This wasn't even a prompt-injection or context-poisoning attack. The vulnerable infrastructure itself exposed everything to hack into the valuable parts of the company:
Public JS asset
→ Discover backend URL
→ Unauthenticated GET request triggers debug error page
→ Environment variables expose admin credentials
→ Access admin panel
→ See live OAuth tokens
→ Query Microsoft Graph
→ Access millions of user profiles
Hasty AI deployments amplify a familiar pattern: Speed pressure from management keeps the focus on the AI model's capabilities, leaving surrounding infrastructure as an afterthought — and security thinking concentrated where attention is, rather than where exposure is.
I haven't been here that long, but if it's not feasible to automatically detect the slopper-sites, maybe a rule could be introduced that people can report on?
This way the mod has an easier time identifying the things that are unwanted by the community.
I love Grafana, but it's a resource hog, and my machine isn't powerful.
Prometheus/node_exporter however is as lightweight as it can get.
So I made a little Python script that fetches the data from Prometheus and uses matplotlib to generate a graph.
The dashboard calls that Python script for every configured graph and embeds the image so it looks nice.
You can find the script in one of my other repos (Prometheus-renderer probably), but there are a dozen similar ones: search GitHub for Prometheus renderer and you'll see.
If there are other things unclear, please don't hesitate to ask.
--no-tooltips param: Don't include check output for hover tooltips
--no-timestamp param: Omit the "Generated at" timestamp to hide system clock and monitoring cadence.
If you're using these, I feel much better about making the html publicly accessible, but when you set up a config please remember that link-tags can expose your internal topology and the tile/slot name might do the same! Don't go naming your tiles something like "Database Primary", "Payment Service Worker", or "Internal Auth API"!
Well, Ilias can certainly fill this niche. With a caveat:
Currently all output from checks is accessible as tooltips (so it's in the HTML source), but for use cases such as yours it might be helpful to have the ability to suppress that kind of information leakage.
I think I'll implement that in the coming days ...
Yes, I'm aware of that, but I always found it weird to have a live service for something that hardly ever changes. And then I had the idea of this whole "fully self contained html", and now I can't imagine it another way 😆
That's just opinions though, and if Homepage strikes your fancy go for it - it's an awesome project.
Please don't immediately start public facing however - I literally just bashed the thing together in an afternoon, so who knows what kind of exploitable information leaks it might bring!
I'm personally using it from within a tailnet, so not public facing.
Edit: I have since added:
--no-tooltips param: Don't include check output for hover tooltips
--no-timestamp param: Omit the "Generated at" timestamp to hide system clock and monitoring cadence.
If you're using these, I feel much better about making the html publicly accessible, but when you set up a config please remember that link-tags can expose your internal topology and the tile/slot name might do the same! Don't go naming your tiles something like "Database Primary", "Payment Service Worker", or "Internal Auth API"!
While I'm more of a KDE person myself, it's always nice to see a popular FLOSS desktop going strong - kudos to the GNOME team!
Here's a written version in case you don't feel like watching a video: https://release.gnome.org//50/