Investigator Discovers Vulnerability on a16z Website Revealing Certain Corporate Information

by admin

In late June, a notable incident was uncovered by a security expert involving a web application utilized by a16z, a prominent Silicon Valley venture capital entity. This flaw revealed certain details about the enterprises a16z has funded. The issue has been addressed.

On the last day of June, a security researcher known online as xyzeva posted on X that she wanted to get in contact with someone at a16z, suggesting she had stumbled upon a security flaw.

“Reach out immediately. It’s serious. And security-related,” she advised.

In a conversation with TechCrunch, xyzeva described the discovery as a “very straightforward bug” that essentially provided “access to everything” within a16z’s portfolio web platform. More precisely, she found that API keys were openly accessible on portfolio.a16z.com. According to xyzeva, the exposed data she encountered included email addresses, passwords, and “details about companies and their staff.” She also said the keys allowed her to impersonate a16z by sending emails, and to read previous correspondence, through Mailgun, an email delivery service.

Bryan Green, a16z’s Chief Information Security Officer, confirmed to TechCrunch that the flaw was fixed on the same day xyzeva reached out about it, but said that the flaw did not involve any sensitive information.

“a16z promptly remedied a misconfiguration in one of our web applications, specifically used for editing publicly visible information on our site, such as company insignias and social media details, on June 30th. The problem was swiftly resolved without any compromise of delicate data,” Green remarked. “We are dedicated to engaging with the security community through ethical disclosure and will persist in this endeavor via responsible practices.”

TechCrunch was privy to a text exchange where xyzeva inquired about a bug bounty program—a reward mechanism for security discoveries. An a16z staffer informed her that such a program wasn’t available, but they were willing to consider arranging something unique for her case once the analysis was concluded.

Later, however, the a16z representative told xyzeva that there were obstacles to doing so, as seen in another text conversation reported by TechCrunch.

“Initially, the method of disclosure posed a problem. Announcing a severe issue publicly before it was addressed exposed us to potential attackers, amplifying our risk unnecessarily and deviating from standard vulnerability disclosure practices,” the employee explained. “Secondly, the subsequent announcement claiming ‘full access to virtually everything,’ along with a promise for a detailed report, didn’t convey the best intentions to our team. If there’s any misunderstanding on this, please correct me.”

It is common practice among security researchers to reveal their findings only once the vulnerability has been fixed and poses no further risk.

As of the latest information, the web portal where xyzeva discovered the flaw is offline, displaying a notice that states, “This application is being deprecated.”

Throughout its history, a16z has invested in several prominent companies, including Airbnb, Coinbase, Instacart, Lyft, and Slack. Recently, the firm’s founders Marc Andreessen and Ben Horowitz publicly endorsed Donald Trump in the upcoming presidential election.

Compiled by Techarena.au.