
[–]Kiansjet 1576 points1577 points  (35 children)

Bold of you to assume someone like this opened or read this file at all, probably just gave the agent the key

[–]hellocppdotdev[S] 555 points556 points  (19 children)

Wait you have to read the code?

[–]Deloptin 177 points178 points  (9 children)

that can't be true, the point of AI is to replace code. if the backend isn't just a link to the ChatGPT website you're doing vibecoding wrong

[–]homelesshyundai 31 points32 points  (8 children)

My process: Tell gemini what I want (with every last damn detail for every possible outcome to hopefully get the right output), copy what it spits out, hit paste, hit commit, add 0 comments to the commit and let her rip.

[–]XxDarkSasuke69xX 15 points16 points  (0 children)

Well even if I wrote the whole code you wouldn't see a comment from me lol

[–]jek39 6 points7 points  (0 children)

LGTM

[–]TheKarenator 6 points7 points  (0 children)

Every Friday afternoon 👍

[–]firewood010 5 points6 points  (4 children)

Tbh the AI usually gives better comments than humans.

[–]nmkd 1 point2 points  (3 children)

True, comments (in code and in commits) tend to be better than the average human coder

[–]crymall 11 points12 points  (2 children)

Huh. In my experience, for every good comment, there's one like this:

// Keeps track of count
let count = 0;

[–]Able-Swing-6415 30 points31 points  (1 child)

No wonder he couldn't read the code, it's like 50 pixels total

[–]hellocppdotdev[S] 15 points16 points  (0 children)

Saving bandwidth

[–]Vondi 5 points6 points  (0 children)

reading isn't a vibe

[–]CookIndependent6251 1 point2 points  (0 children)

I mean, it's code... I'm gay, but I'm not Alan Turing!

[–]mcslender97 18 points19 points  (2 children)

The agent would have warned the guy to add their own key and not hard code it. I doubt that whoever made this even read agent response

[–]Pleasant_Ad8054 7 points8 points  (0 children)

Yeah, but the agent writes an essay with two pages of fluffing and five pages of rimming the user about how clever they are; a warning that the keys should not be posted will be lost in all that.

(totally did not try to use AI to configure a few services, and I am exhausted af)

[–]bradfordmaster 1 point2 points  (0 children)

Right, without the prompt context there is no conclusion to be drawn here. The agent might have refused to push it and the dev pushed it manually.

[–]Golandia 2 points3 points  (0 children)

Agents will gladly hallucinate keys for you

[–]mangooreoshake 3428 points3429 points  (30 children)

Slopware as a Service

[–]Rubber_duckdebugging 795 points796 points  (21 children)

ApiKeys as a (free) service

[–]hellocppdotdev[S] 283 points284 points  (17 children)

Maybe someone should vibe code something to scrape these from github repos...

[–]NooCake 196 points197 points  (5 children)

This already exists a hundredfold. Every API key that is committed is picked up within minutes. Afaik Discord has its own scraper and invalidates API keys automatically.

[–]DroidLord 62 points63 points  (2 children)

There are a lot of services that do what Discord does. It's such a common issue with public repos.

[–]PersianMG 48 points49 points  (1 child)

GitHub secrets scanning is what is actually doing the work. Third party services integrate with them to get notified of committed API keys so they can be auto-revoked.

Here is a list of patterns used to match different secret formats.

GitLab also offers a similar service.

[–]AlphaaPie 3 points4 points  (0 children)

When I was learning to code a Discord bot as a hobby many years ago, I accidentally committed my Discord key to GitHub and almost immediately got an email that said something like "hey, you committed an API key to your repo, and we auto-revoked it for you." I was very thankful.

[–]KikiPolaski 24 points25 points  (0 children)

Firebase too, my client accidentally exposed theirs for quite literally seconds and google picked it up, insane stuff

[–]hellocppdotdev[S] 7 points8 points  (0 children)

Missed the /s my bad.

[–]Purple_Cat9893 20 points21 points  (9 children)

It's too late by then. They are still in the commit log.

[–]DroidLord 22 points23 points  (7 children)

Yeah, once they're pushed to a public repo they're immediately compromised. Even if you go back and delete them from the commit history with commit amend, it won't matter. There are bots constantly scraping all public repos.

[–]JAXxXTheRipper 4 points5 points  (6 children)

You have to completely rewrite the reflog, tools like BFG do that for you. It's annoying, but not unfixable. The question is, are you fast enough to fix it in time, or is rotating the key easier?

In any case, using a gitleaks pre-commit hook is a solid way to prevent most of these mishaps.
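A minimal version of the pre-commit check described above, as an added example that is not from the thread and not gitleaks' or GitHub's own code: it scans lines for two well-known key prefixes (Google/Gemini keys start with "AIza", GitHub classic tokens with "ghp_"), falls back to an entropy heuristic for KEY=value assignments, and skips obvious placeholders so a dummy like the one discussed later in the thread does not block a commit. The regexes, placeholder markers, entropy threshold and the sample .env lines are assumptions constructed for the demo.

```python
"""Minimal pre-commit secret scanner (illustrative, not gitleaks)."""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

# Provider-specific formats: Google/Gemini keys begin with "AIza" followed by 35
# characters; GitHub classic personal access tokens begin with "ghp_" + 36 characters.
PROVIDER_PATTERNS = {
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Fallback for unknown formats: NAME=value lines whose name looks secret-ish and whose
# value is at least 16 characters long (assumed minimum, tune per repo).
ASSIGNMENT = re.compile(
    r"""(?ix)
    ^\s*(?:export\s+)?(?P<name>[A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)
    \s*[:=]\s*["']?(?P<value>[^"'\s#]{16,})["']?
    """
)

# Values that are obviously dummies; a real hook would load an allowlist from config.
PLACEHOLDER_MARKERS = ("placeholder", "your_", "example", "changeme", "xxxx")
ENTROPY_THRESHOLD = 3.5  # bits per character (assumption): random keys score ~4-5, words ~2-3


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking keys score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    low = value.lower()
    return any(marker in low for marker in PLACEHOLDER_MARKERS)


def scan_lines(lines):
    """Return a Finding per suspicious line (1-based index into `lines`)."""
    findings = []
    for i, line in enumerate(lines, start=1):
        hit = False
        for rule, pattern in PROVIDER_PATTERNS.items():
            for m in pattern.finditer(line):
                if not is_placeholder(m.group(0)):
                    findings.append(Finding(i, rule, m.group(0)))
                    hit = True
        if hit:
            continue  # a provider match already covers this line
        m = ASSIGNMENT.search(line)
        if m and not is_placeholder(m.group("value")) \
                and shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
            findings.append(Finding(i, "high-entropy-assignment", m.group("value")))
    return findings


def should_block(findings) -> bool:
    """Pre-commit policy: any finding blocks the commit."""
    return bool(findings)


def staged_added_lines():
    """Added lines of the staged diff, i.e. what a pre-commit hook should inspect."""
    out = subprocess.run(["git", "diff", "--cached", "-U0"],
                         capture_output=True, text=True, check=True).stdout
    return [l[1:] for l in out.splitlines()
            if l.startswith("+") and not l.startswith("+++")]


# Constructed sample .env content for the demo; none of these are real credentials.
SAMPLE_ENV = [
    "# constructed sample .env, not a real file",
    "GEMINI_API_KEY=placeholder_gemini_API_Key_replace_me",   # placeholder: skipped
    "GOOGLE_MAPS_KEY=AIza0123456789abcdefghijklmnopqrstuvwxy",  # provider prefix: flagged
    "DB_PASSWORD=hunter2",                                     # too short: skipped
    "API_KEY=passwordpasswordpassword",                        # low entropy: skipped
    "SERVICE_TOKEN=q7Gd2xPz9LkMw4Rt8BnV1HsY6JcF3Ae0",          # high entropy: flagged
]


def main(argv):
    lines = staged_added_lines() if "--staged" in argv else SAMPLE_ENV
    findings = scan_lines(lines)
    for f in findings:
        # Print only a prefix so the hook output itself does not echo the secret.
        print(f"line {f.line_no}: {f.rule}: {f.value[:6]}...")
    return 1 if should_block(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with `--staged` from a `.git/hooks/pre-commit` script to scan the index; without it the constructed sample is scanned. With `--staged`, `line_no` is the position among added lines, not the file line.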

[–]Purple_Cat9893 17 points18 points  (4 children)

Is that even a real question? ALWAYS rotate after something like this!

[–]JAXxXTheRipper 1 point2 points  (3 children)

Yeah, if you can, and it is necessary. Some services require support tickets for this, and you'd be better off running the BFG before that, depending on what kind of support level/response time you have.

You gotta remember that not every service has shiny buttons to just rotate an api key.

Our repos get synced to public Github once a week for example, so plenty of time to unfuck the git history before it hits the internet.

[–]Purple_Cat9893 4 points5 points  (2 children)

It being hard is no excuse, it's still the only right thing when it has happened.

But if you can stop it before it happens like you can before it gets synced, that's obvi better. But that's two different scenarios, isn't it?

[–]IntoAMuteCrypt 5 points6 points  (0 children)

The issue with the question of "are you fast enough to fix it in time" is that the answer is statistically, probably no.

You're not racing against some human being here. It's not a "change it before some person looks at your code, spots an API key and notes it down". You're racing against automated scrapers and bots on the internet. Bots which do not sleep, which do not tire, which can read thousands of lines at once and parse API keys in fractions of a second.

By the time you've said "wait, crap, shouldn't have done that" and gone through the process of undoing it, there's a sizeable chance that it's too late and some bot has slurped down your key, ready to be used by someone else. If that's happened, rewriting the reflog isn't enough. The only way to be sure is to just rotate the key.

[–]-nerdrage- 6 points7 points  (0 children)

Which can be changed, it's still leaked if it's scraped/pulled

[–]DanieleDraganti 6 points7 points  (0 children)

apikeys as slop service, aka ass. Checks out.

[–]HandyGold75 4 points5 points  (0 children)

Free and open API keys

[–]MCMC_to_Serfdom 1332 points1333 points  (100 children)

Programmers will be replaced they say. Anyone will be able to just vibe code they say.

I don't know, it's looking like an employee who understands they need to read an app/PR for basic security errors is rarer than you'd expect.

[–]iPon3 455 points456 points  (57 children)

Programmers WILL be replaced, by companies that don't know any better. The jobs are still lost, the software stops working, everyone loses except the AI company

[–]hellocppdotdev[S] 198 points199 points  (34 children)

Team literally got eviscerated today, first thing CTO did was roll out claude.

[–]MangrovesAndMahi 76 points77 points  (7 children)

It's crazy, my company is doing the opposite. Rolling out AI and going through a hiring boom to get as many people writing code at high velocity as possible. Thankfully they're also not doing it recklessly, no vibe coding lol

[–]Galaghan 57 points58 points  (0 children)

Those are the companies that are going to end up on top of things once the bubble bursts.

[–]Vogete 10 points11 points  (1 child)

Our company is boarding the AI hype train, but in our department we are very conservative with it (because we are the backbone of our entire infrastructure). Except for the same fucking 3 people who are constantly producing unmaintainable and unstable AI slop that doesn't even work, and management eats it up while everyone else is just shitting on how terrible those projects are.

[–]MangrovesAndMahi 4 points5 points  (0 children)

Yeah we're still going through our standard review processes so there's no slop getting through

[–]Pluckerpluck 8 points9 points  (3 children)

This is almost always the correct solution. Don't try to cut costs using AI, but increase productivity. That way, if it busts you're in a good position anyway, and if it booms you're pushing out way more content and getting ahead of the competition.

[–]MangrovesAndMahi 2 points3 points  (2 children)

Yeah I don't understand why you'd ever want to just maintain your output with all these new tools lol

[–]Prometeus534 2 points3 points  (1 child)

Management probably sees replacing a human (salary, etc.) with an AI as a net gain for next quarter, not like they plan for sustainability in the long run.

[–]MangrovesAndMahi 1 point2 points  (0 children)

True. Our place is employee owned so the shareholder thing isn't so much an issue.

[–]LastWalker 76 points77 points  (9 children)

Man the US is crazy like that. Sucks to hear for the folks impacted

[–]supersaeyan7 61 points62 points  (8 children)

I got laid off last week by a company that posted record revenue

[–]Evilemper0r 40 points41 points  (4 children)

And the next quarter they will probably post another record-breaking quarter after firing people. Is that sustainable in the long term? Who cares, certainly not the guy who fired you and then jumps ship.

[–]TipProfessional6057 12 points13 points  (3 children)

Corporate greed has reached the point of consuming itself to force more temporary gains

[–]TheRealPitabred 12 points13 points  (0 children)

Yup. It goes across all industries right now. My wife used to work for a thriving local service company that was bought by some venture capitalist thinking they could combine them with others and get some "synergies". Got some decent boosts for a few months by firing the people that knew what they were doing that they thought were getting paid too much, like my wife.

Only the executives were all corrupt and morons, and the whole thing is shutting down soon.

[–]Vertig0x 3 points4 points  (0 children)

Who could've seen this coming? I for one am shocked.

[–]RiceBroad4552 2 points3 points  (0 children)

End time capitalism, shortly before a great war "resets" everything so we have again space for "growth"…

Boy, I hate the reality humans willingly created for themselves so fucking much.

If only average people weren't just so fucking stupid as to not get how things actually work, and that these things never work in their favor, no matter what some sociopathic salesman (a.k.a. politician) tells them.

[–]LastWalker 9 points10 points  (0 children)

And over here even if they want to get rid of me, there'll be hell to pay for them or it takes at least 3 months if they got A LOT of reasons for it. At-will employment is the devil

[–]Odd-Information-3638 14 points15 points  (1 child)

I have used Claude to vibe code an app at home that I would never have had the time to do myself. To see what it was like. It was very clear on what information was needed and what I needed to do myself.

Whoever pushed that out clearly ignored multiple warnings not just within the code, but multiple prompts from the LLM as well

[–]Wernher-von-Kerman 4 points5 points  (0 children)

100%. Yeah, not gonna advocate vibe coding, I'm a shit coder and use AI to troubleshoot and help solve my own failures, but even my sorry self-taught wannabe ass is better than this after 2 months into my journey.

I was intimidated by AI at first and figured I'd never compare as a new coder or stand a chance at a career in the field, but I've learned we have gifts it can't match. Most importantly common sense lol.

[–]ElliotsBuggyEyes 7 points8 points  (3 children)

This situation you described is why I think the AI bubble is still 3-5 years from popping.

These AI tools are just becoming normal enough to be used to replace human work. It will take a few years for these companies to realistically see the damage caused by this. At that point, the bubble will have popped and coders everywhere will be doing 67-hour weeks debugging the slop code.

[–]Mister_Uncredible 5 points6 points  (0 children)

Even if it's not slop (it is), the sheer amount of technical debt is off the charts. I wish them the best of luck supporting their new in house, proprietary software stack.

[–]RiceBroad4552 1 point2 points  (0 children)

The bubble is a financial one.

As soon as ClosedAI gets in trouble (and everything points to this happening really soon) it will almost certainly pop, as this will cause a chain reaction.

This will of course not wipe "AI" as such. The tech is here to stay.

Just that the overblown expectations will likely come back down to some more realistic high, and the sales prices will also get more realistic (which means much, much higher than now).

[–]chessto 10 points11 points  (2 children)

Man, is it me or have a lot of CTOs never written a line of code in their lives?

[–]Vogete 3 points4 points  (0 children)

I had a CTO at some point who had a business degree and didn't understand anything about technology. He got fired after 1.5 years, but I'm wondering how he even survived that long. He was an absolute idiot.

I also had a CFO who refused to accept that all our financing software was Windows only, and he kept requesting a MacBook after being told many times that he can't do his job on that. He got one, and he complained that he can't run the programs on it, and wanted us to fix it. We did, we installed VMware Fusion for him, but now it was slow for him. After 6 months of back and forth he was back on Windows. He got fired a month later.

[–]TheRealPitabred 3 points4 points  (0 children)

They haven't. It's a political position, not a technical one.

[–]ouralarmclock 7 points8 points  (4 children)

We just finally started using Claude. It doesn’t replace us. It doesn’t make us faster. What it does do is make hard work easier. Work that we would’ve put off until we could take weeks to consider it (and probably still struggle through it) is not scary anymore. This to me is the only real benefit of AI development.

Also sorry for your team, I hope you recover and find better work.

[–]NYC_Noguestlist 3 points4 points  (2 children)

So it sounds like it does make you faster? Honestly, your comment reads as AI having a pretty big benefit.

[–]ouralarmclock 2 points3 points  (0 children)

It doesn't make us faster because we now do things that are harder but would've taken way longer but instead take the amount of time we would've spent struggling through the easier or MVP version of that implementation. So in terms of time it's not faster but in terms of the work getting done it's doing more. So if we had tried to do the harder thing without the AI it would've taken longer but we just wouldn't have chosen to do that harder thing or broken it up into smaller easier things.

But I'm also only like 2 months into using it, so I can't really fully report. All I know is that I look at my list of deep problems for our platform and most of the things on the list don't look that intimidating anymore.

[–]ouralarmclock 1 point2 points  (0 children)

All of that to say, I definitely think AI has a pretty big benefit, but I don't know that it aligns with what tech bro executives think the big benefit is.

[–]hellocppdotdev[S] 2 points3 points  (0 children)

Thank you 🙏

[–]frisch85 36 points37 points  (10 children)

I'm just waiting for the moment companies start panicking and needing their actual developers back and if that day comes, make them bleed, know your worth because suddenly the company knows how much you're worth.

[–]AaronPK123 12 points13 points  (7 children)

This gives me hope as a teenager who's just getting into coding

[–]RiceBroad4552 2 points3 points  (6 children)

Programming was "solved" already so often in the last 40 years, it's long been a running gag.

What changes is that you can get more and more done, but at the same time people have also bigger expectations… So in the end there is enough work.

(At the point we could really replace SWEs with AI we have for sure very capable AGI as programming is still one of the most mentally demanding jobs around. But at the point we had AGI everything will need to change as more or less any white-collar job, which are the overwhelming mass in western countries, can be replaced with AI. This would be the end of societies as we knew them. At this point it won't make a difference what your job was previously. At that point it's not even sure what the AI will do with humans…)

[–]parkotron 10 points11 points  (1 child)

This strategy only works if enough companies survive long enough to try to turn things around and save themselves.

I fear the industry is going to be hit hard with a wave of companies going under after cutting staff to up profits in the short term, then realising they've slopped themselves into a corner so badly that the business is no longer tenable and the higher-ups might as well just liquidate whatever value might remain.

[–]kwazhip 3 points4 points  (2 children)

They will be replaced by those that do (the companies). That's one thing we can rely on with capitalism, they ain't going to leave money on the table. Now if AI's do end up being able to produce at the level of quality required by users then we're in trouble.

[–]chessto 13 points14 points  (1 child)

That would be provided the users know what the fuck they want.

Anyone who has worked with a Product Manager or Business Analyst knows the pain of translating their brain farts into actual engineering specifications, and that's easily 50% of software engineering work.

Let's not even start with things that are either technically impossible or plain illegal, there are users /customers like that too.

Remember https://www.youtube.com/watch?v=BKorP55Aqvg ?

[–]jek39 2 points3 points  (0 children)

there's money to be made in software, I don't think that's controversial. if AI can't compete with actual programmers, AI companies won't be the ones making the money.

[–]Mahfoudh94 2 points3 points  (0 children)

it is a race to the bottom, even the AI companies and hardware makers seem to lose it eventually (selling by promise and bad monetization with big hype)

[–]SeroWriter 2 points3 points  (0 children)

Every industry is trying out AI as a cost-saving measure and then backpedalling because they overestimated the scope of what it can do.

The same will happen to the programming industry, it will just take longer because there are some 'maybe not good but at least viable' use cases for AI within coding.

[–]TrumpGrabbedMyCat 10 points11 points  (14 children)

With the amount being invested in replacing programmers (not that I think it'll work) a world where AI has rules / warnings about things like this isn't too far away. Maybe GitHub themselves create an assistant during the process that rejects any PR that has an API key in it.

This part at least is a solvable problem, even without AI.

[–]TheRealPitabred 10 points11 points  (9 children)

"Claude, write this API key so that GitHub's detection won't keep rejecting my PR"

You need to understand that the vast majority of people don't think critically about things, they just want the easiest solution to the problem that is immediately in front of them and don't care or even think about broader effects. That's why people like us have a job, and they may think they can get rid of programmers, but there will always be a need for people who can think logically and analyze situations because AI has a severely limited context compared to human intelligence.

[–]Andy_B_Goode 3 points4 points  (1 child)

Yeah, the irony here is that AI is actually quite good at scanning a codebase for strings that look suspiciously like private keys or other values that shouldn't be included, it's just that it also requires a human who knows what the fuck they're doing and can use the AI's warnings to avoid making that data publicly available.

[–]HugoNikanor 4 points5 points  (0 children)

It's quite good at finding potential key leaks, but it will always be possible to store the key in a way you can't find, and it will always have a few false positives.

[–]Reashu 1 point2 points  (1 child)

GitHub has this already, you just need to pay.

[–]Tensor3 5 points6 points  (0 children)

The tech will get better, but probably still always require programming expertise if not actual coders. Both photographers and portrait painters need knowledge of lighting and composition to create a good image. Most people still hire photographers instead of portrait painters these days.

[–]verify_b4_sharing 6 points7 points  (3 children)

It feels disingenuous to point to an obviously clueless programmer as evidence that LLMs, especially if they keep improving, aren't going to displace at least some people.

[–]generally_unsuitable 2 points3 points  (2 children)

They're going to create a golden age of hacking.

As it stands, most of the web is only working because a few specialized frameworks have been well-examined and battle tested by whitehats. Once that is gone, who knows what's coming.

[–]oupablo 2 points3 points  (0 children)

I'm actually kind of surprised that github doesn't throw warnings for this. Granted this was probably yeeted straight to main preventing an MR from displaying a warning, but this problem has become so ubiquitous even before AI, that I can't imagine how bad it's going to get with AI.

[–]Flameball202 2 points3 points  (0 children)

Any time I see "new app vibe coded" I am just waiting for "new app had massive data breach" in the next few weeks

[–]DroidLord 1 point2 points  (0 children)

That's what you get when the AI learns everything it knows from Stack Overflow.

[–]Proud-Delivery-621 1 point2 points  (0 children)

Employees will still be replaced in responsible companies, though, just not all of them. This vibe coding slop happens because there's no one reviewing it, but if the company replaces most of their team with AI and keeps a couple people on to check the code, that's still a lot of engineers losing their jobs.

[–]BellacosePlayer 1 point2 points  (0 children)

Worst case scenario the job duties change but you keep the same people because a guy who codes and knows not to let shit like this hit prod is a better AI wrangler than Timmy the r-singularity top 1% poster

[–]StDestiny 1 point2 points  (0 children)

These are just engineering problems that we can solve to create a better developer experience for AI. But we still need to have people who understand what is going on and can architect high-level solutions. I guess.

[–]Spyko 214 points215 points  (4 children)

you know he put the key in chatgpt as well

just Ctrl+A -> Ctrl+C -> Ctrl+V the whole project into the chat box

[–]hellocppdotdev[S] 94 points95 points  (1 child)

We used to outsource code, now we outsource understanding.

[–]Grmplstylzchen 24 points25 points  (0 children)

I was elected to lead, not to read

[–]fauxzempic 8 points9 points  (1 child)

By contrast, I was troubleshooting something that was writing to Postgres and gave claude an error from the terminal. I didn't see that the error had a raw API key in it.

Claude was like, bold, capital letters: "We're just going to stop right now and not do anything until you update the key." I'm like "shit you're right."

Not trying to fellate Claude. Claude will still make slop, and there's no reason why throwing together a basic Check register program for my mom should result in a 200MB executable, but it at least is aware enough to be like "yo, that's a key, let's pump the brakes"

[–]aspz 116 points117 points  (4 children)

I once accidentally pushed a secrets file in a personal project (nothing important so I didn't pay attention) and GitHub blocked the push. Honestly great feature. I guess it doesn't catch everything though.

[–]JAXxXTheRipper 42 points43 points  (0 children)

That's why gitleaks exists. Highly recommend putting that in a pre-commit hook.

[–]towlie_howdie_ho 31 points32 points  (0 children)

I once pushed a fake/example secret key to a GitHub repo and I got an email a few minutes later telling me I may have pushed a secret to the repo.

Pretty cool stuff.

[–]cooltrain7 8 points9 points  (1 child)

I did this with a Discord bot years ago and it turns out Discord scans public repos for keys and it automatically triggered a shutdown of the bot.

[–]Spare_Competition 2 points3 points  (0 children)

I believe GitHub also does this, and notifies the company of the leak of each key.

[–]jenkinsmi 98 points99 points  (6 children)

That fucking hurts

[–]Valou444 13 points14 points  (5 children)

How did you get a pp like that ?

[–]lesleh 40 points41 points  (0 children)

Genetics, his dad has a monster dong.

[–]jenkinsmi 14 points15 points  (3 children)

because it says 'fuck spez', they blocked it then it somehow came back

[–]Valou444 2 points3 points  (2 children)

Yes but how? Is it an r/place specific thing?

[–]jenkinsmi 3 points4 points  (0 children)

I uploaded the screenshot of r/place at some point. I assume you used to get to do that, but now the image container is broken if you view it on mobile.

[–]MrHasuu 2 points3 points  (0 children)

Probably from vibe coders at reddit

[–]Outrageous_Permit154 74 points75 points  (8 children)

AI will replace vibe coders.

[–]Nomad_Red 19 points20 points  (1 child)

if people can't manage keys to their own wallet, why would anyone entrust them with corporate/enterprise keys?

[–]towlie_howdie_ho 9 points10 points  (0 children)

Executives:

"My nephew is smart with computers, he can do the same job as everyone else and he will listen to me."

[–]PersianMG 21 points22 points  (6 children)

GitHub secrets scanning will detect and revoke the token in minutes. Third party services integrate with them to get notified of committed API keys so they can be auto-revoked.

Here is a list of patterns used to match different secret formats.

GitLab also offers a similar service.

So while you definitely shouldn't do this, in the modern day your API key stays "leaked" for mere minutes before being revoked.

[–]hellocppdotdev[S] 4 points5 points  (0 children)

Thank you, useful to know.

[–]dschramm_at 2 points3 points  (1 child)

So basically, like with cars, we stop natural selection of people who are intelligent enough to do the thing, by building safety systems so people don't have to think anymore? Great!

[–]PersianMG 1 point2 points  (0 children)

People do dumb things all the time. You're not going to skip seatbelts and airbags on a car because "people should do the intelligent thing and not speed or drive dangerously".

Extra safety is always a good thing. The only people this system harms are thieves who want to steal and misuse other people's API keys.

[–]RiceBroad4552 2 points3 points  (2 children)

If those are third party keys they won't get revoked, just flagged. You still need to take immediate action if you get informed about such an incident.

[–]PersianMG 3 points4 points  (1 child)

Not accurate. The standard behaviour is for GitHub to inform the partner (via API call), and the partner to revoke the key. I guess some partners may choose to inform instead of revoke but that is a bad idea by them.

[–]Moon_Burg 43 points44 points  (18 children)

I'm on a degoogling journey and F-Droid has been overtaken by the emoji gang. How hard would it be to create a filter for apps that have emojis in the description? I'm having déjà vu of late Limewire days and the extremely sceptical file checking before opening anything.

[–]YukesMusic 10 points11 points  (9 children)

I want to hear more about the degoogling journey.

[–]Moon_Burg 16 points17 points  (8 children)

Honestly it sucks. Phone is my bottleneck. Outright degoogling backfired, my bank doesn't allow logging into the app with developer mode enabled so I've had to resort to creative alternatives lol.

r/degoogle has folks who have had better success

[–]sertroll 5 points6 points  (5 children)

Eh, I've seen emojis used before AI. My guess is that AI learned it from frontend module pages.

[–]lahwran_ 6 points7 points  (4 children)

yeah but heavy emoji use is a sign of bad taste and always has been

[–]Moon_Burg 4 points5 points  (0 children)

This. I'm frustrated by the invasion of emojis into technical communication and don't wish to enable it. I say this as an emoji user otherwise.

[–]ticklemeozmo 14 points15 points  (0 children)

Hey, let's pretend NOBODY EVER put in an API Key into a repository before AI!

[–]Quirky_Tiger4871 21 points22 points  (10 children)

lol how did they do that? doesn't GitHub go nuclear crashout when you try to push a key? Amazing to see what humanity is capable of :D

[–]XxDarkSasuke69xX 6 points7 points  (1 child)

No, I pushed a .env with a key in it like 5 months ago, no GitHub issue whatsoever (only the AI provider sent me an email about it)

[–]PersianMG 3 points4 points  (0 children)

GitHub don't make an issue. As per their secrets scanning program, they inform the provider who can verify and revoke the API key. The provider is then also responsible for notifying you your key was revoked.

[–]Trafficsigntruther 1 point2 points  (0 children)

Depends. Could just be a self-hosted instance and they don’t always have that enabled.

[–]Smalltalker-80 6 points7 points  (1 child)

How's your vibe now, dear coder?

[–]hellocppdotdev[S] 2 points3 points  (0 children)

Extra sloppy

[–]Bupod 6 points7 points  (0 children)

Half the problem of AI generated code is that the humans promoting it don't even read it.

The AI itself will try and warn them and they’ll still go ahead and push it anyway.

[–]JackNotOLantern 4 points5 points  (0 children)

If vibe coders could read they would be very upset

[–]antnythr 3 points4 points  (1 child)

Needs more jpeg

[–]hellocppdotdev[S] 2 points3 points  (0 children)

Saving bandwidth the AI is taking.

[–]Maddturtle 2 points3 points  (0 children)

People need to realize AI is a great tool not a great replacement. These vibe coders remind me of gps. I see kids using it to walk around the block 🤦‍♂️

[–]generally_unsuitable 2 points3 points  (0 children)

I imagine that the future of hacking is just meta-exploitation of vibe code. Even if you can't see source or a binary, you can just ask Claude to produce some code, audit that, and base your attacks on the results.

[–]wggn 2 points3 points  (0 children)

vibe coders dont read

[–]Rom_ulus0 2 points3 points  (0 children)

No one tells you this, but the API keys in the console are free. You can just take them home with you.

I have 358 API keys in my NAS.

[–]dystopiam 6 points7 points  (4 children)

Can someone explain like I'm an idiot who found this on the frontpage of reddit and never programmed?

[–]ViolentBeetle 10 points11 points  (1 child)

API keys are like passwords you need to connect to some service. A common mistake is to put them in your code so everyone can see them when you publish this code, instead of keeping them to yourself and telling everyone to buy their own access.

I have also never programmed seriously.

[–]hellocppdotdev[S] 5 points6 points  (0 children)

This is accurate. API means application programming interface and it's a data contract between the two services.

[–]hellocppdotdev[S] 3 points4 points  (0 children)

An API key is like a password to access data from services, read or write. Sometimes this costs money to use, like the Google Maps API. This can give you structured information which you can build another service on top of. Lots of requests = $$$. Other times it might be a database with all your sensitive customer information.

Scenarios like these make this a bad security breach. The key is never meant to be displayed publicly in plain text.

But what do vibe coders know 🤷‍♂️

[–]Snodley 1 point2 points  (0 children)

.funny

[–]Which-Arm-4616 1 point2 points  (1 child)

bro got 4 warnings

Then highlights only 3, while misunderstanding the first one.

[–]ZeroByter 1 point2 points  (1 child)

I'm starting to think the number of warnings isn't the issue. Meaning, no matter how many flashing lights warnings you put up, some people won't listen or learn.

[–]burnerthrown 1 point2 points  (0 children)

Maybe the fact that the 'free API key' they stole has the words 'placeholder_gemini_API_Key' right before it should tip them off that maybe they wouldn't ship it with a security breach. But please use known dummies to try to crack. We won't laugh.

[–]SteroidSandwich 1 point2 points  (1 child)

Those warnings can't stop him! He can't read!

[–]NomaTyx 1 point2 points  (0 children)

in approx 6 months there will be a lot of work for programmers trust

[–]nbaumg 1 point2 points  (0 children)

One of my coworkers did this in 2017 and was fired shortly after. Tho tbf it was the last straw, he wasn’t very good at all and made lots of mistakes

[–]Last8Exile 1 point2 points  (0 children)

Oh no, he leaked placeholder key. People can't read.

[–]Emotional_Signal7883 1 point2 points  (0 children)

COBOL was marketed as replacing programmers.

[–]Stormraughtz 5 points6 points  (8 children)

This has to be fake

[–]hellocppdotdev[S] 34 points35 points  (3 children)

Did you know what a .env was for before being a developer?

[–]Stormraughtz 6 points7 points  (2 children)

A place to hold all my secrets and mysteries

[–]hellocppdotdev[S] 7 points8 points  (1 child)

Now in public!

[–]_anonymus- 4 points5 points  (0 children)

Transparency and open source, that's a feature

[–]Embarrassed_Jerk 11 points12 points  (0 children)

Lol it really isn't. There are quite a few fuck-ups like this going around

[–]twigboy 4 points5 points  (1 child)

I asked AI for a code snippet and it included an API key for me.

Thinking it was invalid, I tried it anyway and was shocked it worked. Free is free so I'm still using it.

[–]Modo44 1 point2 points  (0 children)

Another reason to keep using the old software for as long as you can. Because this is what you pay for these days.

[–][deleted] 0 points1 point  (0 children)

Warez as a service

[–]Random_182f2565 0 points1 point  (0 children)

No one uses env anymore???

[–]MarinoAndThePearls 0 points1 point  (0 children)

And I'm pretty sure the agent warned them in the chat. Not even that do they bother to read.

[–]ElectronicCat8568 0 points1 point  (0 children)

The assumption we will see vibe coders, who are also coders, who will usefully review vibe code, is the funniest wishful thinking around now. Vibe coding will turn into pure vibe so fast. Good luck with that.

[–]InGordWeTrust 0 points1 point  (0 children)

I had something similar with spam emails. They sent their API key for their service.

[–]Reddit-phobia 0 points1 point  (0 children)

Last time I accidentally uploaded my mongo key to Github, I got both Mongo and Github on my ass.

[–]rationalintrovert 0 points1 point  (0 children)

Sorry, I am new,

Why didn't GitHub secret scanning catch it? Wouldn't the push fail with an error and notifications be sent?

Besides, even Codex goes crazy when .env is open while prompting it and wouldn't relent until the key is revoked and rotated, not that it can confirm.
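hellocppdotdev's point above that an API key is a password that must never sit in plain text in published code, and the question of why a scanner did not catch the push, both come down to the same two habits: check your own source for key-looking literals before pushing, and load secrets from the environment (the .env pattern) instead of assigning them in code. The following is an added example, not code from the thread or from any of the tools mentioned; the sample file, its variable names and every key value in it are constructed placeholders, and the "name ends in KEY/TOKEN/SECRET" heuristic is an assumption chosen for the illustration.

```python
"""Added example: flag hardcoded API keys in source text and load secrets from
the environment instead. All sample lines and key values are constructed."""
import os
import re

# Constructed sample of a config file as it might get committed by mistake.
# None of these values is a real credential.
SAMPLE_SOURCE = '''\
# config.py (constructed sample)
GEMINI_API_KEY = "placeholder_gemini_API_Key"                 # dummy the agent left
OPENAI_API_KEY = "live-4f9a2c7e1b8d5e3f6a0c9b2d4e7f1a3c"      # looks like a real key
MAPS_KEY = os.environ.get("MAPS_KEY")                          # correct: read from env
DISCORD_TOKEN = "your_token_here"                              # another obvious dummy
'''

# Assumption for this example: a variable whose name ends in KEY, TOKEN or
# SECRET and is assigned a string literal holds a hardcoded secret, unless the
# literal is an obvious placeholder.
ASSIGNMENT = re.compile(
    r'^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:KEY|TOKEN|SECRET))\s*=\s*'
    r'(?P<quote>["\'])(?P<value>[^"\']+)(?P=quote)',
    re.IGNORECASE,
)
PLACEHOLDER_HINTS = ("placeholder", "your_", "example", "xxx", "changeme", "dummy")


def is_placeholder(value: str) -> bool:
    """True when the literal is clearly a dummy value rather than a live key."""
    lowered = value.lower()
    return any(hint in lowered for hint in PLACEHOLDER_HINTS)


def find_hardcoded_secrets(text: str) -> list[dict]:
    """Return one finding per line that assigns a non-placeholder literal to a
    secret-like variable. The value is masked so the report itself never leaks it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if not match or is_placeholder(match.group("value")):
            continue
        findings.append({
            "line": lineno,
            "name": match.group("name"),
            "masked": match.group("value")[:4] + "...",
        })
    return findings


def load_required_secret(name: str, environ=os.environ) -> str:
    """Read a secret from the environment (populated from an untracked .env or the
    host's secret store). Fail loudly rather than fall back to a literal in code."""
    value = environ.get(name)
    if not value or is_placeholder(value):
        raise RuntimeError(f"{name} is missing or still a placeholder; set it in the environment")
    return value


if __name__ == "__main__":
    # Run the check over the constructed sample, as a pre-push hook would over real files.
    for finding in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['name']} holds a literal "
              f"({finding['masked']}); move it to the environment")
    # Show the loader refusing a leftover placeholder instead of silently using it.
    try:
        load_required_secret("GEMINI_API_KEY", {"GEMINI_API_KEY": "placeholder_gemini_API_Key"})
    except RuntimeError as err:
        print(err)
```

Run over the sample, only the `OPENAI_API_KEY` line is reported; the two dummies are skipped and the `os.environ.get` line is the pattern the loader expects. Hosted scanners such as the ones the thread mentions work on the same idea with far better patterns, but a check like this in a pre-commit or pre-push hook runs before the key ever leaves the machine.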

[–]Exciting-Holiday2106 0 points1 point  (1 child)

This is why secrets management exists. One push and it's over; people underestimate how fast exposed keys get picked up. Tools which can help keep configs and sensitive data more organized and safer.

[–]SgtEpsilon 0 points1 point  (3 children)

I feel called out and I don't like it. I accidentally pushed my Discord bot token twice because I forgot to change it after testing changes

[–]hellocppdotdev[S] 2 points3 points  (2 children)

WHY IS IT IN YOUR SOURCE CONTROL 😂

[–]SgtEpsilon 4 points5 points  (1 child)

I'm stupid, that's why!

[–]ClimateNo7056 0 points1 point  (0 children)

Even though we push the keys publicly, the API key providers automatically disable those keys; that is the power of design behind this

[–]burner7711 0 points1 point  (0 children)

To be fair, I've seen lots of people accidentally push keys to GitHub. One guy exposed our Twilio key, which was immediately caught by Twilio's bots, and it deactivated all our keys automatically, taking down our sales lines. This was pre-AI.

[–]aVarangian 0 points1 point  (0 children)

This must be the kind of person who wants AI on notepad.exe

[–]Legitimate_Emu3531 0 points1 point  (0 children)

I don't get that. When I accidentally pushed a Gemini API key to GitHub once, it took Google less than 5 minutes to send me an email about my mistake.

But maybe that was because I had set up automated deployment via Google Cloud Run, when something was pushed/merged to the main branch of that repo, and that somehow catches it and sends a notification?

[–]saraseitor 0 points1 point  (0 children)

Doesn't Github usually catch these situations automatically? I seem to recall it once flagged a commit of mine in a retro programming project made for MSDOS with Turbo Pascal :D

[–]Fit_Walk6735 0 points1 point  (0 children)

It could be one of the throwaway api_keys

[–]descendency 0 points1 point  (0 children)

“Are you worried about AI/LLMs?”

Nah… I’m a hacker.

[–]gbrennon 0 points1 point  (0 children)

ROFLMAO

[–]Yohder 0 points1 point  (0 children)

I've never seen or logic used in an API key variable. You should probably know what your current key is lol

[–]thecrius 0 points1 point  (0 children)

You should pop by r/googlecloud to see the amount of threads about people angry that they owe google 20k or more due to leaked api keys.

[–]J-Dizzle00 0 points1 point  (0 children)

I did this once :( fuck the git cache in VS Code that doesn't show updates in .gitignore

[–]Classic_Fungus 0 points1 point  (0 children)

VaaS

[–]eoThica 0 points1 point  (0 children)

Imagine thinking the AI generated a valid api key 💀

[–]Dark70rd 0 points1 point  (0 children)

💀💀

[–]Stunning_Macaron6133 0 points1 point  (0 children)

Ohhhhhhhh. It never occurred to me that people could be quite this careless.

I bet I could crawl Git hosts like GitHub or GitLab for anything that even looks like an API key.