WingNews logo WingNews
top | item 38944146

Resend Security Incident

33 points| jaz | 2 years ago |resend.com

10 comments

order

scottydelta|2 years ago

As an early user of resend, found it to be easy to use than all the other providers but now I have lost confidence in resend(our clients' emails being hacked is a deal breaker) and will be deactivating multiple paid resend accounts and move to other big players. The root cause of this incident is so noobish. It's hard to believe that bad actors were even able to access the production dB directly even if the credentials were leaked. Production dB should never be accessible to anyone other than the app accessing it.

goenning|2 years ago

They probably use serverless database where VPC is an enterprise feature

sikan_|2 years ago

Database credentials in the dashboard..? How?

laborcontract|2 years ago

Like my sibling said, probably as a next_public environmental variable.

They probably were doing fetch requests for the dashboard client side. I wonder if they had the entire db url stored as a next_public_db_url. If that’s really irresponsible, and pretty easy to catch in development, at least for the pages router stuff. Maybe a little less so obvious for ssr pages.

I haven’t tried a lot of the new app_router, maybe there’s a lot more mixing of client and server side stuff there. Regardless, you should be auditing your environmental variables!

dimfeld|2 years ago

I have no inside info, but it sounds like the key was inadvertently bundled into the client-side code. This could happen when using web frameworks that do both client-side and server-side rendering, if one of your client-side files imports something from a file that is supposed to be server-only, and contains the API key environment variable.

Some frameworks automatically detect this and fail to build if you do it, but apparently not all of them.

josevalerio|2 years ago

Probably all the new NextJS / Server Components stuff - mixing and matching server & client code in the same file. Or the classic NEXT_PUBLIC_ env var

sgarman|2 years ago

They say so much in their article but never dive into how this happened, seems like the most important part? User error? Configuration error?

sikan_|2 years ago

RSC seems like a massive foot gun - given that you can accidentally bundle anything from the server.

h1fra|2 years ago

Maybe it was a Supabase or Firebase credentials ?