I wouldn't be so optimistic. There are often credentials to other systems (like ... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

quacker on Aug 30, 2017 | parent | context | favorite | on: Multiple vulnerabilities in RubyGems

I wouldn't be so optimistic. There are often credentials to other systems (like databases, etc) on such servers, plus they now have access to the private network(s) the compromised server resides on. It gives the attacker the opportunity to serve exploits to users, to forward incoming requests from users to external servers (maybe there's an auth token or something they can use), and tons of other stuff.

lotyrin on Aug 30, 2017 [–]

Yep. Even if you only owned a perfectly sterile (no secrets) proxy tier to a distinct service tier, you are placed in the path of requests from clients to those services and can thereby extract credentials (passwords, tokens) or PII (names, emails), which would still be unacceptable.

Consider applying for YC's Spring batch! Applications are open till Feb 11.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact