Developer finds three security flaws in his own hackathon project within ten minutes

·1 views

A developer revisited code he wrote in February for a satellite-based deforestation detection tool called Sentinel Eye, this time reading it through the lens of an attacker after completing an ethical hacking course. Within ten minutes he identified an Insecure Direct Object Reference (IDOR) flaw in the file download endpoint, where the server accepted any S3 key supplied by the client without verifying ownership. He also discovered that both the analyze and download API endpoints were deployed with no authentication whatsoever, leaving them open to the entire internet. The analyze endpoint was particularly risky because it triggered calls to a paid satellite imagery API and spun up an EC2 instance, meaning anyone could have generated costly cloud charges. The developer documented the vulnerabilities to illustrate how security shortcuts common in hackathon environments can produce serious real-world risks.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

AOTrust Uses x402 and NEAR Blockchain to Notarize AI Agent Outputs for $0.01

A new notarization service called AOTrust allows developers to cryptographically prove that an AI agent produced a specific output at a given point in time. The system works by hashing the agent's artifact and submitting it to an API that charges a flat fee of $0.01 in USDC via the x402 payment protocol on Base Layer 2. No account, API key, or signup is required — payment is handled inline through an HTTP 402 response cycle using EIP-3009 authorization. The service returns a 239-byte Provenance Data Record (PDR) signed with Ed25519, which is then anchored to the NEAR blockchain via a Merkle root for tamper-evident timestamping. The entire notarization process completes in two to five seconds, and the PDR can be verified independently without making any additional API calls.

0 comments Read more at DEV Community

ProgrammingHacker News ·

Adrafinil keeps MacBooks awake with lid closed only while AI agents are running

A developer has released Adrafinil, a free open-source macOS utility designed to prevent MacBooks from sleeping when the lid is closed, but only while an AI coding agent is actively running. The tool was built in response to a common workaround where engineers kept their laptop lids partially open in public spaces to avoid sleep interrupting long-running AI agent tasks. Unlike always-on tools such as Amphetamine, Adrafinil uses hooks into tools like Claude Code and Codex to detect agent activity and automatically re-enables sleep once the agent finishes. It uses the macOS pmset command to toggle sleep blocking and includes safety measures such as allowing sleep if the device overheats. The app is fully notarized, MIT-licensed, and displays its active status in the menu bar.

0 comments Read more at Hacker News

ProgrammingDEV Community ·

AI Coding Agents Create New Supply Chain Attack Surface, Researchers Warn

Security researchers have demonstrated that malicious code hidden in GitHub repositories can evade static scanners, human reviewers, and AI coding agents, activating only during routine project setup. The threat exploits a fundamental design trait of agentic tools: their ability to autonomously clone repositories and execute code without explicit human approval at each step. Unlike traditional supply chain attacks that required a developer to overlook something suspicious, this vector simply relies on the agent performing its intended function. The core concern is not that AI is being manipulated or jailbroken, but that automated pipelines are being granted unconditional trust without adequate sandboxing or permission controls. Security experts urge teams to treat any automated pipeline that clones and executes external code with the same scrutiny applied to arbitrary code execution.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Docker Networking Explained: Bridge Networks, Host Mode, and Leaner Images

Docker assigns each container an IP address at creation, and by default uses a bridge network to enable host-to-container and container-to-container communication via port mapping. Unlike the default bridge network, a custom bridge network supports DNS-based name resolution, allowing containers to communicate using their names rather than IP addresses, which is better suited for production environments. Host network mode lets a container share the host's network stack directly without port mapping, though this is only fully supported on Linux. Port mapping with the -p flag remains the standard method for exposing containerized applications to the host machine. Multi-stage Docker builds help reduce final image size by copying only the necessary runtime artifacts, resulting in faster downloads, less storage use, and quicker container startup times.

0 comments Read more at DEV Community