科技回声 (Tech Echo)

Home | 24-hour top | Latest | Best | Ask | Show | Jobs | GitHub | Twitter
A tech news platform built on Next.js, providing global technology news and discussion.
Resource links: HackerNews API, original Hacker News, Next.js

© 2025 科技回声. All rights reserved.

Devin AI security vulnerability discovered live on stream [video]

24 points, by slashnode, 6 months ago

6 comments

gnabgib, 6 months ago
Interesting comment from @Topfi last time this was posted (6 points, 2 days ago): https://news.ycombinator.com/item?id=42404132
CGamesPlay, 6 months ago
Skipping over most of this (the vulnerability is not really investigated at all in the stream). But the gist of it is that "access Devin's machine" links are tough-to-guess but unauthenticated URLs, so anyone who has that URL has all the same access Devin does to your account.
theogravity, 6 months ago
I don't want to watch a 55 minute stream to see what the actual vuln is. Can someone summarize?
Comment #42420914 not loaded
jazzyjackson, 6 months ago
I don't know what Devin is, but it sounds like this is just a case of using a high entropy uuid as a workspace address. It's not that different than password auth if, say, your password was in the query string. Not great, but basically it's the "anyone with a link" method of sharing access.

Did Google Photos ever change their auth scheme? I know I was surprised once when I found out the direct URL of my jpegs was "public".

Here's an archived link to the Twitter thread you can read without an account: https://xcancel.com/TheMidasProj/status/1867318553046921376

Comment #42421124 not loaded
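The two comments above (CGamesPlay's "tough-to-guess but unauthenticated URL" and jazzyjackson's "anyone with a link" framing) describe a capability URL: the secret in the query string is the whole credential. The following is an added example, not code from the thread and not Devin's or anyone else's implementation, that puts that pattern beside a hardened share token which is scoped, time-limited, revocable, and only honoured when presented by the authenticated user it was issued to. Every name here (`issue_capability_url`, `verify_share_token`, the in-memory stores, `example.invalid`) is a hypothetical construction for illustration.

```python
"""Capability URL vs. session-bound share token (added example, hypothetical names)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# --- Scheme A: bare capability URL ("anyone with the link") -----------------
# Constructed in-memory store: token -> workspace id.
WORKSPACES = {}


def issue_capability_url(workspace_id):
    """High-entropy token in the query string; the URL itself is the credential."""
    token = secrets.token_urlsafe(32)
    WORKSPACES[token] = workspace_id
    return f"https://example.invalid/workspace?access={token}"


def access_via_capability_url(url):
    """No session check: whoever holds the URL (logs, referrers, chat paste) gets in."""
    token = parse_qs(urlparse(url).query).get("access", [""])[0]
    return WORKSPACES.get(token)


# --- Scheme B: scoped, expiring, revocable, session-bound share token --------
SERVER_KEY = secrets.token_bytes(32)  # constructed server-side HMAC key
REVOKED = set()                       # nonces of tokens revoked by the owner


def issue_share_token(workspace_id, user_id, scope, ttl=900):
    """Token carries workspace, intended user, scope, expiry and a nonce, all MACed."""
    exp = int(time.time()) + ttl
    nonce = secrets.token_urlsafe(8)
    payload = f"{workspace_id}|{user_id}|{scope}|{exp}|{nonce}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_share_token(token, session_user, needed_scope, now=None):
    """Return the workspace id only if MAC, expiry, revocation, user and scope all pass."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 6:
        return None
    workspace_id, user_id, scope, exp, nonce, mac = parts
    payload = f"{workspace_id}|{user_id}|{scope}|{exp}|{nonce}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if now > int(exp) or nonce in REVOKED:
        return None
    if user_id != session_user:   # the link alone is useless without that user's session
        return None
    if scope != needed_scope:     # a "read" link cannot be replayed for "write"
        return None
    return workspace_id


def revoke_share_token(token):
    """Owner-side kill switch: invalidates this one token without rotating the key."""
    parts = token.split("|")
    if len(parts) == 6:
        REVOKED.add(parts[4])


if __name__ == "__main__":
    url = issue_capability_url("ws-1")
    print("capability URL, presented by anyone:", access_via_capability_url(url))
    tok = issue_share_token("ws-1", "alice", "read", ttl=60)
    print("share token, alice/read:", verify_share_token(tok, "alice", "read"))
    print("share token, mallory/read:", verify_share_token(tok, "mallory", "read"))
    revoke_share_token(tok)
    print("share token after revocation:", verify_share_token(tok, "alice", "read"))
```

The first scheme is what the thread describes: the token's entropy makes guessing impractical, but nothing ties the URL to a session, so the secret is only as safe as every place the URL travels. The second scheme keeps the convenience of a shareable string while making it expire, carry a single scope, be revocable per link, and require the recipient to already be logged in as the intended user; a leaked link then grants nothing on its own.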
satisfice, 6 months ago
I tried to watch this, but a young man’s silly antics are not educational for me. Maybe people who stream have to ham it up to get likes, but I’d rather see serious people at work.
google234123, 6 months ago
It's a funny stream. Devin spends one and a half hours trying to push to master.