[HN Gopher] Tesla.com/.gitignore
___________________________________________________________________
Tesla.com/.gitignore
Author : nateb2022
Score  : 332 points
Date   : 2022-11-25 19:26 UTC (3 hours ago)
web link (www.tesla.com)

djegod wrote:
| Ask myself what other files will be exposed?
mlindner wrote:
| I think a lot of people in here are overreacting a bit. This is an interesting curiosity that doesn't really have any bearing on any of Tesla's internal software.
[deleted]
jbverschoor wrote:
| So basically you run an endless script to fetch https://www.tesla.com/sites/default/settings.php and hope that some day there will be a minor nginx config error which lets you download the php source instead of executing it.
|
| This will happen some day, so invest 5 bucks per month to exploit Tesla at a certain point, so maybe you can be first in line for the Cybertruck :-)
TechBro8615 wrote:
| This comment transported me back to 2010 or thereabouts when this happened to Facebook. I remember being surprised at the simplicity of the code and making a lot of jokes about "build a facebook clone" ads on freelance websites.
rvnx wrote:
| This seems to be a too sophisticated attack, sometimes simplicity is better: https://samcurry.net/cracking-my-windshield-and-earning-1000...
j-bos wrote:
| Great read
grumple wrote:
| Pretty sure every site on IPv4 gets probed multiple times a day for common config leaks and other misconfigurations. Happens to all of mine.
jbverschoor wrote:
| Yeah, but if a gitignore tells you where to look, and it isn't even blocked by a WAF / rule, it makes an interesting target, esp. one of the largest companies out there.
|
| You shouldn't even be able to execute settings.php
TechBro8615 wrote:
| It's a good sign there might be an exploitable file upload vulnerability, if you can find an endpoint that uploads files to a directory that's served by Apache with the same configuration as the directory of the executable settings.php
retrocryptid wrote:
| Except that you'll find that error long before the cybertruck ships. Heck, you'll probably see the rebirth of NFTs and BTC over US$40000 before the cybertruck ships.
KevinBenSmith wrote:
| Can't access it...
[deleted]
[deleted]
jjgreen wrote:
|   # Ignore configuration files that may contain sensitive information.
|   sites/*/settings*.php
|
|   # Ignore paths that contain user-generated content.
|   sites/*/files
|   sites/*/private
[deleted]
codetrotter wrote:
| Archived copy for reference https://archive.ph/C6qJ4
datalopers wrote:
| They've got something a bit more fucked up than just an exposed .gitignore
|
|   $ curl -si https://www.tesla.com/ | grep generator
|   x-generator: Drupal 9 (https://www.drupal.org)
|   $ curl -si https://www.tesla.com/authorize.php | grep generator
|   x-generator: Drupal 7 (http://drupal.org)
|
| So they have at least two versions running at the same time. The /authorize.php [1] uri also yields a 500 (instead of a 403 like most of the other resources), which implies Apache is most likely passing the request off to PHP and the script has a fatal or unhandled error.
|
| The webroot appears to be a Drupal 7.x installation and Apache is serving that content directly (e.g. https://www.tesla.com/MAINTAINERS.txt same as [2]) and trying to run some of it (authorize.php), while happy-path requests are being reverse-proxied to a Drupal 9.x installation.
|
| [1] https://github.com/drupal/drupal/blob/7.x/authorize.php
|
| [2] https://github.com/drupal/drupal/blob/7.x/MAINTAINERS.txt
deathanatos wrote:
| My knee-jerk reaction is that this looks like a marketing/eng split, or even just marketing/marketing. The main "corp" website of every org I've ever worked for is managed by marketing, not by engineering, and it usually shows in the quality. Usually drives someone in engineering (like me) slightly crazy, but honestly there are a million other larger fish driving me more crazy.
|
| IME they're almost always completely separated from the "real" systems that engineers are working on / managing. A compromise wouldn't go far, in the backend. Something like XSS would be worse.
|
| Always seems to come from some push to "running a website isn't our 'core focus' so we should vendor that" ... or something. I've also encountered immense push-back on eng-managed corp websites: all those pesky best practices get in the way of just shoveling "content" (i.e., PR) out. And so it ends up separated from eng.
ec109685 wrote:
| They likely have layer 7 load balancing sending different paths to different servers.
diamondo25 wrote:
| Guess Elon should go and reduce some Tesla services like he did with Twitter. Having different major versions of software running must take up a lot of maintenance...
koonsolo wrote:
| Maybe he should bring in some Twitter developers to review the code at Tesla.
keyle wrote:
| I usually don't engage in silly comments but this made me belly laugh loud, ta.
hdjjhhvvhga wrote:
| I believe this is the whole point of this submission.
[deleted]
frereubu wrote:
| "Support migration from existing Drupal 7 to the new Drupal 9 site"
|
| https://www.tesla.com/careers/search/job/sr-software-enginee...
justinjlynn wrote:
| _polite chuckling_
hackGAWDpremium wrote:
| Drupalgeddon 7 exploit. Infinitesimal chance it's a vulnerable version.
| Unless we live in a sitcom simulation
dhritzkiv wrote:
| FWIW, a 500 doesn't imply the server is crashing. More likely just throwing a generic error, e.g. unexpected input -probably because it's expecting some form/data parameters- and failing the request early. It'd be more correct to return a 400 in this case, but the /authorize.php endpoint may only be used by tesla.com frontend, so they don't care if it's used in unexpected ways.
anamexis wrote:
| What's the distinction between the server crashing and the server throwing an error?
dhritzkiv wrote:
| Usually, a server throwing an error would mean that it is aware there was an unexpected state, and is itself consciously not fulfilling the request by returning a 500 error, for example. It remains available to handle the next incoming request.
|
| A server crashing implies that the server program or process itself has terminated, and is not able to handle further requests. This usually manifests as a 503 error by an upstream proxy server (nginx/apache/CDN/etc.).
[deleted]
sam_lowry_ wrote:
bri3d wrote:
| Not to defend the Twitter situation, which is foolhardy by almost any measure, but it's extremely uncommon for any company's main landing page to relate in any way to their software engineering team.
|
| Usually these marketing sites are running a CMS (this one looks like Drupal) which is owned and operated by either an internal team who report to the CIO / IT department (vs the Product/Engineering group) or a totally external third-party marketing firm.
|
| As long as the "real" product uses different subdomains, certificates, proper HSTS, cross-origin protection, and secure cookies (a tall order, yes, but something that would be an issue no matter what the marketing site is doing), security issues in the "marketing" site aren't as bad.
| Of course a marketing site takeover is still worrying, as it's a prime entry point for spearphishing and horizontal movement through social engineering, but these usually aren't the same engineers or security team at all.
cmeacham98 wrote:
| Nobody (sane) is saying this is a security vulnerability or the like (especially as it seems to be a default Drupal gitignore). It's just a funny mistake from a "software first" company.
shudza wrote:
| So what is gonna be your opinion when it gets fixed?
cmeacham98 wrote:
| "It used to be a funny mistake by Tesla but now it's fixed"?
|
| What are you expecting here?
mlindner wrote:
| There's several people in the comments saying exactly that kind of thing in this thread including people asking if it leads to vehicle code exploits.
cmeacham98 wrote:
| I never claimed everybody on HN was sane /shrug
[deleted]
[deleted]
ackatz wrote:
| Getting 403 Forbidden now
Hormold wrote:
| Check this: https://cdn-design.tesla.com/tds-fonts/
|
| Saved version:
|
|   TypeError: Cannot read property '0' of null
|       at forceFontAssetSource (/app/routes/middleware/moduleVersion.js:89:32)
|       at Layer.handle [as handle_request] (/app/node_modules/@tesla/design-system-tools/node_modules/express/lib/router/layer.js:95:5)
|       at trim_prefix (/app/node_modules/@tesla/design-system-tools/node_modules/express/lib/router/index.js:317:13)
|       at /app/node_modules/@tesla/design-system-tools/node_modules/express/lib/router/index.js:284:7
|       at Function.process_params (/app/node_modules/@tesla/design-system-tools/node_modules/express/lib/router/index.js:335:12)
|       at next (/app/node_modules/@tesla/design-system-tools/node_modules/express/lib/router/index.js:275:10)
|       at cors (/app/node_modules/cors/lib/index.js:188:7)
|       at /app/node_modules/cors/lib/index.js:224:17
|       at originCallback (/app/node_modules/cors/lib/index.js:214:15)
|       at /app/node_modules/cors/lib/index.js:219:13
[deleted]
ericmcer wrote:
| A
| company's marketing website and their actual products have little in common. I would be surprised if any engineers even work on the marketing website and blown away if it is co-located with something sensitive.
behnamoh wrote:
| Can someone explain why this is leaky and how it can be exploited by malicious actors?
mlindner wrote:
| It's not really leaky and can't be exploited by anyone. It's an interesting curiosity at best.
bobthepanda wrote:
| The gitignore explicitly called out where the sensitive settings file is, so presumably that makes it a lot easier to figure out where to start injecting bad code
Alupis wrote:
| Sure, but this appears like some very standard directories for popular website CMS platforms like Drupal.
|
| So, not very surprising and probably doesn't really tip anyone towards anything particularly special.
m00x wrote:
| It's probably caused by an incorrect nginx configuration, which means other static files may be exposed.
|
| Otherwise, it's not much of a leak.
rvnx wrote:
| This shows that the teams in charge of code deployment have relatively weak quality control.
|
| In practice, it means that if the gitignore file is leaked, that there is a substantial risk that they accidentally leak the .git folder someday.
|
| The .git folder indirectly contains downloadable copies of the source-code of the website, which could very likely lead to credentials leak or compromised services.
|
| Your life can depend on Tesla.com services.
|
| Even if you are the pedestrian side.
extheat wrote:
| What makes you think that there is some "substantial risk"? You seem to be mixing together git repos and site deployment rules. I don't see the big deal here with some CMS leftovers being deployed, but yes from a perspective of correctness this is not something that needs to be deployed.
drexlspivey wrote:
| So basically everyone's life is at risk because the .gitignore got leaked. That sounds reasonable.
bpodgursky wrote:
| I'd be pretty surprised if the marketing / landing site was remotely connected to the user portal. Most companies have a marketing-friendly CMS for public content, disconnected from the actual customer-facing portal.
rvnx wrote:
| Tesla.com seems to be more than marketing, at least customers can sign-in there to do car operations.
|
| If you can grab credentials from there you can do quite some things already.
|
| See https://www.teslaapi.io/authentication/oauth (and this is in the case you don't trick an employee).
|
| But I agree, that normally at some point they would catch it.
mlindner wrote:
| > This shows that the teams in charge of _website_ code deployment have relatively weak quality control.
|
| FTFY. Little of Tesla's software is whatever they're using on the website. That'd be like judging Apple OS software by their website source.
rvnx wrote:
| This is customer control panel, which directly leads to car APIs behind that are using the same credentials.
|
| On the same domain there is also the Tesla SSO.
|
| It would be bad if this gets compromised as there would be direct impact in the physical world, not just a static landing somewhere.
anonym29 wrote:
| It's leaky because it's globally accessible and provides information that isn't otherwise readily apparent.
|
| There is no guarantee that an exposed .gitignore (or other exposed files, like .htaccess, robots.txt, etc) will be exploitable, but they aid in the discovery process and may help adversaries uncover exploitable vulnerabilities they might have otherwise missed.
|
| At the extreme, I've seen paths of backups of the production database listed in a publicly readable .gitignore, and that database backup was publicly accessible, too.
|
| Most of the time, nothing sensitive is revealed, but defense in depth suggests it's better to not upload files like these to your web server unless they're being used by the webserver (like .htaccess) or crawlers (like robots.txt), and if you do, they ought to not be publicly readable (unless intended, like robots.txt), but even then, you'd want to make sure nothing sensitive is in any file like that which is publicly readable. Even if there's nothing sensitive in them now, there's no guarantee that nothing sensitive will ever be added.
oceanplexian wrote:
| I'm gonna give my counter take. Information disclosure is something that the DevSecOps(tm) crowd spends a disproportionate amount of time on for little benefit. The number of security professionals who don't know how to code, but learned Nessus or CrowdStrike and criticize others is too damn high.
|
| I had to work with a security team in a FAANG for several years. They were so high and mighty with their low sev vulnerabilities, but they never improved security, and refused to acknowledge recommendations from the engineers working on systems that needed to be rearchitected due to fundamental problems with networking, security boundaries, root of trust, etc. Unsurprisingly, their "automated scanner" failed to catch something an SRE would have spotted in 5 minutes, and the place got owned in a very public and humiliating way.
|
| When I see things like this it brings back memories of that security culture. Frankly I think Infosec is deeply broken and gawking over a wild .gitignore is a perfect example of that.
Fnoord wrote:
| There's no need to minimize or explode this; we need to put this into proportion. An information leak by itself is nothing, but it must be reported and taken seriously (by default, it should be fixed).
|
| I'm not disappointed this happens at tesla.com; I expect as much. But to many people, this is a top-notch brand.
| You don't expect this on google.com or nsa.gov or fbi.gov either, do you?
acdha wrote:
| I work in .gov so I have a lot of experience with that kind of security "engineer" but I'd take a more moderate position. This stuff is super-easy to resolve so you should spend a couple of minutes closing it and then focus on more complex things, with the reason being that when something like log4j happens you aren't making it so easy for attackers to know whether you're vulnerable - passively telling them makes it easier to avoid things like WAF blocking rules which will block IPs which actively probe.
anonym29 wrote:
| I'm a professional red teamer at a FAANG company, for reference. There are plenty of times where I find several low severity vulnerabilities, none of which are exploitable alone, but which can be chained together to produce a functional exploit with real impact.
|
| There's no guarantee any of your testers will find every issue, and there's no guarantee that a seemingly innocuous finding can't have a greater impact than might readily be apparent.
|
| That said, there are a ton of charlatans in security exactly like you describe - folks who can't read code (let alone write it) who just know how to click "scan" on their GUI tools and export the report to a PDF. A lot of orgs have a QA-level team running those automated scans, which get passed on to a penetration testing team, who have more experience, but a limited time window for testing, and then finally on to red teams, who, along with some appsec / product security folks who are embedded directly on product teams, tend to have the most expertise, and the most time to really dive deeply into a service or application.
|
| Also, keep in mind that those gawking over this probably aren't security folks, and the competent security folks here may not be gawking at the file itself (or others) - just taking part in the discussion.
shudza wrote:
| It's not an arbitrary thing, and any kind of vulnerability (including this one) is potentially a step in a chained exploit. I wouldn't be surprised if we see a hack before Tesla fixes this. And yes, they will fix it because it's a security issue.
[deleted]
kadoban wrote:
| It's a bit of an information leak, but probably not a particularly serious one. It just gives some information about what tech stack they're using, which isn't really public but also not that hard to find out, and maybe a bit about where an attacker would want to look for other sensitive stuff. Pretty minor really, on its own.
|
| It is a bit embarrassing because most web servers (and deployment setups) shouldn't be publishing/serving dot files anyway (files with names beginning with dot). But it's not necessarily a problem as long as they have some protection to avoid the _really_ sensitive stuff leaking, it's just kind of funny.
tomjakubowski wrote:
| Interesting, the exclude file (actually, everything under .git/info) 403s, while .git/index is a 404.
|
| - https://www.tesla.com/.git/info/exclude
|
| - https://www.tesla.com/.git/index
|
| README.txt 403s too. https://www.tesla.com/README.txt
|
| edit: just going to add files I've found here:
|
| - https://www.tesla.com/.editorconfig
|
| - https://www.tesla.com/profiles/README.txt
retrocryptid wrote:
| _sigh_
TechTechTech wrote:
| https://cdn-design.tesla.com/.git/ this url says 'No.'
sschueller wrote:
| At least https://www.tesla.com/.git/config is not accessible but still. This should never happen to a company that considers itself a software company first and a car company second.
tomjakubowski wrote:
| One place I worked for exposed .git on a PHP site to the world. Infra was ho-hum about the report until they got a PoC which cloned the repo.
[deleted]
[deleted]
v0idzer0 wrote:
| It's not leaky at all.
newbieuser wrote:
| universal galactic extreme programming requires it
nr2x wrote:
| Good thing these are the people who helped fire Twitter's security team. Sure that's going to work out great.
[deleted]
[deleted]
revskill wrote:
| So, should we just add .gitignore to .gitignore and problem solved ?
agumonkey wrote:
| the classic https://news.ycombinator.com/item?id=31420268
|
| > Git ignores .gitignore with .gitignore in .gitignore
alvis wrote:
| No. You never checkout a site directly from git to begin with. You don't let other people know what files are ignored from git doesn't mean people cannot access them. :/
teknopaul wrote:
| Nonsense.
|
| Everyone uses git for source control, of course you check out a site with git.
|
| All you are telling people with a .gitignore is what is _not_ available.
|
| It means exactly that people can not access them if your site is a checkout, because they aren't there.
NateEag wrote:
| Many of us have a build process that converts the contents of a checkout into a deployable site (a.k.a. "build artifact").
|
| The build process can trivially skip .gitignore files (and all other files that are strictly for dev environments).
|
| You then deploy the build artifact to production, with exactly the set of files which ought to be there.
noselasd wrote:
| There's cases where you don't need a build process for a site.
manojlds wrote:
| .gitignore to Dockerignore
|
| (Partly joking)
kadoban wrote:
| You're joking of course, but that likely won't do anything useful.
|
| If it's tracked, then ignore has no effect. If it's not tracked, then you might as well use .git/info/excludes which is pretty much the same thing but not tracked, or you can use a global excludes file, like ~/.gitignore is common (you have to configure git to point at it, iirc).
|
| It _could_ make sense to ignore the .gitignore if some other tool is parsing and using that file, but that pattern is...troublesome so I hope not.
vbezhenar wrote:
| ~/.config/git/ignore
kadoban wrote:
| Hm, did not know that had a default, thanks.
alvis wrote:
| There is a `cron.php` lol
MH15 wrote:
| behind auth as of 4pm ET though
sassy_quat wrote:
| Hilariously most people are unable to program in a secure fashion. https://www.zdnet.com/article/over-100000-github-repos-have-...
|
| News about Tesla's security seems vaguely wanting, I do not know what this .gitignore file is about, but it is quite alarming enough to draw conclusions from.
athesyn wrote:
| It's just their landing page, but still embarrassing nonetheless.
kalium-xyz wrote:
| My dear American friends. What if this is a psyop from tesla marketing to get your attention?
noncoml wrote:
| "Never attribute to malice that which can be adequately explained by stupidity"
paulryanrogers wrote:
| Very well could be a honeypot. Though neglect and accretion is more likely
dopeboy wrote:
| Along with the acquisition of Twitter.
ashirviskas wrote:
| So Tesla is free software: https://www.tesla.com/LICENSE.txt
[deleted]
hankchinaski wrote:
| I like the simplicity and pragmatism of using drupal. I wouldn't work with it myself but it was probably the cheapest/fastest way to get a similar site up and running
soheil wrote:
| > sites/*/settings*.php
|
| Yes PHP is still relevant!
dpcan wrote:
| Yeah. WordPress, Drupal, Joomla, Laravel, vanilla php. Together they power almost 45-50% of the web. So PHP is still extremely relevant. The most relevant you might be able to say.
dergachev wrote:
| Drupal
snapetom wrote:
| There was a posting just this week on a job site for a "Sr. Software Engineer, Backend Drupal" at Tesla. Putting together pieces like a leaked .gitignore file, job postings, etc. is social engineering in action.
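The checkout-to-artifact step NateEag describes above (and kadoban's point that a .gitignore rule does nothing for files that are simply copied to the server), as an added example that is not code from the thread, from Drupal or from Tesla: a POSIX-shell build step that copies a checkout and strips everything dev-only, plus a checker that can be pointed at an existing web root. The file list is constructed from what the thread found reachable (.git/config, .gitignore, .editorconfig, README.txt, MAINTAINERS.txt, LICENSE.txt, profiles/README.txt); .htaccess is kept because Apache reads it.

```shell
#!/bin/sh
# Added example, not Drupal's or Tesla's code.
#   find_dev_only DIR         print paths under DIR that must not ship
#   count_dev_only DIR        print how many such paths there are
#   build_artifact SRC DEST   copy a checkout to DEST, then remove them
#   make_sample_checkout DIR  constructed Drupal-7-shaped checkout for a dry run

find_dev_only() {
    # Any dot entry except .htaccess is pruned and printed, so a whole .git
    # tree is reported (and later removed) as one path.  Regular files with
    # the Drupal boilerplate names are reported too.  Paths are relative.
    ( cd "$1" && find . \
        \( -name '.*' ! -name '.' ! -name '.htaccess' \) -prune -print -o \
        -type f \( -name 'README.txt' -o -name 'MAINTAINERS.txt' \
                   -o -name 'LICENSE.txt' -o -name 'CHANGELOG.txt' \
                   -o -name 'INSTALL*.txt' -o -name 'UPGRADE.txt' \
                   -o -name '*.md' \) -print )
}

count_dev_only() {
    find_dev_only "$1" | wc -l | tr -d ' '
}

build_artifact() {
    src=$1
    dest=$2
    mkdir -p "$dest"
    cp -R "$src/." "$dest/"          # copy everything, dot-files included ...
    find_dev_only "$dest" | while IFS= read -r p; do
        rm -rf "$dest/$p"            # ... then strip what is dev-only
    done
}

make_sample_checkout() {
    # Constructed sample: the shape of a Drupal 7 checkout, not real content.
    d=$1
    mkdir -p "$d/.git" "$d/sites/default/files" "$d/profiles"
    echo '[core]' > "$d/.git/config"
    printf 'sites/*/settings*.php\nsites/*/files\n' > "$d/.gitignore"
    echo 'root = true' > "$d/.editorconfig"
    echo 'Options -Indexes' > "$d/.htaccess"
    echo 'Deny from all' > "$d/sites/default/files/.htaccess"
    : > "$d/sites/default/files/.gitkeep"
    echo '<?php // constructed settings' > "$d/sites/default/settings.php"
    echo '<?php // constructed front controller' > "$d/index.php"
    echo 'User-agent: *' > "$d/robots.txt"
    for f in README.txt MAINTAINERS.txt LICENSE.txt profiles/README.txt; do
        echo "constructed $f" > "$d/$f"
    done
}

# Stand-alone dry run: sh build.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_checkout "$tmp/src"
    echo "dev-only paths in checkout: $(count_dev_only "$tmp/src")"
    build_artifact "$tmp/src" "$tmp/build"
    echo "dev-only paths in artifact: $(count_dev_only "$tmp/build")"
    rm -rf "$tmp"
fi
```

Running `count_dev_only` against a live web root is the quick way to tell whether a deploy went through such a step or was a bare checkout.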
[deleted]
viraptor wrote:
| That's not social engineering. You're not convincing anyone to do anything or share anything with you. This is OSINT.
[deleted]
arcturus17 wrote:
| Does this not come as a surprise to anyone?
|
| I'd have figured that they would have rolled out their own custom headless CMS or something really complex. I mean, not that it doesn't make sense for them to use a bog-standard CMS tool, but my biases (halo effect?) would have made me think that they use something more unique.
rabuse wrote:
| Why over-engineer something that just doesn't bring much value to their company?
ElijahLynn wrote:
| Drupal is pretty powerful and there is a large talent pool for it, so it can probably handle all their CMS needs just fine. And that would be smart not to roll their own.
RobertWHurst wrote:
| You all are cringe. Anyone working in tech knows that most marketing sites are made by third parties, likely some WordPress shop. The hatred for Elon on this site is ridiculous.
misiti3780 wrote:
| it's very weird. someone responded once that hacker news is a bunch of smart dorks that are basically jealous because they have not achieved anywhere near as much as elon has. i think there is some truth to this.
akomtu wrote:
elleven wrote:
| https://www.tesla.com/LICENSE.txt Tesla opensource confirmed?
antman wrote:
| I think this site's code repository needs to be reviewed. Maybe should call some twitter engineers
[deleted]
alvis wrote:
| One of the best technology companies (let's assume it's) cannot maintain its site with modern technology. How can I trust them?
hutzlibu wrote:
| I do not trust Tesla because of the apparent instability of its owner, but not because its website does not use the most bleeding edge web technology. The website works and I see no information of any security flaws. This is what matters.
dingosity wrote:
| The reason people think this is bad form is it indicates the site operators did something they did not need to do. It is an artifact of carelessness at best or misunderstanding of how their web server software works at worst. You do not need to serve a .gitignore file for a site to perform its basic function. But the obverse is also true. Serving .gitignore does not detract from the function of the site.
|
| But among people who do this kind of thing for a living, there's a belief that every action you take (like copy a .gitignore file to the directory from which static files are served) should have an intent which can be traced to a specific requirement.
|
| It's crazy to believe some product manager sat down and put "serve up a .gitignore file" in their PRD. Some people are therefore taking the existence of the .gitignore file in Tesla's public webspace to demonstrate a lack of care when it comes to matching requirements with behaviour.
|
| But as people have pointed out, maybe this isn't a Tesla failing as much as it is a failing for one of their providers. And sure, on the list of failures, this is pretty minor. And if you can find a web host that ties behaviour to explicit requirements, I would _LOVE_ to hear about it. Web hosting is a low margin business which doesn't pay premiums for detail oriented staff. To be sure, there are some AMAZING people working for web hosting outfits, but my point is they are working at web hosting firms in spite of their technical capabilities, not because of them.
|
| To say Tesla is a crap-fest because they left a .gitignore in their public web-space is laughable. Tesla is a crap-fest because their stock is in the toilet, they often blow past promised delivery dates (cybertruck, anyone?) and are extracting cash from the rubes who believe "full self driving" means your car will drive itself in more than the most contrived of contexts.
|
| Elon Musk is not an idiot because you can read a .gitignore from tesla.com. Having done business w/ Mr. Musk, I can assure you he is not an idiot. But he also did not impress me as the super-genius many seem to make him out to be. He is not playing 4D chess. He's a reasonably intelligent guy who won the lottery (rich parents, older brother who cut him in for a percentage, met the right people just as the USG wanted to buy more launch capability and state and federal governments subsidizing electric cars.) If anything, he's uncanny in his ability to identify opportunity. Maybe that's even better than the Sili Valley execs whose skills extend to being white, pretty and GSB educated. (If you downvote me, please downvote me for the slight on the Haas School this last comment was intended to be.)
|
| To recap... serving a .gitignore in your public web-space doesn't mean you're a dolt. It also means you're probably taking less care than you could. But maybe we don't need to take such care on a static web-site. But it does make me wistful for the days when competence was more obviously exhibited.
|
| Elon Musk is considered a jerk because of his behaviour, not because someone in one of his companies left tesla.com/.gitignore in the public web-space. Tesla is not god's gift to American industry. It _is_ a bit of a goose up the backside of entrenched incumbents, and for that I will always have a soft spot for it. Except for the bits where they seem to be a lightning rod for controversy which always seem to be unforced errors.
|
| Good Day To You, Sir!
retrocryptid wrote:
| John Steven has a quote I quite like: "QA is making sure your software does what it's supposed to. Security is making sure your software _only_ does what it's supposed to."
|
| I think this is the lens the OP wanted readers to view this post through.
[deleted]
formerly_proven wrote:
jstx1 wrote:
| Maybe the other way around - his ignore file has "Tesla" in it?
jamesy0ung wrote:
| Getting a 403 Forbidden error.
jongjong wrote:
outside1234 wrote:
| "Hardcore Engineering"
x86x87 wrote:
| all the engineers that have not modified at least 50 lines in the .gitignore file in the last 60 days have been not terminated
rsynnott wrote:
| I mean, in fairness, if you're not getting enough rest (which seems to be what "hardcore engineering" means) then maybe you're more likely to screw up the nginx config.
anonym29 wrote:
| If you think .gitignore leaks too much info, you're going to love https://www.tesla.com/robots.txt
AtNightWeCode wrote:
| Wow, top score for uniqueness, in the field of being stupid...
jongjong wrote:
| If that's all the dirt that thousands of vengeful fired Twitter ex-employees could find, then Tesla must have excellent security.
bakugo wrote:
| Yeah this screams complete and utter desperation. Like, I get that hating Elon is what all the cool kids at school are doing this month but do we really need this immature garbage on the front page of HN all day?
extheat wrote:
| Yep, it seems like most of the posters here in this thread don't do much software engineering from the looks of it. Or are being purposely obtuse here. There is no security vulnerability here in any of the links we've seen so far minus some unnecessarily deployed boilerplate. The gitignore file is not the same file your deployment tool uses when publishing a website. If there's an API endpoint that is public opposed to some static asset, that would be a problem. Nothing we've seen here indicates that.
bfgoodrich wrote:
Hamuko wrote:
| Well, I'd personally at least find some hilarity in being a Twitter engineer fired by one of those 10x Tesla engineers while they're publishing their .gitignore files via HTTPS (which probably means that their Nginx configuration is fucked).
[deleted]
jongjong wrote:
| It's barely a vulnerability. Many open source projects have theirs public. It might be a problem if the company's system was terrible and relied on security through obscurity; but maybe they don't care. The engineers who think it's a big deal may have tunnel vision. That can happen if you spend years in a very narrow area.
sofixa wrote:
| It's standard practice not to serve any hidden files (starting with .) over HTTP. The fact that .gitignore is served can indicate they don't block .paths, so lots of other things could slip through (.aws for instance).
naniwaduni wrote:
| Is that a standard now? Who's going to tell the guys using .well-known?
sofixa wrote:
| It has always been standard, it was the #1 thing to do when setting up Apache back when Apache was the standard and nginx was still this obscure Russian porn web server.
|
| .well-known is much more recent and an exception. Can you think of any other .file or .folder which is wise to be exposed publicly?
prepend wrote:
| This is not an issue and just means that their wwwroot probably comes from a repo. Anyone who judges an engineer who made this decision poorly is silly.
|
| I'd say it's closer to good thing than bad thing due to simplicity.
soneil wrote:
| The start/stop at the bottom makes that look like it's come canned with a CMS and they've just tacked on what they needed to. It's 90% boilerplate.
Neil44 wrote:
| And the bumph at the top - crawlers run by Yahoo! and Google - lol
judge2020 wrote:
| It's the default drupal robots.txt it seems.
| https://api.drupal.org/api/drupal/robots.txt/5.x
| chx wrote: | It's hardly a secret tesla.com is Drupal -- both that gitignore and the robots.txt shout it quite loudly, to be fair. One of the larger Drupal agencies, Lullabot includes them in their clients list: https://www.lullabot.com/our-work and they are looking for a sr backend Drupal engineer https://www.tesla.com/careers/search/job/sr-software-enginee... which I would take if the company were not led by Musk.
| ughitsaaron wrote: | More to that point, see https://www.tesla.com/MAINTAINERS.txt
| ughitsaaron wrote: | You can compare it to the current version of the same file in the most recent Drupal release https://github.com/drupal/drupal/blob/9.5.x/core/MAINTAINERS...
| stefan_ wrote: | Is this a normal Drupal practice? You just deploy the Git repo?
| extheat wrote: | Do you deploy confidential information into the repo? That would be the root problem.
| mynameisvlad wrote: | Things don't have to be confidential to be an issue. Leaking the actual maintainers' names (as opposed to the Drupal list), for instance, would not necessarily be considered confidential, but still an issue if it showed up.
| chrismeller wrote: | I think, generally speaking, it's a PHP standard practice and more broadly a scripting language practice, though it doesn't really apply to Node. | | No pre-compiling is required, so you just ship the files. Especially true for anything that offers an Apache module (like mod_php).
| remram wrote: | Ship the files sure, ship the top-level folder not really. Most sites will have a "public" subfolder or equivalent, so the READMEs, scripts, sources etc don't get served. Either way, a professional would remove those files or block them at the HTTP server level.
| chrismeller wrote: | Ehhh, I don't know if I agree that most will have anything.
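The "don't serve dotfiles, except .well-known" rule that sofixa and naniwaduni argue about above, written out as an added example (not code from the thread, from Tesla or from Drupal). It is a small WSGI middleware so the rule can be exercised offline; the sample request paths are constructed, and the policy choices (404 rather than 403, percent-decoding twice, only the top-level /.well-known/ exempt) are this example's assumptions. In production the same rule belongs in the nginx or Apache config in front of PHP, where the usual nginx form is a regex location such as `location ~ /\.(?!well-known) { return 404; }`.

```python
"""Refuse hidden (dotfile) request paths at the edge, with /.well-known/ as the one exception.

Added example, not Tesla's or Drupal's code. Paths below are constructed.
"""
import posixpath
from urllib.parse import unquote

ALLOWED_HIDDEN_PREFIX = "/.well-known/"   # assumption: only this dot-directory is public


def normalize_path(raw_path: str) -> str:
    """Decode and collapse a request path so encoding tricks cannot bypass the rule.

    Percent-decoding is applied twice to catch double-encoded dots (%252e),
    then the path is normalized (/a/../.git -> /.git, // -> /).
    """
    decoded = unquote(unquote(raw_path))
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    normalized = posixpath.normpath(decoded)
    # normpath drops a trailing slash; keep it so directory requests stay distinct
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def is_hidden_path(raw_path: str) -> bool:
    """True when any path segment starts with '.', unless the path is under /.well-known/.

    A bare /.well-known (no trailing slash) is still refused: nothing should be
    listing that directory, only serving files inside it.
    """
    path = normalize_path(raw_path)
    if path.startswith(ALLOWED_HIDDEN_PREFIX):
        # the exception covers the top-level directory only; a dotfile nested
        # below it (/.well-known/.secret) is still hidden
        rest = path[len(ALLOWED_HIDDEN_PREFIX):]
        return any(seg.startswith(".") for seg in rest.split("/") if seg)
    return any(seg.startswith(".") for seg in path.split("/") if seg)


def deny_hidden_files(app):
    """WSGI middleware: answer 404 for hidden paths, pass everything else through."""
    def wrapped(environ, start_response):
        if is_hidden_path(environ.get("PATH_INFO", "/")):
            # 404 rather than 403 so the response does not confirm the file exists
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found\n"]
        return app(environ, start_response)
    return wrapped


def classify(paths):
    """Map each request path to 'deny' or 'allow' under the policy."""
    return {p: ("deny" if is_hidden_path(p) else "allow") for p in paths}


# constructed probe paths, the kind the thread speculates an attacker would try
SAMPLE_PATHS = [
    "/.gitignore",
    "/.git/config",
    "/sites/default/.htaccess",
    "/.aws/credentials",
    "/.well-known/security.txt",
    "/.well-known/acme-challenge/abc123",
    "/.well-known/../.git/HEAD",   # traversal back out of the exception
    "/%2e%2e/.env",                # percent-encoded dots
    "/%252egit/config",            # double-encoded
    "/robots.txt",
    "/MAINTAINERS.txt",
]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_PATHS).items():
        print(f"{verdict:5} {path}")
```

The normalization step is the part most one-line server rules miss: a regex on the raw URI that anchors on `/\.` is bypassed by `/%2e` or by traversing out of `/.well-known/`, so match after decoding and collapsing the path, as the server's own location matching does.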
| capableweb wrote: | Not to mention a lot of the subsequent requests when loading https://www.tesla.com/ contain the HTTP header+value "x-generator: Drupal 9 (https://www.drupal.org)" | | So yeah, not exactly a secret.
| andirk wrote: | And for the layman: https://builtwith.com/tesla.com . | | Haven't seen Drupal in the wild for years. Good on them!
| [deleted]
| capableweb wrote: | Probably you have, lots of websites still using Drupal, heavily customised of course. Search for "websites made with Drupal" and have your jaw dropped, as probably a website or two you visited recently will show up :)
| marginalia_nu wrote: | Did an inventory based on my crawler data a while back. | | Relatively common to find sensitive or embarrassing links singled out in robots.txt | | Especially in old large organizations, like universities.
| m00x wrote: | Really doesn't leak much, and robots.txt is supposed to be accessible from the internet.
| anonym29 wrote: | Yes, it's meant to be public, but you need not disclose all of what is contained inside of it. I've been on many pentests where paths provided by robots.txt, that I wouldn't have obtained any other way, led to exploitable vulnerabilities. | | For some reason, a considerable number of people don't seem to think twice about adding sensitive paths to robots.
| teknopaul wrote: | Not the case here though, is it?
| anonym29 wrote: | Well, we don't really know. Maybe there's some easy-to-guess text file in /misc/ that contains a password for something. We don't know what we don't know. We do know that there's considerably more information exposed here than zero - the question is whether any of that information could lead to sensitive information, not whether or not it constitutes sensitive information by itself.
| belltaco wrote: | How does someone on pentests not know it's the default robots.txt that comes with Drupal and hence does not leak anything except that it's Drupal?
| anonym29 wrote: | Comparing it to Drupal's default robots.txt
| slim wrote: | that's defense in depth, right? /s | | also sometimes what's in robots.txt becomes invisible to the corporation as well and obviously bugs creep in
| cuteboy19 wrote: | I would rather that the paths be secure themselves. Security by obscurity is not a good idea. Anyways there are not that many combinations of paths even when you consider all the different cms defaults
| anonym29 wrote: | You're correct that the resources themselves should be secured and that security through obscurity is a bad practice (and an oxymoron, as obscurity doesn't actually provide security). | | That said, avoiding security through obscurity doesn't preclude you from giving away less information than is being given away here, nor does it make the act of removing that information entirely pointless. While this isn't the only way that the Drupal version can be identified, it is one, and there's no guarantee your adversary will find it via other avenues. Also keep in mind that with absolutely nothing changing on Tesla's end, this may go from secure to vulnerable, should, for instance, a remotely exploitable vulnerability in the running version of Drupal be discovered and published in the future.
| [deleted]
| AtNightWeCode wrote: | LOL, why, just wow.
| threatripper wrote: | This looks like a default file from a Drupal installation: https://api.drupal.org/api/drupal/robots.txt/7.x
| slaymaker1907 wrote: | Apparently Tesla is FOSS, see https://www.Tesla.com.
| Ptchd wrote: | Where can I get the FSD (Fake Self Driving) source code?
| anonym29 wrote: | edited to hide my horrific lack of HN text formatting skills
| abdusco wrote: | you forgot to from autopilot import *
| [deleted]
| ChrisClark wrote: | What makes it fake? Just today my car drove me from my house to the grocery store with no intervention.
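The check belltaco and anonym29 describe above, comparing a site's robots.txt against the CMS default so that only the locally added entries are left to review, as an added example that is not part of the thread and not Drupal's code. Both robots.txt bodies are constructed here (the "default" only mimics the shape of a stock CMS file, it is not the real Drupal one), and the list of "boring" prefixes treated as CMS plumbing is this example's assumption. The same diff-against-upstream idea is what ughitsaaron applies by hand to MAINTAINERS.txt.

```python
"""Find the entries in a site's robots.txt that are not in the CMS default.

Added example, not from the thread or from Drupal. Both files below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class RobotsRules:
    disallow: set = field(default_factory=set)
    allow: set = field(default_factory=set)
    sitemaps: set = field(default_factory=set)


def parse_robots(text: str) -> RobotsRules:
    """Collect Disallow/Allow/Sitemap values; comments and blank lines are ignored.

    User-agent grouping is deliberately flattened: for an exposure review we
    care about every path the file names, whichever crawler it targets.
    """
    rules = RobotsRules()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "disallow" and value:
            rules.disallow.add(value)
        elif key == "allow" and value:
            rules.allow.add(value)
        elif key == "sitemap":
            rules.sitemaps.add(value)
    return rules


def custom_entries(site_text: str, default_text: str) -> RobotsRules:
    """Return the rules present in the site's file but absent from the CMS default."""
    site, default = parse_robots(site_text), parse_robots(default_text)
    return RobotsRules(
        disallow=site.disallow - default.disallow,
        allow=site.allow - default.allow,
        sitemaps=site.sitemaps - default.sitemaps,
    )


# assumption: custom entries under these prefixes are CMS plumbing, not app paths
BORING_PREFIXES = ("/core/", "/profiles/", "/modules/", "/themes/")


def interesting_paths(rules: RobotsRules) -> list:
    """Custom Disallow paths that are not obvious CMS plumbing, sorted for review."""
    return sorted(p for p in rules.disallow if not p.startswith(BORING_PREFIXES))


# Constructed stand-in for a stock CMS robots.txt (shape only, not the real Drupal file).
DEFAULT_ROBOTS = """\
# robots.txt for a stock CMS install (constructed)
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /core/
Disallow: /profiles/
# Files
Disallow: /README.txt
Disallow: /web.config
# Paths (clean URLs)
Disallow: /admin/
Disallow: /user/login/
"""

# Constructed site copy: the default plus lines someone tacked on locally.
SITE_ROBOTS = DEFAULT_ROBOTS + """\
# --- local additions ---
Disallow: /misc/exports/
Disallow: /internal-preview/
Disallow: /themes/
Allow: /admin/health
Sitemap: https://www.example.com/sitemap.xml
"""

if __name__ == "__main__":
    delta = custom_entries(SITE_ROBOTS, DEFAULT_ROBOTS)
    print("custom Disallow:", sorted(delta.disallow))
    print("worth a look   :", interesting_paths(delta))
```

Run against a real site, fetch the default from the matching CMS version (the thread links the 5.x and 7.x Drupal files) and feed both texts to `custom_entries`; an empty result is the "it's just the stock file" verdict belltaco gives, and anything left over is the list worth probing or, from the defender's side, worth moving behind authentication rather than a crawler hint.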
| mynameisvlad wrote: | Cool, meanwhile my car feels like it's an unstable toddler whenever FSD has to turn. It feels like if I don't intervene, I'll crash. | | It's _far_ from "full" self driving.
| Ptchd wrote: | Is that a route that you do often and it happened to have no unpredictable events today?
| 1attice wrote: | A leaked .gitignore means the company needs to be taken over, 75% of its workers fired, and its debt tripled. | | I want everyone to work extremely hardcore on a breakthrough Tesla 2.0
| jerkstate wrote: | if only someone would offer to take it private for 3x its value!
| sylware wrote: | you forgot 1 figure: 30x
| eastbound wrote: | I wonder whether he's just taking revenge upon the employees for mocking him buying it for 3x its revenue. "SEC wants me to buy it whole because I have 9%? Employees and board are happy to force my hand? Ok." | | Being suicidal and ready to lose everything to make a point, is probably another facet of the same character trait.
| ignoramous wrote: | Time for a TeslaDAO. The cryptonomics are in the favour of us plebs, and I reckon we'd meme up a100z billions in no time.
| [deleted]
| edgyquant wrote: | This is not Reddit, please don't treat it as such
| DoctorOW wrote: | I think it's okay to criticize a company on Hacker News even if the leadership is particularly popular here.
| rvnx wrote: | [deleted]
| nr2x wrote: | yes, but *which* verification? original flavor? scammer's friend? or simp badge?
| rvnx wrote: | 80 USD / month to verify that you have a bank card with active money. | | 2500 USD / month to verify your organisation's existence. | | Verified users can be added to an organisation and get a special organisation-badge. | | Also, everybody should have the right to pay: | | Communists and anti-capitalists are going to be unbanned from Hacker News. | | Vox Populi, Vox Dei.
| nr2x wrote: | Use the full quote.
| | Nec audiendi qui solent dicere, Vox populi, vox Dei, quum tumultuositas vulgi semper insaniae proxima sit. | | And those people should not be listened to who keep saying the voice of the people is the voice of God, since the riotousness of the crowd is always very close to madness.
| Zigurd wrote: | We seem to have bottomed-out reply depth, but, to answer if there are other examples, the commonly misquoted "the proof is in the pudding" is the opposite of the correct one: "The proof _of_ the pudding is _in the eating._"
| nr2x wrote: | My favorite "a few bad apples" is not a problem, which leaves out the second half: "ruin the bunch". | | Especially when applied to police - the fact that the "boys in blue" turn a blind eye to the bad apples is what ruins the bunch. It's unintentionally accurate.
| ben_w wrote: | Huh. Is there a name for when a widely quoted sentence fragment is used for the rhetorical opposite of the full original sentence? I feel like I've seen this happen before, but I can't place where. | | (Also, my favourite Latin to quote at anyone who quotes Latin: quin tu istanc orationem hinc veterem atque antiquam amoves?)
| rsynnott wrote: | I'm almost certain that TVTropes has a trope for the more general case of quote use without considering the context, but I can't find it now. | | My favourite is "neither a lender nor a borrower be", which gets trotted out as sage advice. It's a quote from Polonius in Hamlet, who is depicted as being an idiot.
| denton-scratch wrote: | That full quote seems remarkably apposite, in the Twitter context. The fragment Musk quoted seems to mean the opposite, taken in isolation.
| nr2x wrote: | It's almost as if he's a world-class grifter who continually lies and whose entire net worth is predicated on keeping up an illusion of his own competence. The dude doesn't even have a physics degree, it's pure bullshit.
| pvg wrote: | Criticizing is fine, musty tropes less so.
| 1attice wrote: | *musky, but ok
| fortyseven wrote: | Relax, Francis.
| preommr wrote: | Agreed, what would HN be without its pretension at being above plebs and their "humour".
| kulahan wrote: | I come here to get away from the Reddit crowd. The last thing I want to see is for this site to turn into... _that_ dumpster fire. It's not about being above anyone, it's about setting a tone for a community.
| nr2x wrote: | not edgy enough for you?
| fnordpiglet wrote: | It's ok. Elon code reviewed it.
| kobalsky wrote: | this isn't reddit
___________________________________________________________________
(page generated 2022-11-25 23:00 UTC)