in place to not allow them to do this with most file types. Someone failed to add SVG to it. It's not like they weren't thinking about security. The challenge with security, as you know, is it's only as strong as its weakest link. It only takes one ignorant/incompetent person in an entire organization to jeopardize the org. But even a competent person can make a crucial mistake.
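The two comments above describe the failure mode in general terms: user-supplied content stored and served back unsanitized, and an extension blacklist that did not list SVG. The following is an added example written for this page, not Mintlify's code and not from the linked write-up. It assumes (an assumption, since the thread gives no detail beyond "SVG") that uploaded files were served inline from the docs origin, which is exactly where an SVG matters: it is XML, and a `<script>` element inside it runs when the browser renders it as a document. The denylist, allowlist, magic-byte table, header set and sample files are all constructed for illustration.

```javascript
// Added example: denylist-by-extension (the pattern the thread describes)
// versus an allowlist tied to content checks, plus headers for serving
// user-supplied files. Not Mintlify's code; names and lists are hypothetical.

// Hypothetical denylist of "dangerous" extensions. Note what is missing: .svg
const DENYLIST = new Set(['.html', '.htm', '.xhtml', '.shtml', '.js']);

function extOf(name) {
  const i = name.lastIndexOf('.');
  return i === -1 ? '' : name.slice(i).toLowerCase();
}

// Weak check: anything not explicitly listed is accepted, so logo.svg passes.
function denylistAllows(filename) {
  return !DENYLIST.has(extOf(filename));
}

// Hardened check: an allowlist of raster formats, each tied to the magic bytes
// the file must start with. SVG is deliberately absent: it is markup, not a
// bitmap, and cannot be made safe by an extension check alone.
const ALLOWLIST = {
  '.png':  { mime: 'image/png',  magic: [0x89, 0x50, 0x4e, 0x47] },
  '.jpg':  { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  '.jpeg': { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  '.gif':  { mime: 'image/gif',  magic: [0x47, 0x49, 0x46, 0x38] },
  '.webp': { mime: 'image/webp', magic: [0x52, 0x49, 0x46, 0x46] },
};

function allowlistCheck(filename, bytes) {
  const entry = ALLOWLIST[extOf(filename)];
  if (!entry) return { ok: false, reason: 'extension not allowlisted' };
  const head = Array.from(bytes.subarray(0, entry.magic.length));
  const matches = entry.magic.every((b, i) => head[i] === b);
  if (!matches) return { ok: false, reason: 'content does not match extension' };
  return { ok: true, mime: entry.mime };
}

// Defence in depth for anything user-supplied that is still served: stop MIME
// sniffing, force download rather than inline rendering, and forbid script via
// CSP so a future gap in the upload filter does not become stored XSS.
function headersForUserFile(mime) {
  return {
    'Content-Type': mime,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'attachment',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed sample inputs (not real uploads).
// A minimal SVG that executes when rendered inline as a document:
const maliciousSvg = new TextEncoder().encode(
  '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'
);
// The first eight bytes of any PNG file:
const pngHeader = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

function demo() {
  return {
    denylistLetsSvgThrough: denylistAllows('logo.svg'),            // true
    allowlistSvg: allowlistCheck('logo.svg', maliciousSvg),        // rejected
    allowlistPng: allowlistCheck('logo.png', pngHeader),           // accepted
    allowlistSpoofedPng: allowlistCheck('logo.png', maliciousSvg), // rejected
  };
}

console.log(demo());
```

The point of the contrast is structural rather than about one file type: a denylist is only as complete as the last person who edited it, while an allowlist fails closed when a new format appears. The response headers are the check worth keeping even if SVG is needed for docs; serving user-controlled SVG inline from the same origin as authenticated pages is the risky combination, and either a separate sandbox origin or `Content-Disposition: attachment` removes it.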
agosta•27m ago
Chill - just because someone got hacked doesn't mean their product is trash. Easily every mass adopted product created prior to 2023 has been hacked at some point.
sans_souse•2h ago
$5k is such a small payout for this sort of finding.
ChrisArchitect•1h ago
Related:

We pwned X, Vercel, Cursor, and Discord through a supply-chain attack

https://news.ycombinator.com/item?id=46317098

ollybee•1h ago
How is a company like Mintlify getting so many big name customers for what appears to be a static site generator + hosting? Is there some secret sauce I'm missing, what is the value proposition?
tommica•1h ago
Convenience and developer uncertainty. I fall prey to the "it's paid, so it must be better" fallacy, and the "they know what they are doing, they are pros" illogicality.
