I would not default to assuming it was his competitors, that sounds like scapegoating to deflect responsibility. What most likely happened is his site was scanned by one of the increasingly sophisticated exploit crawlers (anyone who runs an internet facing site and can view traffic knows what I'm talking about). His site got flagged as vulnerable, the hacker found out it was built like swiss cheese and had fun with it.
It's 100% this. Anyone who's run a website or web app for any length of time in recent years and makes a habit of inspecting their logs will quickly realise that they're being scanned by bots looking for vulnerabilities multiple, or even many, times per day. The search for vulnerabilities is entirely automated and will pick up any domain that has a website or web app attached to it.
One those vulnerabilities are found, the hackers will pounce, and, whilst ransomware is one potential outcome, they might instead do all of the kinds of things GP has described. They don't care what the site is for or what industry you're in.
>One those vulnerabilities are found, the hackers will pounce
...and work to exploit your code to their own benefit. They don't do this just so that they can refund your customers.
Often it's just done for reputation. "We got ahold of their stripe key and refunded everything lol" is hilarious and absolutely on-brand.
I mean, I can see refunding their customers just for the lols.
From the customers' perspective sounds ethical. The product was broken or extremely cheap quality, and not what it seemed to be originally when you decided to purchase... Is this black or white? ;p
> anyone who runs an internet facing site and can view traffic knows what I'm talking about
Most of what I see is looking for very specific vulnerabilities - a very high proportion are looking for hidden files and directories being served (e.g. .git, .env) or specific software (e.g. Wordpress), or similar.
In over 20 years of dealing with many mostly smallish businesses the compromises have been:
1. A client who insisted on using Wordpress for one of their sites (against my advice) because they had people who knew it so it was the cheap option. It was easy to see what would happen because those people were not available long term. 2. A very carefully set up server with a hardened kernel etc. I did not set it up so cannot give all details and neither do I know how it was compromised. It was carefully set up because it was a target for political reasons so I would guess it was a targetted attack.
On the other hand I know there have been many vulnerabilities. There have been many vulnerabilities in the applications - the outstanding examples being creating queries by concatenating user input with SQL (no escaping at all) in multiple places across a small site (years ago), and (recently) finding code that called (python) exec on user input. Many other flaws that have been present for years. Not updating OSes, server software and frameworks for many years is usual.
In spite of all that, just those two compromises. You will probably get away with a high degree of bad code and bad practices in deployment and maintenance with a small site.
Who else would spend the time and effort to figure out you leaked your stipe key to your front end? Sure people have bots to do that, but it’s kinda unbelievable someone would run such a bot on their vibe coded website.
I have a strictly hobby web app that I work on. 6-7 years ago I inadvertently pushed AWS email service credentials to GitHub.
Half an hour after the push I got an email and text from GitHub that I had exposed credentials. I quickly logged in to my AWS to turn off the service, to see that AWS had suspended that service because the bounce rate on the 80000 emails sent in that 15 minute period was too high. It was crazy just how fast it was exploited.
>> It was crazy just how fast it was exploited.
People underestimate the speed, but also the number of pivots that advanced attackers will make. Sure, these kinds of problems are easy to exploit, but with major organizations that employ reasonable defenses, the attackers will pivot through 50+ exploits/machines/layers to get to the target(s). This can take place over weeks or months.
It still doesn't make sense that advanced attackers would go to those lengths in order to... refund the customers.
There are lots of smart kids who don't particularly need reasons for causing mayhem. Suppose it was somebody profit-motivated though. They might be:
1. Distracting from a more important vulnerability
2. Later contacting customers, advising them of the "accidental" refund and redirecting them to a more appropriate payment mechanism (one without the KYC Stripe does, were they to try to steal funds directly)
3. Testing stolen credit cards before using them elsewhere
Etc. Scamming people is a big industry, and not all of the plots are immediately obvious.
Vibe hacking is much older than vibe coding.
Maybe guy's running the chatbot as customer service and user turned hacker to get his money back.
Plenty of hackers do it "for the lolz".
Here's an amusing thing to try on anything with SSH exposed. These log files go back a month.
Interestingly, I have a server that only has IPv6 SSH open to the outside world, and it has exactly zero that aren't me fat-fingering a password. It does have an externally visible hostname, which says to me that the bots aren't looking at hostnames for SSH, just IP(v4) addresses.
Meanwhile on my publicly available Oracle VPS...
I'm wondering what 'seekcy' is. Possibly a Chinese security product?
Googling it points to a Chinese IoT company, so I am thinking maybe they have some IoT software with known vulnerability where they have seekcy as the ssh username that is being actively scanned for.
> 118 pi
I wonder why this features so low in the list. The default user:pass combo for Raspbian/Raspberry Pi OS is pi:raspberry
https://forums.raspberrypi.com/viewtopic.php?t=151745
was pi: raspberry, but it was changed a long time ago to have no default user:pass
Wouldn't say it is low if it is within the top 20 amongst other very popular services.
I'm surprised there is no root there? In my experience this is by far the most common.
I'm almost certain SSH does not allow root login by default.
Yes, and it is disabled on my servers and I'm glad for this, because it still seams to be the most common in my logs.
> It was crazy just how fast it was exploited.
The internet is a wild place in any aspect of it. You should try spinning up a random virtual private server on any cloud provider, plug in a public IP address,and listen to traffic. Sometimes it takes seconds to get your first traffic from vulnerability scanners.
This 100%. I'm in a space with developers and customers deploying web servers for the first time. This traffic freaks them out.
Basically a simple server listening on a port will experience hundreds of random script-probing attacks per day. And if any of them show the slightest hint of succeeding then that escalates quickly to thousands per minute.
You don't need a DNS entry to "expose" the IP address (there are only 4 billion). Moving to another port reduces, but doesn't eliminate the traffic.
Telling people this freaks them out. But as long as the server is done well its just noise.
Yesterday it was 4 seconds from a LE cert -> scans for .env and other low hanging info leak/vulnerabilities from at least 4 different scanners.
There are groups out there just looking at the certificate transparency logs to get the newly added certs to scan.
Yeah, one of the reasons why I started to for all my dev side projects to be under a single wildcard subdomain, because I used to create new certs automatically with letsencrypt and everytime this spam happened. If I do things right it shouldn't matter, but I still feel better with the wildcard if I was to make a mistake...
Short related story: some customer wanted an API with a basic firewall, they said they don't need filter rules as it won't be used or something. I put a dumb API online (doing nothing) and showed them the request logs after one day. They approved the filter rules immediately.
Years ago back in 2001, I had a /29 giving my 5 real IP addresses from my ISP.
Back then, I mostly only ran Linux, but for some reason, I needed to run something on a Windows machine, so started installing Windows 98 SE onto a machine, and set it up with a public IP address without even thinking about it. It crashed before it'd even finished installing [0], and investigation showed that it'd been whacked by an automated RCE exploit scanner.
I immediately decided it was never worth the risk of putting a Windows machine on a public IP, and set up a NAT even though I had 3 spare public IPs.
[0] There was already a published update to protect against this exploit, but I was scanned and hacked between the base install exposing the bug and the automatic update patching it.
Yeah, I recall Windows sysadmins pulling out the LAN cable at bootup, installing updates via floppy disks and reconnecting the LAN cable.
Github repositories have statistics about access. Anyone can test this.
Create a new Github repo, within minutes there's someone (or something) poking around it.
Similarly if you post any credentials, they'll either get nabbed and used or a friendly scanner service will notify you about it and will tell you exactly where the credential is if you make an account in their service.
I think common people also underestimate how fast a computer really is nowadays, because they only know bloated MS Windows machines.
Why is it unbelievable? There is an entire industry of people trying to find vulnerable niche applications like this. There are bots which crawl the web, not to make an index, but just to find vulnerabilities. Nobody necessarily even had to 'point' anything at this at all, it just shows up on their dashboard one day and they get to dig in.
I would not be surprised if Shodan.io ends up with queries for easily identifiable markers of vibe-coded software.
> There are bots which crawl the web, not to make an index, but just to find vulnerabilities.
You can download a few of them out of GitHub and run them immediately, too.
I was being facetious. Yes, there are millions of bots that are constantly searching every website for leaked keys, passwords, database credentials, crypto wallets, firebase endpoints, s3 buckets, email addresses, phone numbers, etc. the list is bottomless
Yep. We once had left a socks proxy unprotected on a public IP, no cert, just a random IP and a fixed port. At one day the service stopped working. When looking into it, the network was overloaded with random IPs from all over the world surfing on the free proxy.
> Who else would spend the time and effort to figure out you leaked your stipe key to your front end?
In high school in the early 2000’s, I ran a small Apache server from my home that was basically Geocities but even less discoverable - I used it to learn PHP, SQL, and frontend. One day my log started filling rapidly as someone effectively ddos’d my home server. If they’d bothered to actually poke, they likely would’ve been able to exploit it relatively quickly even without all of today’s tools. I imagine the process of discovery and exploitation is magnitudes more impressive and performant today.
> Who else would spend the time and effort to figure out you leaked your stipe key to your front end? Sure people have bots to do that, but it’s kinda unbelievable someone would run such a bot on their vibe coded website.
I could offer some anecdata as a counterargument but I'm a bit ashamed about how it happened so I'll just say, you friend was lucky it only ended at that.
I've seen it happen - a key was leaked in a stacktrace somewhere and it took a scraper a couple of days to find it. Stripe helpfully prefixes their keys with sk_prod_ so you can completely automate something to iterate over every IPv4 address and see if something in the output matches.
You don't scan just a single website, you code up the bot once and then scan every site you can find.
Your friends' service was just the proverbial paper car in a thunderstorm: the thunderstorm doesn't care about the paper car but destroys it just the same.
My website has a "public" directory for things I wanted to be publicly accessible, but there's an index.html there so you can't trivially discover what files are there.
I was mirroring this to another machine, and I'd foolishly already configured haproxy to serve from either machine. In the 10 minutes (guesstimate) between starting to populate the directory and closing off access, I had one bot scrape every single file in there. What was worse was that it'd cached the index, and continued scraping these files from the other backend too, so I had to shut off access to that directory on the live server as well as the backup.
Whilst technically, all of these files were "public" because I wanted to share them, some of them weren't publicly linked to (things like my CV etc) which I'd rather hadn't been scraped by some random bot (that of course, didn't identify itself or respect robots.txt).
Nah, that's table stakes for a public facing website.
The thing about bots is that it costs almost nothing to run them against millions of sites every day. It's got nothing with "but what are the odds?!", at large enough scale, unlikely things happen all the time.
Shame on this dude.
Oh you sweet summer child.
It's def a hacker from a the incumbent because:
1) They took action after getting the Stripe key by refunding all customers
2) They drafted an email to all customers after a hack that got the mailing list and API route to send emails
3) Not once has the hacker asked for compensation of any kind nor a ransom
Not sure how to word this, but are you "new" on the internet? People used to break stuff "for the lulz" since the dawn of time.
I remember when I was a kid running a tiny forum with phpbb or something, and some script kiddies from g00nsquad (can't remember exact spelling, but something like that) defaced it. They didn't ask for money, they just did it for fun.
Sure things have changed now and the internet has become more corporate, but I reckon there are still people out there doing this stuff l because they can.
> Sure things have changed now and the internet has become more corporate, but I reckon there are still people out there doing this stuff l because they can.
I recall a while back there was a story here about a recipe app that used LLMs to generate recipes. It didn't took long before posters started showcasing recipes they tricked the LLM to generate, involving ingredients such as cyanide and computer chips.
The pull is always there.
My understanding has always been that most hackers do it for the fun/challenge/sport of it and it's only a small fraction who are in it for the money.
Breaking things is just fun for them and the internet is their video game.
Also the vibe I am getting from places like reddit/etc... is that it's currently open season on vibe coded apps. Lot's of internet points to be had for destroying them.
Breaking things is fun. Effectively stealing money (the refunds) is highly illegal, immoral, and malicious. Who knows who did it, but that aspect is just dickhead territory.
I wouldn't call that stealing. It is a forced refund. A hacker could even justify it to himself that these people were unknowingly paying for a shitty product that was built like Swiss cheese, time to give them a refund. Another plausible one is "this guy shouldn't be allowed to run a website, I can't believe he made money for it, it is going back".
I am not saying it is the most likely case or even ethically justified but it is definitely not a super unlikely one. Anyone who thinks that's an impossible scenario has not been in the hacker's shoes.
> I wouldn't call that stealing. It is a forced refund.
If someone took money out of your pocket would you call it stealing? What if they gave it to someone else, like a past employer or your parents or a humanitarian organization?
By the way, you should check a dictionary. The definition of "stealing" is literally taking something away without permission.
Being in the possession of a password or key implies having permission to use that key. When generating a key you give everyone with access to that key the permission to use it to perform actions on your account.
Protect your keys.
> Being in the possession of a password or key implies having permission to use that key.
No, it doesn't.
Yes, it does.
> Being in the possession of a password or key implies having permission to use that key
So if I get your house key I can use your bathroom?
Seriously, what hill are you trying to die on here?
Depends - did I hand it out at the street corner?
Nah, you left it under your door mat.
Would insurance cover that?
Does it matter?
Yes.
Refund or chargeback? The processing fees for a chargeback on every transaction could put him out of business.
He's lucky they didn't find a way to use it for card washing.
It would have had to be refund. The hacker could t initiate a chargeback from knowing the merchant's stripe keys. Seriously doubt it was a competitor. The risks of hiring someone to commit felons against your competitors just isn't worth it. Especially since the vibe coder seems to be bungling things on their own just fine.
How about you pay more attention to the story? It's not Visa/MasterCard or the customers that got hacked.
> I wouldn't call that stealing. It is a forced refund.
Respectfully, what the hell are you talking about?
Imagine you work 40 hours making an app and I pay you for those 40 hours. A third party comes in and says, I'm forcing a refund here - you lose the money you made, but you get the app you made.
How do you feel about this forced refund?
>I wouldn't call that stealing. It is a forced refund.
Can you name an instance of stealing that could not be described as a forced refund?
I don't see how any of that implies that an incumbent did it.
If you were a criminal trolling the Internet for vulnerable servers and found stripe keys... would your first instinct be to refund customers rather than do some other sort of crime? Like what's the motivation you envision here?
"Because I can" or "Because it's funny" are more than enough reason for most people. The fact that the hacker refunded all the customers, then emailed them to warn them that they were using a terrible app actually sounds like a pretty tame troll to me. If the hacker was truly hired by the competition to act maliciously, they could have done far, far worse.
Your friend should take this as a lesson instead of trying to deflect blame to their competitors.
> Because it's funny
I think you mean “for the lulz”
There are black hat hackers that take great joy in just causing as much chaos as possible, particularly with such vibe-coded apps. Even with stripe keys, it's not like they could direct money elsewhere.
Maybe a blackhat hacker decided that the software was so shoddily built that the company didn't deserve to continue existing, and decided to try to make that happen as a sort of vigilante justice against crappy vibe-coded apps.
Definitely not a good idea but it's not an unreasonable motivation.
Some people just want to watch the world burn :shrugs:
Fun and internet points!
[dead]
what was in this email though?
Hey all I’m an independent security researcher and I found that you are paying for an app that is shoddily built and doesn’t respect your privacy or security so I decided to give you all a refund. Have a nice day!
Telling customers it was built with AI and insecure.
Please don't consider becoming a judge. Also, try re-reading what you wrote a few times.