Being in security I laughed because of how egregious it was but also because I knew someone on HN with some actual time on their hands to help properly would be along soon.
I also appreciate this post mortem. Vibe-coded anything in prod is a lot of my work load in IR these days but it was nice to see such a low stakes project properly documented.
People need more understanding of the risks of vibe coding and YOLOing to prod with these tools. They are powerful, but like all powerful tools, can be wielded irresponsibly.
most in-use LLMs prompted with a simple "You're in charge of infrastructure security, let's review possible problem points" would have uncovered this.
I wouldn't fault a compiler for erring when someone left out a period; i'd tell the person to start including it -- but for some reason the expectation for LLMs is hands-off work ; I guess we're just in that phase of the hype at the moment.
I'd fault it if it silently injected multiple serious vulnerabilities.
The expectation is the same as the expectation for self driving: users expect it to be fully hands off, even when they are explicitly told they need to keep their hands on the wheel.
This is because it's tricky, tedious, and unejoyable to thouroughly vet the actions of a machine in realtime.
Not sure what's being marketed, but I expect mediocre.
Am I the only one that feels like it’s really condescending when people say this on the internet?
It sounds like something you would see on a community college writing assignment
If someone asks for a better way to word something to reduce reader hostility to their point, I assume that they will be better off for knowing the answer to that question, and can decide for themselves whether they want to change their writing style or not - and, whether they do or do not, the effects of their writing will be more intentional.
I don't really know what you want me to tell you about it. The swastika per se as I recall had to be drawn backwards, because there is no meaningful overlap between its outline and that of a fish, so unlike the penis case this is very easy for the classifier. It wasn't clever and it wasn't funny. Several people reported it and it quickly disappeared, whereupon apparently someone decided we shouldn't have nice things, or not for a little while at least.
So think of 4 Chan but fish. Like the entire screen.
50 of the fish are just regular fish with slurs written in them.
There’s like 10 swastika fish moseying around.
And then you have the odd fish with like an Isreali flag with…let’s say stereotypical features for the face.
> But if you had the displeasure of viewing my website between the hours of 2AM (20 minutes after I went to sleep) and 8AM (when I woke up) EST on Aug 3, then you would have seen chaos. Every single username was transformed to a heinous slur, many unsavory fish had made it into the fishtank, and many beautiful fish were gone.
At some point, asking for more starts to seem like rubbernecking at a car crash, you know?
Curious if you were inspired by Lego's build-a-fish* exhibit at the Lego House? I visited recently and it is ridiculously addictive to see a fish you create swim with others :)
This is so true. This post mortem also highlights a reason why so many of my side projects have died. There’s always a point where I need to get into the actual boring work of the project.
POST https://fishes-be-571679687712.northamerica-northeast1.run.a... {"fishId":"xxxx","vote":"up"}
In those cases you'd be denied votes since someone else used them up
Added :) https://aldenhallak.com/blog/rss.xml
That said, the 2021 OWASP Top 10 had "broken access control" in the top spot already, prior to the real takeoff of vibecoding: https://owasp.org/www-project-top-ten/ - curious to see the 2025 update.
https://drawafish.com/rank.html?userId=1754341779700_log2xle...
Edit: it's been deleted.
Pretty mild, all things considered.
Is it pretty common to get doxxed for getting to the top of HN?
Just ignore the trolls and wait for the fish mods to ban them.
But if you show HN something... and it makes HN-reading KF users think "OH EXPLOITABLE!!!111!" so they post it to KF... they're basically going to test if your moderation works or not. If you only have some automated rules or even "AI" as the moderation, not humans, then they're very quickly going to work out what gets past your automated filter and what doesn't, faster than 4chan can make Microsoft's Tay say "Hitler did nothing wrong".
Then the KF users will gloat about the slur-ridden fish they've made.
Then KF-reading Sharty users will learn about it, the rest of the Sharty will join in the game.
Then they'll get angry that your "normie" userbase has given a Palestine flag fish named "River to the Sea" the most upvotes, and an Israel flag fish the most downvotes, they'll want to cheat and hack their own creations to the top. So they'll start looking for an admin interface.
When they find one, but find it needs credentials, the first place they'll go looking for password clues is all your socials, all your previous forums, basically your whole identity. And if they hit paydirt, of course they'll post whatever they find, because for them, doxxing people is fun too.
IANAWD: What is more appropriate than an admin token being able to authenticate admin actions?
It's like I have a security access card to gain entry to a building, it's not really serving its purpose if I give you my pass and you turn up, they need to check it belongs to the person presenting it.
I can draw a fish facing left, but for some reason it's very difficult to draw one facing right.
Here in Zurich there's a mural of maybe twenty dinosaurs (not accurate but something that looks like it would be in a children's book). One day someone drew a dick on every single dinosaur. Even the flying pterodactyl had a big dick hanging off of him. It was so puerile and primitive it cracked everyone up that saw it. No tags. No football club graffiti. Just dicks everywhere. Thankfully the mural was repaired pretty quickly.
Edit: yes, the site too terrible to name as evidenced by the reply to this comment becoming dead within minutes l-o-l
But even before LLM coding, I had team members walk into its numerous footguns - especially around public buckets and bad firestore rules. How many of these stories are really to be blamed on the AI tooling, and how many could be blamed on the very poor default settings of Firebase?
> It is really fun to just have high velocity, and it is really fun to not do code reviews and to just push stuff.
Was slurfish fun?
Looks like if you don't like doing deep and thorough code reviews, LLM-generated code is not for you.
As the author concludes, "...LLMs are a tool. They let you generate a lot of code really fast...it is up to you to review it"
Yes.
It was for someone!
Later I saw images of the attacked site posted elsewhere and thought they were both predictable and hilarious.
At least people trying to see if they can get around a fish detector are going to preferentially submit toilets and tires (and dicks, sure). :)
Honestly - i think often so many people take tech very seriously so seeing this is quite refreshing and genuinely interesting from small side coded project point of view.
Trying to understand better where the JWT vulnerability was here, you said: “So you could log in with my username and password, grab the JWT, and then send that along with your request.”
Am I understanding here that you weren’t validating the sub/userId or role in the JWT? I.e. any user with a valid JWT could hit the admin api endpoints? Or did I misunderstand that?
Well, there ya go.
To be fair, it says the attention was unexpected, and this was just a coding exercise... And the port-mortem shows what I'd hope to see: digging in and figuring out root causes. So I'm not judging OP poorly over this.
But still. Launching a vibe-coded app that accepts input from anonymous users is just asking for trouble. I'm frankly surprised it ran as long as it did without such problems. (Although I did see a few weenies swimming around even before the problem hours.)
The lesson I'd pull from this is that if you are not the type of dev who could put together a post-mortem along these lines... don't launch a vibe-coded app.