• NeilBrü@lemmy.world · 8 points · 29 days ago (edited)

    I’m certainly no web security expert, but shouldn’t Tea’s junior network/backend/security developers, let alone seniors, know how to secure said Firebase or S3 buckets with STARTTLS or SSL certificates? Shouldn’t a company like this have some sort of compliance department?

    • gian · 6 up / 2 down · 29 days ago

      I am not sure, but I read somewhere that the developer(s) used vibe coding to create the app so…

      • Canaconda@lemmy.ca · 2 points · 28 days ago

        A lot of people have speculated that.

        According to their statement their code was written in Feb/2024 and predates “vibe coding”

        • gian · 1 point · 27 days ago

          What intrigues me is this:

          I’m confident vibe coding was not to blame in this particular case,

          So they used vibe coding; they are only saying that they think/hope that it is not the cause of the breach (and maybe also of the second one).

          And if vibe coding is not the cause, then they are even more incompetent.

    • GissaMittJobb@lemmy.ml · 4 points · 28 days ago

      SSL is not the tool you need in this case, although you should obviously already be running exclusively on encrypted traffic.

      The problem here is one of access rights - you should not make files default-available for anyone that can figure out the file name to the particular file in the bucket. At the very least, you need to be using signed URLs with a reasonably short expiration, and default all other access to be blocked.

      • NeilBrü@lemmy.world · 1 point · 28 days ago (edited)

        As I mentioned in other comments, I am a noob when it comes to web-sec; please forgive what may be dumb questions.

        Is it really just a permission rights “over-exposure” issue? Or does one also need to encrypt and then decrypt the data itself that must be sent to a database?

        Also, if you have time, can you recommend any links to web/cloud/SaaS security best practices “for dummies”?