undefined | Better HN

0 pointsforgotusername63y ago0 comments

I imagine looking for vulnerable areas of the code might be something people would be interested in doing. Maybe start with login or billing or something. You could also look at recent activity to spot new, unannounced projects. You could use blame to find who wrote what and target them for anything from job offers to social engineering attacks.

0 comments

3 comments · 2 top-level

ameliaquining3y ago· 1 in thread

Most of that information is readily available on the corporate intranet without having to dig through source code.

Security-by-obscurity isn't something to rely on (again, except in the case of things like abuse detection where there's no alternative).

forgotusername6OP3y ago

You aren't necessarily looking for things that would be defined as security by obscurity. You're looking for bugs with a security implication. With the source code, you can look for these bugs without arousing suspicion.

saagarjha3y ago

People can find vulnerabilities without the code too.

j / k navigate · click thread line to collapse