Breezehost hacked


Comments

  • rpqu Member
    edited February 8

    @Levi said:
    Hacking attempts will be more frequent as LLMs are utilized by crackers.

    Maybe hosts should preemptively hack their own website before crackers of unknown affiliation do.

    Thanked by 2: Murv, beanman109
  • I got the email too, wow

  • I would like to add that I've already reported two security vulnerabilities to Breeze in the past,

    One allowed me to edit the firewall for any other cosmicguard IP they control due to an endpoint that lacked proper input validation.

    Another one allowed me full access to their administrative panel (so potential access to all client information), again due to improper input validation/row level security rule on their new ClientHQ dashboard.

    I did catch both of these before anyone else was able to exploit it, and reported it to them which they promptly fixed. I kept the findings quiet to give them benefit of the doubt.

    But here we are again, an improper SPF record leading to email impersonation. Breeze, y'all really gotta change up how you handle security.
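The SPF weakness mentioned above is easy to check for yourself. The following is an added example, not code from the thread or from Breeze: it parses a domain's SPF TXT record and reports the conditions that let a third party pass SPF as that domain (`+all`/`?all`, a missing `all`, more than one record, too many DNS-lookup mechanisms). The TXT records embedded below are constructed for illustration, and the function names `parse_spf` and `audit_spf` are chosen here; in practice you would feed it the output of `dig +short TXT yourdomain`.

```python
"""Audit a domain's SPF record for settings that allow sender impersonation.

Added example, not code from the thread or from Breeze. The TXT records in
SAMPLE_DOMAINS are constructed; fetch real ones with `dig +short TXT domain`.
"""
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 s4.6.4 caps these at 10,
# and exceeding the cap turns the whole record into a permerror (policy ignored).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into (qualifier, name, argument) terms.

    Qualifier is one of + - ~ ? ("+" when omitted). Also reports the qualifier
    on the final "all" term and how many lookup-costing terms were seen.
    """
    terms, all_qualifier, lookups = [], None, 0
    for raw in record.split()[1:]:                 # skip the "v=spf1" version tag
        qualifier = raw[0] if raw[0] in "+-~?" else "+"
        body = raw[1:] if raw[0] in "+-~?" else raw
        m = re.match(r"^([a-z0-9]+)(?:[:=/](.*))?$", body, re.I)
        if not m:                                  # malformed term, flagged by audit
            terms.append(("?", "invalid", raw))
            continue
        name, argument = m.group(1).lower(), m.group(2) or ""
        if name == "all":
            all_qualifier = qualifier
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        terms.append((qualifier, name, argument))
    return {"terms": terms, "all": all_qualifier, "lookups": lookups}


def audit_spf(txt_records: list) -> list:
    """Return findings for the TXT records published at one domain ([] = OK)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["NO_SPF: any host can send as this domain; receivers get no policy"]
    if len(spf) > 1:
        return ["MULTIPLE_SPF: RFC 7208 treats more than one record as permerror"]
    parsed = parse_spf(spf[0])
    findings = []
    if parsed["all"] in ("+", "?"):
        findings.append(f"PERMISSIVE_ALL: '{parsed['all']}all' lets any sender pass SPF")
    elif parsed["all"] == "~":
        findings.append("SOFTFAIL_ALL: '~all' only marks spoofed mail; prefer '-all' plus DMARC p=reject")
    elif parsed["all"] is None and not any(t[1] == "redirect" for t in parsed["terms"]):
        findings.append("NO_ALL: record has no 'all' term; unmatched senders evaluate to neutral")
    if parsed["lookups"] > 10:
        findings.append(f"TOO_MANY_LOOKUPS: {parsed['lookups']} > 10 causes permerror, policy ignored")
    if any(t[1] == "ptr" for t in parsed["terms"]):
        findings.append("PTR_MECHANISM: 'ptr' is deprecated and unreliable at receivers")
    if any(t[1] == "invalid" for t in parsed["terms"]):
        findings.append("MALFORMED_TERM: unparseable term, receivers may permerror")
    return findings


# Constructed records, not real DNS data.
SAMPLE_DOMAINS = {
    "weak.example":   ["v=spf1 include:_spf.mailer.example +all"],
    "soft.example":   ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example ~all"],
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "none.example":   ["google-site-verification=abc123"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE_DOMAINS.items():
        print(f"{domain:16} {audit_spf(records) or ['OK']}")
```

A `-all` record alone does not stop impersonation of the display name or of look-alike domains; it only lets receivers reject mail claiming the exact domain, and it only has teeth when DMARC is published with `p=reject` or `p=quarantine`.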

  • jonbeard Member, Patron Provider, Veteran

    All,

    Wanted to reach out and let everyone know we are handling this with the utmost importance. We just released an update on the status portal at https://status.breezehost.io - this is where all updates will be posted. Please stay subscribed on there for up-to-date information. I understand that there will be a lot of questions about why and how and what, all of which will be provided in due time. Although I will say we use Stripe, and we cannot see your card information. Your financial info is secure. If you are worried about your services, I would always recommend changing your passwords (as you should every so often anyway for proper password management) or utilizing SSH key auth.

    For everyone's viewing, below is the latest update that was sent out a little over 10 mins ago:

    We are writing to sincerely apologize for an inappropriate and unauthorized email that was sent earlier today from our mailing system.

    We have identified that a malicious third party gained access to our mass mailer and used it to send a vulgar message. We understand how unprofessional and concerning this was, and we take full responsibility for the incident.

    We want to clearly reassure you that at no time was your payment or financial data compromised.

    We do not store credit card information in our systems. All payment details are handled securely and exclusively by our third-party payment processors, and no payment data was accessible through the affected system.

    Upon discovery, we immediately secured the mailer, patched the exploited vulnerability, and began a full review of system access and logs.

    We are also carefully combing through relevant data and configurations to ensure the continued integrity and security of our environment.

    We deeply regret this incident and the inconvenience or discomfort it may have caused. Maintaining your trust is extremely important to us, and we are taking additional steps to further harden our systems and prevent anything like this from happening again.

    If you have any questions or concerns, please do not hesitate to contact our support team.

    Thank you for your understanding and continued trust.

  • zed Member

    @jonbeard said: Thank you for your understanding and continued trust.

    can we get a response from the vp of security? i assume vp of growth is a marketing position and i don't really trust marketing guys.

  • Shakib Member, Patron Provider

    @jonbeard Are you using Vercel for hosting your website?

  • DataRecovery Member
    edited February 8

    @vailiernits said: Their Telegram is full of gay porn

    breeze host / tech

    All round Protection!

    The night is yours! Enjoy!

  • jonbeard Member, Patron Provider, Veteran

    @DataRecovery said:

    @vailiernits said: Their Telegram is full of gay porn

    breeze host / tech

    All round Protection!

    The night is yours! Enjoy!

    We don't have Telegram. It looks to be a product review page. I looked this up and managed to find where the message you screenshotted was from, but it was from October 12, 2021. Still funny nonetheless. I don't sell diapers lol

    @zed said:

    @jonbeard said: Thank you for your understanding and continued trust.

    can we get a response from the vp of security? i assume vp of growth is a marketing position and i don't really trust marketing guys.

    I am on the sales side, and we use LET for Sales. Trying to share information here so customers that are on here (and all other members of the community) are able to be updated.

    All status updates will be posted and emails will be sent to clients once the investigation is done and relevant parties contacted.

    Thanked by 1: zed
  • @jonbeard said:

    @DataRecovery said:

    @vailiernits said: Their Telegram is full of gay porn

    breeze host / tech

    All round Protection!

    The night is yours! Enjoy!

    I don't sell diapers lol

    Thanks! The clarification was most timely.

    Was at the checkout page already, ordering annual subscription.

    Thanked by 3: Murv, OhJohn, RCVmedia
  • Levi Member

    @zed said:

    @jonbeard said: Thank you for your understanding and continued trust.

    can we get a response from the vp of security? i assume vp of growth is a marketing position and i don't really trust marketing guys.

    There is none. 1-man army.

  • loay Member

    @Levi said:

    @zed said:

    @jonbeard said: Thank you for your understanding and continued trust.

    can we get a response from the vp of security? i assume vp of growth is a marketing position and i don't really trust marketing guys.

    There is none. 1-man army.

    I checked their client panel and it also uses the same Supabase backend that was used to show the NSFW notification on the homepage :smile:

    Thanked by 1: sillycat
  • raindog308 Administrator, Veteran

    @Arirang said: KILL N*****S

    @ElliotJ said: Next.js strikes again?

    Ah, that's what it stands for. KILL NEXT.JS!

  • @xvps said:
    The hacker has put a banner at the top of breezehost.io.

    Kevin Gosschulk — Get fucked 🔫 noob wtf did u do rly lmao!!?!!!! U fuckin gud?? hmm then give em my ip for free bcus ur supposed supreme not some dumb ass shithead like everyone else ...

    @jonbeard, be aware of recent tawk.to vulnerabilities. You can test with:

    <img src="x" onerror="console.log('XSS_TEST_SUCCESSFUL');">

    Holy shit, they have that trivial of an XSS? That's just sad.

  • xvps Member

    @forest said:

    @xvps said:
    The hacker has put a banner at the top of breezehost.io.

    Kevin Gosschulk — Get fucked 🔫 noob wtf did u do rly lmao!!?!!!! U fuckin gud?? hmm then give em my ip for free bcus ur supposed supreme not some dumb ass shithead like everyone else ...

    @jonbeard, be aware of recent tawk.to vulnerabilities. You can test with:

    <img src="x" onerror="console.log('XSS_TEST_SUCCESSFUL');">

    Holy shit, they have that trivial of an XSS? That's just sad.

    I didn’t check it since the chat was disabled, but they appear to have several very basic security issues due to insecure use of Supabase. It looked like they had an external pentester working on it, so I assume it will be fixed.

    (I haven’t tested whether the obvious vulnerabilities could be exploited, since I don’t have permission. I’ve only looked at the JavaScript and run a few curl requests.)

  • xvps Member
    edited February 9

    @raindog308 said:

    @Arirang said: KILL N*****S

    @ElliotJ said: Next.js strikes again?

    Ah, that's what it stands for. KILL NEXT.JS!

    Well, you guys should kill Supabase instead.

    It uses PostgREST with Schema Cache Suggestions enabled, so if a hacker sends a select=* request to a non-existing API endpoint (table), PostgREST returns a “Perhaps you meant the table public.actual_table_name” error message. This allows a hacker to map database table names by guessing.

    If a bad programmer is also a little too generous with permissions (public API endpoints), the database can leak all kinds of sensitive data. In really bad cases, the database can even be manipulated directly using simple tools like curl (SQLi).

    I can’t see why Next.js should be blamed for this.

    (I guess this is how their website got hacked, because there are issues along these lines.)

    Thanked by 4: oloke, sillycat, Murv, Falzo
  • LeviLevi Member

    @xvps said: It uses PostgREST with Schema Cache Suggestions enabled, so if a hacker sends a select=* request to a non-existing API endpoint (table), PostgREST returns a “Perhaps you meant the table public.actual_table_name” error message. This allows a hacker to map database table names by guessing.

    That's actually clever... To milk the API for its structure. Holy shit, a mind should be pretty twisted to think of such a way to pull out the payload.

  • @xvps said: It uses PostgREST with Schema Cache Suggestions enabled

    All Supabase instances do by default. The whole schema can be leaked by calling /rest/v1/ on the Supabase instance.

    See: https://api.breezehost.io/rest/v1/
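The two enumeration paths described in the posts above (the "Perhaps you meant the table" hint and the OpenAPI document at /rest/v1/) plus the follow-up question of which discovered tables the anon key can actually read, as an added example. This is not code from the thread and was not run against breezehost or any other real host; the HTTP layer is injected so the demo runs offline against a constructed fake PostgREST (`fake_fetch`, `FAKE_ANON_KEY`, the `PROJECT.supabase.co` placeholder and the function names are all assumptions made here). Swap in a real fetch only against an instance you are authorised to test.

```python
"""Map and audit the tables a Supabase/PostgREST API exposes to the anon role.

Added example: not code from the thread, not run against any real host. The
fixture at the bottom mimics PostgREST's responses so everything runs offline.
"""
import json
import re

# PostgREST schema-cache hint, e.g. "Perhaps you meant the table 'public.users'"
HINT_RE = re.compile(r"Perhaps you meant the (?:table|view) '([^']+)'")


def table_from_hint(body: str) -> "str | None":
    """Pull the suggested table name out of a PGRST205 (unknown table) error body."""
    try:
        hint = json.loads(body).get("hint") or ""
    except (json.JSONDecodeError, AttributeError):
        return None
    m = HINT_RE.search(hint)
    return m.group(1).split(".")[-1] if m else None      # drop the schema prefix


def tables_from_openapi(body: str) -> list:
    """List tables/views exposed in the OpenAPI document PostgREST serves at /rest/v1/."""
    paths = json.loads(body).get("paths", {})
    return sorted(p.strip("/") for p in paths if p != "/" and not p.startswith("/rpc/"))


def audit_anon_access(base_url: str, anon_key: str, fetch, guesses=()) -> dict:
    """Return {table: verdict} for tables reachable with only the public anon key.

    fetch(url, headers) -> (status, body) is injected so this runs offline.
    """
    headers = {"apikey": anon_key, "Authorization": f"Bearer {anon_key}"}
    found = set(tables_from_openapi(fetch(f"{base_url}/rest/v1/", headers)[1]))
    for guess in guesses:                       # near-miss names harvest the hint
        status, body = fetch(f"{base_url}/rest/v1/{guess}?select=*", headers)
        if status == 404:
            hinted = table_from_hint(body)
            if hinted:
                found.add(hinted)
    verdicts = {}
    for table in sorted(found):
        status, body = fetch(f"{base_url}/rest/v1/{table}?select=*&limit=1", headers)
        if status == 200:
            # RLS enabled with no anon policy answers 200 and [] rather than an error,
            # so an empty result is not proof that the table is locked down.
            verdicts[table] = "ANON_READ_ROWS" if json.loads(body) else "ANON_READ_EMPTY"
        elif status in (401, 403):
            verdicts[table] = "DENIED"
        else:
            verdicts[table] = f"HTTP_{status}"
    return verdicts


# ---- constructed offline fixture standing in for a PostgREST instance ----------
FAKE_ANON_KEY = "anon.key.placeholder"          # not a real Supabase key
_FAKE_TABLES = {                                # name: (access mode, rows)
    "products": ("open", [{"id": 1, "name": "vps-small"}]),   # no RLS, anon granted
    "clients":  ("rls",  [{"id": 7, "email": "c@example"}]),  # RLS on, no anon policy
    "invoices": ("deny", [{"id": 3, "total": 7}]),            # anon has no grant
}


def fake_fetch(url: str, headers: dict):
    """Mimic PostgREST: OpenAPI at /rest/v1/, PGRST205 hints for unknown tables."""
    path = url.split("/rest/v1/", 1)[1]
    if path == "":                              # "invoices" is deliberately left out
        return 200, json.dumps({"paths": {"/": {}, "/products": {}, "/clients": {}, "/rpc/fn": {}}})
    table = path.split("?", 1)[0]
    if table not in _FAKE_TABLES:
        near = [t for t in _FAKE_TABLES if t.startswith(table[:3])]
        hint = f"Perhaps you meant the table 'public.{near[0]}'" if near else None
        return 404, json.dumps({"code": "PGRST205", "hint": hint,
                                "message": f"Could not find the table 'public.{table}' in the schema cache"})
    mode, rows = _FAKE_TABLES[table]
    if mode == "deny":
        return 401, json.dumps({"code": "42501", "message": f"permission denied for table {table}"})
    return 200, json.dumps(rows if mode == "open" else [])


if __name__ == "__main__":
    report = audit_anon_access("https://PROJECT.supabase.co", FAKE_ANON_KEY, fake_fetch,
                               guesses=["invoice", "user"])
    for table, verdict in report.items():
        print(f"{table:10} {verdict}")
```

The verdict that matters is `ANON_READ_ROWS`: it means the table is granted to the anon role with no row-level security filtering it, which is the "too generous with permissions" case from the post above. `ANON_READ_EMPTY` needs a second look with an authenticated user's JWT, since RLS policies may be scoped correctly or may simply not exist yet.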

  • Glad I'm old school and write my own database; never heard of Supabase.

    Thanked by 1: stable_genius
  • mmo25821 Member
    edited February 9

    @gbzret4d said:
    On their website

    about to bus? so

    7$ for the company and servers u will sell? @Breezehost

  • @Arirang said:
    KILL N*****S

    Two days later and I'm still laughing. When you want to kill someone but are too liberal and afraid of hurting people's feelings. What a bunch of P****S.

  • @mustafamw3 said:
    I don’t know the exact stack they’re using, but the billing site appears to be built with React.
    It might be related to the recent React Server Components vulnerability discussed here:
    https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

    It's quite clearly Paymenter.

    Thanked by 1: MikeA
  • MikeA Member, Patron Provider

    @artxs said:

    @Arirang said:
    KILL N*****S

    Two days later and I'm still laughing. When you want to kill someone but are too liberal and afraid of hurting people's feelings. What a bunch of P****S.

    wrong forum

  • @emgh what did you do?!

    Thanked by 2: emgh, oloke
  • @Xytronix said:
    @emgh what did you do?!

    Goon to gay nudes

    Thanked by 2: emgh, oloke
  • emgh Member, Megathread Squad
    edited February 10

    @mans_xd said:

    @Xytronix said:
    @emgh what did you do?!

    Goon to gay nudes

    Allegedly Goon to gay nudes*

  • emgh Member, Megathread Squad

    Ok i admit i did it

    Thanked by 3: oloke, mans_xd, Murv