azzouzana · 3w ago

⚠️ Guys let's centralize this Apify source code leak discussions in a single thread please 🙏
6 Replies
azzouzana (OP) · 3w ago
@AmmarSalmiDz @xMiso @aciku
sensitive-blue · 3w ago
Source code is the users' most valuable data on the platform. You would think they would take extra measures to make sure no one is getting any without proper authentication. But blackhats can find vulns in almost everything.
ellativity · 3w ago
Hey @azzouzana @AmmarSalmiDz @xMiso @aciku I wanted to jump in here with you all. We identified potential vulnerabilities before we saw any evidence of them being exploited. One of our values is to be transparent, which is why we sent the notification to relevant developers, but we still don't have any reason to believe that any Actors have been exploited. If you believe otherwise then please reach out to me by DM. If you want to know which specific Actors of yours were affected then DM me and I'll get that info for you 🫶
azzouzana (OP) · 3w ago
I did a manual check of mine: 10 of my public actors have an old version of their source code hosted on Apify. (This is assuming that this vulnerability exposes the source code tab content or something like that.) Two of them are very sophisticated actors. But what's concerning is that I've got an external API key in there 🤦‍♂️ (which I use in 50+ other places, on and off Apify, so it's not easy to update; partially my fault, these go back to the days when I was still exploring the platform). Thanks @Ella, I'll try to set up some threshold on the API key usage until I rotate it. Could you please confirm that you log access to that private endpoint and that there was no surge in traffic?
sensitive-blue · 3w ago
From this day forward, all my private Apify code will live… on GitHub. If someone's gonna leak it, it might as well be me. Coming from a bug bounty background, the temptation to test the platform was real.. Fun fact: I stumbled onto Apify while looking for a free server to schedule scans, poked around a certain endpoint… and somehow ended up writing Actors instead. Life's weird like that.
ellativity · 3w ago
@azzouzana Can confirm that this endpoint has seen nothing but normal traffic (which is not high as it is).