Hacking YC (again)

I like seeing how things work. Digitally, that often means keeping the network tab open to watch how websites talk to servers. Sometimes, I find mistakes.
Last month, while browsing Y Combinator’s software, I noticed my browser was loading data it shouldn’t have. An API call exposed an investor-only feed with confidential information about YC startups. I checked and confirmed that others had access to it as well.
I reported the issue to the YC security team, who quickly fixed the authorization bug.
This was the third vulnerability I’ve found in YC’s software. The previous two are listed on their security page, though the new one isn’t credited there[1]. But, for the first time, they sent me a bounty: $500.
None of the three issues I reported were technically advanced. They only required curiosity and noticing when something looked out of place. This also highlights the importance (and difficulty) of building robust authorization logic into applications.
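As an added illustration (not YC's code, and not the actual bug, whose details aren't public), this is the shape such an authorization mistake usually takes: a handler that confirms the caller is logged in but never checks that the caller is an investor, shown beside a deny-by-default version. The user/role model, the feed contents and the status codes are assumptions.

```python
"""Investor-only feed handlers: an authentication-only check beside a
proper authorization check. Everything here is constructed sample code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed sample data: the confidential feed and three sample principals.
INVESTOR_FEED = [{"startup": "Example Co", "note": "confidential investor update"}]
ANONYMOUS = None
FOUNDER = User("founder-1", frozenset({"founder"}))
INVESTOR = User("investor-1", frozenset({"investor"}))


def feed_vulnerable(user):
    """Bug pattern: only asks "is someone logged in?". Any authenticated
    account, such as a founder, receives the investor-only feed."""
    if user is None:
        return 401, None
    return 200, INVESTOR_FEED


def is_authorized(user, required_role):
    """Deny by default: no user, no roles, or the wrong role all fail."""
    return user is not None and required_role in user.roles


def feed_fixed(user):
    """Hardened handler: authentication and authorization are separate
    checks, and a 403 carries none of the feed content."""
    if user is None:
        return 401, None
    if not is_authorized(user, "investor"):
        return 403, None
    return 200, INVESTOR_FEED


def audit(handler):
    """Map each sample principal to the status a handler returns; a quick
    regression check that the feed really stays investor-only."""
    samples = (("anonymous", ANONYMOUS), ("founder", FOUNDER), ("investor", INVESTOR))
    return {label: handler(user)[0] for label, user in samples}
```

Running `audit` over both handlers makes the difference visible: the vulnerable one serves the founder a 200, the fixed one a 403.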
[1] I asked YC about credit on the security page, and they didn't respond. It's possible they no longer give public credit.