How to pwn a billion dollar VC firm using inspect element

When we released our open-source project[1], this hacker (Eva) pentested our project pretty extensively and was very professional in their disclosures. They didn't even ask for a bounty since we didn't have a program back then!

Eva is an incredibly gifted hacker and a responsible one, a16z should treat them better.

[1]: https://github.com/heyPuter/puter/

I made a similar mistake actually.

We used a nodejs cms called apostrophecms that had an admin panel called global settings.

We used that for managing api keys to our auth server.

We only found out a few months in that it was outputted in the html source code. They did this so it was available to JS, of course it was in their docs. So not blaming them. We glossed over it.

Annoyingly we paid a reasonable amount of money for a pen test with one of the big consultancy companies but they also didn’t see it.

I ended up finding it and checking the logs seems like it wasn’t abused but it was shocking and a big leak

When I create a new service and add LetsEncrypt cert to server via ACME. I immediately see logs filled with junk, obviously bots searching for shitty defaults that devs might leave open. I have even seen requests for the process env file lol.

How was such vuln not found and abused in this case? a16z is very lucky or maybe it was abused and not disclosed. Researcher or bored person with a kind heart/white hat hacker mindset is the first to reach out.

a16z should be fined heavily unfortunately there is no legal framework for this type of negligence

> a16z did not give me any bug bounty on this because of the fact i publicly reached out instead of trying to reach out privately. the only reason i did it this way was because there was no available contact on their main site and the email i could find engineering@a16z.com bounced my emails

That's a clever lifehack to save your company money, by not having any way to privately contact engineering all bug bounties will have to be reported publicly which means you don't need to pay anything.

when companies say they are “hacked”, it’s now a corporate term for “we were negligent in securing important credentials, but please shift blame to this no-name entity we called a ‘hacker’”

Pretty shitty to not even give a token amount bounty for such a broad hole

they are busy writing a giant "architecture of generative AI" whitepaper. give them a pause, they are dreaming a future agentic world of half-assed chatbots.

while the world burns with botched software updates.

If you could actually access their Salesforce instance, that would be very nerve wracking for founders, since usually Salesforce, etc, logs emails which may continue unannounced fundraising plans or M&A plans that haven’t been shared externally by portfolio company founders.

The fact that this VC firm didn't provide bug bounty for such a gaping hole does not instill trust.

The HN mods changed the title to a less embarrassing one. Not surprised

Sincere question: how do you actually make this mistake while having the skills to build a web app of this complexity level? All the frontend and full stack frameworks that I’m familiar with try pretty hard to stop you.

Maybe they should have installed CrowdStrike

> a16z did not give me any bug bounty on this because of the fact i publicly reached out instead of trying to reach out privately.

I just don't understand this petty attitude. This almost guarantees next time somebody that finds vulnerability with a16z or any of its companies to seek black market rewards that will do far more damage.

This is just like when KakaoTalk refused to payout bug bounty because you had to be a Korean citizen which ended up causing more vulnerabilities to be discovered in the wild.

Companies and billionaires reading this, please don't be petty like Andreesen. Guy went from a leader to a borderline security fraud artist. You don't want to be earning more ire from the public in the current political climate. It's dangerous.

Why does this read like a 9 year old TikToker wrote it? This reads like some little script kiddie who runs fuzzing tools (and can't make any of their own) ranting online unprofessionally.

I agree that the bounty outcome is unfair.

Hopefully Martin Casado or one of the other awesome open source folks from a16z will take a look at this and make the person whole!

From the techcrunch article:

> “On June 30th, a16z addressed a misconfiguration in a web app that is used for the specific use case of updating publicly available information on our website such as company logos and social media profiles. The issue was resolved quickly and no sensitive data was compromised,”

What the fuck is this? They are blatantly lying here. There was a lot of sensitive data compromised. Anyone who inspected the site could have had access to everyones emails.

Neko!

https://en.wikipedia.org/wiki/Neko_%28software%29

The Wikipedia article is missing the implementation in the article. Too bad they don't pay bounties.

   ^ ^
   0 -
    *
    -

It's really hard to generate "all due respect" for a16z.

Question to the community. I managed to expose all customer data of a well-funded D2C brand and when I reached out to them I did not ask for bounty before I shared the fix/the security hole. I only got a 200 USD gift card for their shop :D

What is best practice here? Do you first tell the company that they have a security issue, ask for bounty and then help? Is that unethical? Blackmail?

> i publicly reached out

Means what exactly? What information did your public reach-out include?

EDIT:

Ah, I think it's a tweet that said:

> someone from @a16z get in touch, now. its bad. security related.

Lol, ok. I guess they don't want anyone to know they had a security vuln. I wonder if they make you sign an NDA too when you get the bounty.

Stuff like this is what gives the entire security and white hat community a bad name.

1. "Surprise pentests" are illegal in the US and pretty much every jurisdiction in the world. If you are actively breaking into websites without a prior agreement, you are not doing anyone a favor. Save your efforts for companies that actually want you.

2. If the company doesn't have a published bug bounty program, they don't owe you anything. Yes they can still be nice and pay you, but they definitely won't if you disclose the vulnerability to the rest of the world without giving them a heads up and enough time to fix it.

3. "Oh I couldn't find an email address" is the worst excuse in the world. I found one after exactly 5 seconds of Googling (at the bottom of https://a16z.com/connect). And even otherwise there's Twitter, Instagram, LinkedIn and a hundred other ways to reach someone at the company if you really want to.

This is classic case of clout chasing over responsible disclosure.

That's what security.txt is there for. They don't even have a robots.txt file.

Too much javascript for everything (front & back) seems easy but for new developers it kind of blurs the lines between what should be on the server vs the client.

even web3 could protect a16z ugh, thats very bad

Crypto bullshit - a16z pipeline is a great reflection of a16z as a firm.

    >a16z did not give me any bug bounty on this because of the fact i publicly reached out instead of trying to reach out privately. the only reason i did it this way was because:
    >    there was no available contact on their main site
    >    the email i could find engineering@a16z.com bounced my emails

The age-old practice of screwing over security researchers over any possible technicality is still alive and well. Brings tears to my eyes.

It's pretty shocking how many commenters are blaming the individual for not "trying harder" to find contact information. It's pretty clear a16z didn't want to pay anything or appreciate the disclosure at all.

Finding random email addresses and sending them a notice would have gone no where other than spam folders. I get dozens of "disclosures" every week from mostly script kiddies that think my DKIM setting is somehow going to be the end of my business. My brain automatically ignores emails like it.

I like lower case tweets and texts but lower case in articles like this is just ridiculous (and trying too hard to be cool)

how do I disable the cat following my cursor animation on your website? how insanely distracting

Wait, do hackers feel entitled to money for finding security holes, even if there was never any signal of such reward?

Isn't it fairly easy to get an address like marca's? I'm sure anyone who is responsible for the place would make the connection to IT security.

I'm surprised he didn't try harder to contact someone in the company privately.

Surely any contact would have sufficed to at least try to get an introduction to their security team?

If you browse their website there are loads of email addresses for various offices and divisions.