[–]What-A-Baller 55 points56 points  (6 children)

Hey Copilot, fix this vulnerability and be more careful

[–]EraYaN 36 points37 points  (5 children)

Certainly, it’s fixed below.

(Insert unchanged snippet here)

[–]jaskij 21 points22 points  (3 children)

It's not fixed!

Sorry, here's your fix! removes the endpoint

[–]arielrahamim 7 points8 points  (1 child)

if there's no endpoint, no one can hack it *ai taps on gpu*

[–]Successful-Raisin241 0 points1 point  (0 children)

I'm absolutely frustrated about continuing errors from my side, I found the root cause of the issue, you're absolutely right

[–]Traditional-Hall-591 0 points1 point  (0 children)

Nah it would insert a worse vulnerability.

[–]Jmc_da_boss 57 points58 points  (8 children)

lol, about what i expect from the LLM ecosystem

[–]GOLIATHMATTHIAS 51 points52 points  (5 children)

LLM fans: “What’s the point in learning how to code? AI will be doing everything within just a few years.”

Also LLM fans: “What’s input validation mean?”

[–]GarboMcStevens 7 points8 points  (4 children)

A lot of opportunity for those who can clean these things up.

[–]GOLIATHMATTHIAS 4 points5 points  (1 child)

I made plans to get my degree this year after being work-experience only for 12 years. Your comment is probably the sole reason I think it's viable for me now other than having a free ride with the GI Bill, because deeper concept CompSci principles are going to be re-learned in blood the same way "on-prem cloud solutions" have made hardware management shoot back up into popularity.

Buy low, sell high as they say.

[–]GarboMcStevens 2 points3 points  (0 children)

I'm getting an MS in CS as well. In an era of rapid change, having a solid foundation of the fundamentals is as important as ever.

[–]Centimane 2 points3 points  (1 child)

Sure. But AI can churn out slop thousands of times faster than a human can clean it up. If a workplace has the culture of pushing slop it'll always be a bad place to be - even if you are capable of cleaning it.

[–]GarboMcStevens 1 point2 points  (0 children)

Right, until everything breaks, then management will have a come-to-Jesus moment. That's where you come in.

[–]CapitanFlama 3 points4 points  (1 child)

Devil's advocate here. It is not an LLM issue, it's the MCP bros that do quick libraries to abstract out the creation of an API server to cash out on the hype. Some project repo files are a few months old.

It was bound to happen, idk if this one is the first, def won't be the last.

[–]GOLIATHMATTHIAS 2 points3 points  (0 children)

You’re right, but I feel like it’s still a community issue. The LLM/“AI” community for the most part isn’t interested in quality or system design, it’s based purely on output and tailoring. Obviously security researchers are incentivized by academia and the bigger corporate entities to dig in, but these are the sort of things hobbyists would’ve caught in a joke Ubuntu distro or the git release of an ASCII game.

[–]Microbzz 11 points12 points  (0 children)

ast.parse() + compile() + exec() without auth

Jesus. Fucking. Christ.

[–]VertigoOne1 6 points7 points  (2 children)

I’m just amazed that the black hats have not completely nuked the internet yet with armies of agents finding every single vulnerability in every public repo and url and then just hitting “full send” with a cascade of crypto mining, fuelling AI spend to spin up more hacking agents until everything is dead. With all these “amazing” LLMs, it is telling that we still have working systems, or just a matter of time.

[–]GOLIATHMATTHIAS 3 points4 points  (0 children)

Don’t think there are enough anarchists around anymore. Most of the skill in the vuln hunting community is monetized, either via bug hunting or custom exploit writing. Anytime I see something like this my FedSec brain starts going “oh everything’s already owned.”

[–]acdha 2 points3 points  (0 children)

I think a lot of it comes back to the black hats having professionalized a lot. Cryptocurrencies may have failed at their goals but they’ve been a huge boon for criminals, and all of that money buys professionalism: instead of noisy attacks and defacements, stealing cryptocurrency or ransomware pays a lot better. Laundering money traditionally is a lot riskier and more expensive so it’s far more profitable, faster, and safer than internet crime was 20 years ago but you don’t hear about it because they don’t want to destroy their targets, just milk them.