Discussion (86 Comments)

toddmorey (about 1 hour ago)
I've been part of a response team on a security incident and I really feel for them. However, this initial communication is terrible.

Something happened, we won't say what, but it was severe enough to notify law enforcement. What floors me is the only actionable advice is to "review environment variables". What should a customer even do with that advice? Make sure the variables are still there? How would you know if any of them were exposed or leaked?

The advice should be to IMMEDIATELY rotate all passwords, access tokens, and any sensitive information shared with Vercel. And then begin to audit access logs, customer data, etc., for unusual activity.

The only reason to dramatically overpay for the hosting resources they provide is because you expect them to expertly manage security and stability.

I know there is a huge fog of uncertainty in the early stages of an incident, but it spooks me how intentionally vague they seem to be here about what happened and who has been impacted.

rybosome (2 minutes ago)
Completely agreed. At minimum they should be advising secret rotation.

The only possibility for that not being a reasonable starting point is if they think the malicious actors still have access and will just exfiltrate rotated secrets as well. Otherwise this is deflection in an attempt to salvage credibility.

birdsongs (about 1 hour ago)
Seriously. Why am I reading about this here and not via an email? I've been a paying customer for over a year now. My online news aggregator informs me before the actual company itself does?

shimman (42 minutes ago)
Please remember that this is the same company that couldn't figure out how to authorize 3rd party middleware and had what should be a company-ending critical vulnerability.

Oh and the owner likes to proudly remind people about his work on Google AMP, a product that has done major damage to the open web.

This is who they are: a bunch of incompetent engineers that play with pension funds + gulf money.

0xmattf (about 1 hour ago)
> The only reason to dramatically overpay for the hosting resources they provide is because you expect them to expertly manage security and stability.

This and because it's so convenient to click some buttons and have your application running. I've stopped being lazy, though. Moved everything from Render to Linode. I was paying Render $50+/month. Now I'm paying $3-5.

I would never use one of those hosting providers again.

nightski (2 minutes ago)
Looking at Linode, those prices get you an instance with 1 GB of RAM and a mediocre CPU. So you are running all of your applications on that?

jtreminio (about 3 hours ago)
I'm on a MacBook Pro, Google Chrome 147.0.7727.56.

Clicking the Vercel logo at the top left of the page hard crashes my Chrome app. Like, immediate crash.

What an interesting bug.

farnulfo (about 3 hours ago)
Same hard crash on Chrome on Windows 11.

itaintmagic (about 3 hours ago)
Do you have a chrome://crashes/ entry?

MattIPv4 (about 3 hours ago)
Related: https://news.ycombinator.com/item?id=47824426

https://x.com/theo/status/2045862972342313374

> I have reason to believe this is credible.

https://x.com/theo/status/2045870216555499636

> Env vars marked as sensitive are safe. Ones NOT marked as sensitive should be rolled out of precaution

https://x.com/theo/status/2045871215705747965

> Everything I know about this hack suggests it could happen to any host

https://x.com/DiffeKey/status/2045813085408051670

> Vercel has reportedly been breached by ShinyHunters.

nike-17 (about 1 hour ago)
Incidents like this are a good reminder of how concentrated our single points of failure have become in the modern web ecosystem. I appreciate the transparency in their disclosure so far, but it definitely makes you re-evaluate the risk profile of leaning entirely on fully managed PaaS solutions.

swingboy (about 1 hour ago)
Is this one of those situations where _a lot_ of customers are affected and the “subset” are just the bigger ones they can’t afford to lose?

toddmorey (about 1 hour ago)
Conjecture, but the wording "limited subset" rarely turns out to be good news. Usually a provider will say "less than 1% of our users" or some specific number when they can to ease concerns. My guess is they don't have the visibility or they don't like the number.

I feel for the team; security incidents suck. I know they are working hard, I hope they start to communicate more openly and transparently.

loloquwowndueo (about 1 hour ago)
“Less than 1% of our users” means 10k affected users if you have 1 million users. 10k victims is a lot! Imagine “air travel is safe, only a subset of 1% of travellers die”

arabsson (about 1 hour ago)
So, the Vercel post says a number of customers were impacted, but not everyone, and they will contact the people that were impacted. I wasn't contacted, so does that mean I'm safe?

jtokoph (about 1 hour ago)
This announcement in its current form is quite useless and not actionable. At least people won’t be able to say “why didn’t you say something sooner?” They said _something_.

OsrsNeedsf2P (about 3 hours ago)
The lack of details makes me wonder how large this "subset" of users really is.

neom (about 3 hours ago)
https://x.com/theo/status/2045871215705747965 - "Everything I know about this hack suggests it could happen to any host"

He also suggests in another post that Linear and GitHub could also be pwned?

Either way, hugops to all the SRE/DevOps out there, seems like it's going to be a busy Sunday for many.

embedding-shape (about 3 hours ago)
Based on what, "feels like it"? Claiming that Cloudflare is affected by the same hack has to come from somewhere, but where is that coming from?

gruez (about 3 hours ago)
From his "sources".

> Here’s what I’ve managed to get from my sources:

> 3. The method of compromise was likely used to hit multiple companies other than Vercel.

https://x.com/theo/status/2045870216555499636

To be fair, journalists often do this too, e.g. "[company] was breached, people within the company claim".

rvz (about 3 hours ago)
I do remember that OpenAI did use Vercel a year ago. They might have likely moved off of it to something better.

adithyasrin (about 2 hours ago)
We run on Vercel and I wonder if / how long before we're alerted about a leak. A quick look online suggests environment variables marked as sensitive are ok, but to what extent I wonder.
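What the rotation triage argued for above (rotate everything shared with the platform, then audit downstream logs; variables marked sensitive are write-only, everything else should be rolled) could look like as a script. This is an added example, not Vercel tooling or anything posted in the thread; the key/type/target record shape, the type names and the sample inventory are assumptions.

```python
"""Triage an exported environment-variable inventory after a suspected platform
compromise: variables stored as "sensitive" are write-only on the platform, so
they are verified rather than rotated; everything else is assumed readable and
rotated, production first, with the downstream service's access logs audited.

Added example, not Vercel tooling. The key/type/target record shape and the
"sensitive"/"encrypted"/"plain" type names are assumptions about the export."""
import re

# Name fragments that usually denote a credential (a ranking heuristic, not a rule).
CREDENTIAL_HINT = re.compile(r"SECRET|TOKEN|KEY|PASS|DSN|DATABASE|CONNECTION|CREDENTIAL", re.I)
TARGET_PRIORITY = {"production": 0, "preview": 1, "development": 2}
ACTION_PRIORITY = {"rotate+audit": 0, "review": 1, "verify": 2, "none": 3}


def classify(record):
    """Return (action, reason) for one env-var record."""
    key, vtype = record["key"], record.get("type", "plain")
    if vtype == "sensitive":
        return "verify", "write-only on the platform; confirm it is still set and unchanged"
    if key.startswith("NEXT_PUBLIC_"):
        return "none", "shipped to the browser by design; nothing secret to rotate"
    if CREDENTIAL_HINT.search(key):
        return "rotate+audit", f"{vtype} value is readable; rotate it, then audit the service's access logs"
    return "review", f"{vtype} value is readable; decide whether it grants access anywhere"


def triage(records):
    """Classify every record and order the work: production credentials first."""
    findings = [(r["key"], r.get("target", "development"), *classify(r)) for r in records]
    return sorted(findings, key=lambda f: (ACTION_PRIORITY[f[2]], TARGET_PRIORITY.get(f[1], 9), f[0]))


# Constructed sample inventory; not a real project and no real values.
SAMPLE = [
    {"key": "DATABASE_URL", "type": "encrypted", "target": "production"},
    {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": "production"},
    {"key": "NEXT_PUBLIC_API_URL", "type": "plain", "target": "production"},
    {"key": "GITHUB_TOKEN", "type": "encrypted", "target": "preview"},
    {"key": "FEATURE_FLAGS", "type": "plain", "target": "development"},
]

if __name__ == "__main__":
    for key, target, action, reason in triage(SAMPLE):
        print(f"{action:13} {target:12} {key}: {reason}")
```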
_puk (about 1 hour ago)
Hmmm, the dashboard 404 I got 6 hours ago now makes a bit more sense..
sreekanth850 (about 2 hours ago)
Too much uncontrolled vibecoding?

steve1977 (about 2 hours ago)
While I would agree, unfortunately with JavaScript vibecoding is not even necessary to run into issues.

LunaSea (about 2 hours ago)
Because Flash apps were so safe.

scrollaway (about 1 hour ago)
Windows 95 was peak security. (/s)

gneray (about 3 hours ago)

nothinkjustai (about 1 hour ago)
Looks like their rampant vibe coding is starting to catch up to them. Expect to see many pre vulns like this in the future.

ofabioroma (about 3 hours ago)
Time to IPO.
lukewarm707 (about 3 hours ago)
"a security incident that involved unauthorized access to certain internal Vercel systems."

Could they be a little more specific?

0xy (about 3 hours ago)
This is why you pay a real provider for serious business needs, not an AWS reseller. Next.js is a fundamentally insecure framework, as server components are an anti-pattern full of magic leading to stuff like the below. Given their standards for framework security, it's not hard to believe their business' control plane is just as insecure (and probably built using the same insecure framework).

Next.js is the new PHP, but worse, since unlike PHP you don't really know what's server side and what's client side anymore. It's all just commingled and handled magically.

https://aws.amazon.com/security/security-bulletins/rss/aws-2...

embedding-shape (about 3 hours ago)
> Next.js is the new PHP, but worse, since unlike PHP you don't really know what's server side and what's client side anymore. It's all just commingled and handled magically.

Wasn't unheard of back in the day, that you leaked things via PHP templates, like serializing and adding the whole user object including private details in a Twig template or whatever, it just happened the other way around kind of. This was before a fat frontend and thin backend was the prevalent architecture, many built their "frontends" from templates with just sprinkles of JavaScript back then.

rvz (about 3 hours ago)
There is no serious reason to use Vercel, other than for those being locked into the Next.js ecosystem and demo projects.

mikert89 (about 3 hours ago)
Much as I want to rip on Vercel, it's clear that AI is going to lead to mass security breaches. The attack surface is so large, and AI agents are working around the clock. This is a new normal. Open source software is going to change; companies won't be running random repos off GitHub anymore.

lijok (about 3 hours ago)
ShinyHunters are a phishing group. What does this have to do with AI agents?

mikert89 (about 3 hours ago)
Run AI agents around the clock to do hyper-targeted phishing.