HN Reader

How is a company like mintlify getting so many big name customers for what appears to be a static site generator + hosting? Is there some secret sauce I'm missing, what is the value proposition?

Related:

We pwned X, Vercel, Cursor, and Discord through a supply-chain attack

https://news.ycombinator.com/item?id=46317098

wow it felt like they were playing around lol

> alongside, we can poison the nextjs cache for everyone for any site,

What??

Wow this is interesting, however, the reward seems way too less to me.

$5k is such a small payout for this sort of finding.

This feels so emblematic of our current era. VC funded vibe coded AI documentation startup somehow gets big name customers who don't properly vet the security of the platform, ship a massive vulnerability that could pwn millions of users and the person who reports the vulnerability gets...$5k.

If I recall last week Mintlify wrote a blog post showcasing their impressive(ly complicated) caching architecture. Pretending like they were doing real engineering, when it turns out nobody there seems to know what they're doing, but they've managed to convince some big names to use them.

Man, it's like everything I hate about modern tech. Good job Eva for finding this one. Starting to think that every AI startup or company that is heavily using gen-ai for coding is probably extremely vulnerable to the simplest of attacks. Might be a way to make some extra spending money lol.

See also https://news.ycombinator.com/item?id=46317098

isn't this actually XSRF and worse than XSS?

Also, if users can run arbitrary JS on someone else's server then what stops them from doing CPU-bound work such as crypto miners?