Researcher discovers vulnerability on a16z website that exposed some of the firm's data

In late June, a security researcher found a vulnerability in a web application used by a16z, one of Silicon Valley's most powerful and influential venture capital firms, which exposed some details about the firm's portfolio companies. The bug has since been fixed.

On June 30, a security researcher known as xyzeva wrote on X that she was looking for someone from a16z to contact, hinting that she had found a security issue.

"Contact me now. This is bad. It's a security issue," she wrote.

When contacted by TechCrunch, xyzeva said she found a "really simple bug" that "basically gave access to everything" on the a16z portfolio portal. Specifically, she said she found public API keys on the portfolio.a16z.com website. xyzeva said the data she was able to see included email addresses, passwords, and "company and employee data." Additionally, she added, she was able to send emails as a16z and access previously sent emails from the company account using Mailgun, an email delivery service.
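The failure described above is a credential (an API key for a third-party service) shipped inside a public web application, where anyone who loads the page can read it. The usual defensive control is a secret scan of the built front-end assets before they are deployed. The following is an added example, not code from TechCrunch, a16z or Mailgun: it scans a constructed JavaScript bundle for string assignments that look like credentials, using two heuristics (a shape check for a legacy Mailgun-style key, whose `key-` plus 32 hex characters format is an assumption made here for illustration, and a Shannon-entropy check on values assigned to credential-named variables) and reports each hit with the value masked so the report itself does not re-leak the secret.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample of a front-end bundle as a build might ship it. All values
# are made up. The "key-" + 32 hex shape is an assumption about what a legacy
# Mailgun-style key looks like and is used only to illustrate the check.
SAMPLE_BUNDLE = """\
const API_BASE = "https://api.example.invalid/v1";
const MAILGUN_KEY = "key-0123456789abcdef0123456789abcdef";
const portfolioApiKey = "pk_live_9fQ2vXj7LmN4sT1wZ8yB3cD6eH0kR5u";
const theme = "dark";
const publicMapToken = "public-map-tiles";
"""

# Variable names that suggest a credential (case-insensitive).
SUSPICIOUS_NAME = re.compile(r"(api[_-]?key|secret|token|password|passwd)", re.I)
# A string literal assigned with const/let/var: NAME = "..."
ASSIGNMENT = re.compile(r"""(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*["']([^"']+)["']""")
# Assumed legacy Mailgun key shape: "key-" followed by 32 hex characters.
MAILGUN_LIKE = re.compile(r"^key-[0-9a-f]{32}$")


@dataclass
class Finding:
    line: int
    name: str
    reason: str
    masked: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(value: str) -> str:
    """Keep only the first four characters so the report never re-leaks the secret."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)


def scan_bundle(text: str, entropy_threshold: float = 3.5, min_len: int = 20) -> list[Finding]:
    """Return one Finding per string assignment that looks like an embedded credential."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if MAILGUN_LIKE.match(value):
            findings.append(Finding(lineno, name, "mailgun-like key", mask(value)))
        elif (
            SUSPICIOUS_NAME.search(name)
            and len(value) >= min_len
            and shannon_entropy(value) >= entropy_threshold
        ):
            findings.append(
                Finding(lineno, name, "high-entropy value in credential-named variable", mask(value))
            )
    return findings


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {f.line}: {f.name} = {f.masked} ({f.reason})")
```

Run against the sample, the scanner flags `MAILGUN_KEY` and `portfolioApiKey` and ignores the short, low-entropy `publicMapToken` and the non-credential strings. In a real pipeline the same function would be run over every built asset as a deploy gate; the entropy threshold and minimum length are tuning knobs that trade false positives against missed keys.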

In a statement to TechCrunch, Brian Greene, chief information security officer at a16z, confirmed that the company had fixed the bug the same day xyzeva wrote the post and contacted the company, but said the issue did not affect any sensitive data.

"On June 30, a16z fixed a misconfiguration in a web application that is used for a specific use case of updating publicly available information on our website, such as company logos and social media profiles. The issue was resolved quickly and no sensitive data was compromised," Greene said. "We remain committed to collaborating with the security community on ethical disclosures and will continue to do so in responsible ways."

In a textual content change seen by TechCrunch during which xyzeva requested a few bug bounty program — a means for safety researchers to earn a reward for his or her findings — an organization worker advised her the agency didn’t provide one. “Nevertheless, after we full the evaluation, I might be pleased to attempt to set one thing up particularly for you in that case,” the worker mentioned.

Nevertheless, a couple of days later, the worker advised xyzeva that “sadly there are a couple of obstacles,” in response to one other electronic mail seen by TechCrunch.

“First, there’s the strategy of disclosure. Publicly saying that there was a critical difficulty meant that potential attackers would seemingly scan our websites for the problem, which unnecessarily elevated the danger to us and went past the norm of vulnerability disclosure,” the worker mentioned. “Second, the follow-up submit, which incorrectly described ‘full entry to nearly the whole lot’ and promised to put in writing a report, didn’t sign the very best intentions for the staff. If any of this was misunderstood, please let me know.”

Security researchers usually release their findings once a vulnerability or issue has been fixed and no longer poses a risk.

At the time of writing, the portal where xyzeva found the problem is unavailable. "This app is outdated," read a message online.

Over the years, a16z has invested in several well-known companies such as Airbnb, Coinbase, Instacart, Lyft, and Slack, among many others. The firm's founders, Marc Andreessen and Ben Horowitz, recently announced that they support Donald Trump in the upcoming presidential election.
