Hacker News

So this blog post is missing any information about what the actual vulnerabilities were. What was the "gap"? What was the misconfiguration? Also missing is whether access to the host VM exposes meaningful secrets. Does this actually risk customers' sensitive data?


It’s marketing for their other products. A pretty annoying read.


Yeah this was terrible.

First, we did a privilege escalation.

How? They don't say.

Next, we did another privilege escalation.

And how?? They don't say.

What's the point of this?


Also no details about what severity the vulnerability was assessed as. For all we know they got a $10 Play Store voucher because the security boundary is the VM, and SQL customers are already paying for the VM and the rest is convenience so they are considered to be hacking themselves here. Reading this was a waste of time.


There's a big fat NDA attached to the reward.


Maybe security researchers would be well advised to establish a kind of name-and-shame culture for this NDA-with-benefits thing that mainly serves to protect corporate interests.


They skipped all the interesting parts.
