
Probably not a good idea to keep your profiler open to the world as long as you allow reading from arbitrary files. After a bit of fiddling around I was able to read your secret key from the settings file. It starts with 'es!b3'. And your SoundCloud password. Sorry.


Nice... I did make an attempt to filter out sensitive stuff but clearly did a bad job. Thanks for letting me know. I will eventually introduce a demo app rather than my own site.


I've sent you an email with the precise steps to reproduce it.



