This is going to be kind of an embarrassing video today. I super got hacked this weekend and it's pretty embarrassing. It's really upsetting because I, you know, try to take security really seriously. If you've watched my other videos, I've gone into depth about how I try really, really hard to take security seriously and try to do smart things, as smart as you can, but I [ ] up and I got hacked. This was a pretty nasty one that got a lot of people. Let's dig into it. So, first, my random story for today. This will be a quick one and it ties directly into what I'm going to talk about.

There was the really nasty bug in Next.js. So Next.js is a framework that Vercel builds. Vercel is a hosting platform, if you're not familiar; they build Next.js and make it really, really easy to deploy and host it on Vercel. I'm going to be really transparent: I do not like Next.js for a number of technical reasons. I don't really love the framework. I think it's been really bastardized just to fit Vercel's needs. I don't really like Vercel. I think it's kind of a waste of money, to be completely blunt. I prefer to self-host. I want to use as much open-source tooling, self-host, be independent, not have huge cloud bills for the websites and projects I'm building. And interestingly enough, Next and especially Vercel got a lot of [ ] for this bug.

So what is this bug? This was not a Next.js bug. This came from core React. So React is the very popular library that powers the web, has really taken over the web in the last decade, from Meta or Facebook originally, and it is the de facto way people do front-end apps. So much of the industry uses React. I've used React for years. They have moved to a new architecture called server components, where part of the app is rendered on the back end. It ships a very minimal chunk to the front end, so your browser, and then it fetches on the front end and loads in the details, essentially. I'm really oversimplifying. So the problem was with that architecture: it's kind of been a shell security-wise. There's been bugs. There's a lot of lack of knowledge of how things are working internally because there's so many abstractions. With Next.js, that's kind of one of my core complaints: they abstract away so much. It's like a black box. You don't really know what's going on. You just know how to use the tooling.

So, it was actually the React on the server piece. There was a really super serious bug. This is as high of a critical bug as you can get. It's basically a 10 out of 10. Very serious. Why? Because, long story short, with the exploit people made a tool where you make one call to an API endpoint. So you scan the internet, you find a Next.js app, you make one call and you can inject and run code on the server. This is how I got owned. They did that to me. So I learned about this pretty quickly. I quickly patched all of my projects, but I forgot to patch one. I thought one was okay. I was in a hurry. I had a bunch of stuff going on and I didn't patch one Next.js project. A scanner came and put a crypto miner on the server. They didn't completely take over, things were still running, but I woke up to alerts like, why are my websites not working? What's going on? And I started an investigation. I quickly saw that there was something dodgy and that the box was compromised.

Now, thank God I had nothing critical on there. It was my projects, projects I had put out into the world, but I had no users. There were no paying customers. Thank God. The mailing list was not affected. The front end site was on that box, but the data, the actual mailing list, all it does is from the back end, the Next.js, it just calls it and does a post. So it just puts the data somewhere else. So no one's data was affected, but real users could have been affected if I had real users on that box. It would have really sucked. I would have seriously [ ] up and exposed people's data.

So what was affected? My recent websites. This was on there, but there's no user data. I have no login. There's nothing that could be stolen. This just makes, it's the same thing, on the back end it just verifies you're not entering a wrong email. It just does a post to somewhere else. It just posts the email somewhere else. So that wasn't compromised, because it's just sending a blind post somewhere else. There's nothing here. Thank God there's nothing here. But there's API keys. Straight up, this thing right here calls OpenRouter, and that has an API key. So they probably got my API keys, like chat OpenRouter. So I had to go through and recreate API keys for everything. It sucked. So this took me like two days, y'all. My whole weekend was doing this, and this was on the box, unfortunately. And again, there's no real data, thank God. I built these things where you don't have to log in or sign in, so there's no data. Yeah, they had the API keys, they could have seen people's hands. You can see the hands on the public website, so what does it matter? Thank God the raw pictures get deleted, so all you see is these. They could have gotten the info to go see the images of these. I mean, it's on the website. So luckily I built things where there was not data to steal.

So all of these projects I've been working on were all hosted on this box, and projects I put out there that no one used, it just went nowhere. It was a flop. But yeah, one of those old projects is how I got hacked. It's really embarrassing. I'm really upset. You know, I tried to do the right thing and patch it, but I need to step it up if I'm going to be doing this self-hosting thing. So, I just wanted to be transparent about that. It's not a good look to come on here and admit that I got hacked. But I also think it's important because, don't, you know, take the [ ] seriously, but there's a really critical bug. You better drop everything and update your servers. And there I did, but yeah, I [ ] up. One of them I thought was okay. Yeah, I was wrong. There was one endpoint where they got me, the scanner got me. So, my bad.

Anyways, so that has really put me behind. I had to stop everything and work on this for a few days. So, I'm super behind. I meant to get my project out today, project number seven. Number eight is ready to go, but I've been really stuck on some last technical bits that are really [ ] hard. So, that is coming hopefully on Friday. I'm super, super excited. It's working. It's so magical. It's so cool. But this hack wasted and killed my entire weekend, and I literally spent all weekend just getting that box killed, manually moving everything over, manually getting new keys for everything. Really, really sucked. What a pain in the ass. So, like I said, thank God I don't have users, because could you imagine sending an email, sorry guys, your data was stolen. But there was no data to steal. Like really, like I said, pictures of people's hands. I don't even know how to contact those people. There was no sign-in. It's fine. Your pictures are all on the web anyway. So someone could have looked at the raw image. You can just see it on the page. So thank God I didn't have any real user data.

Seriously, I'm going to continue working today, tomorrow, really, really hard, push hard to try to get the next big project out. It's going to be a good one. Really, really cool stuff. I finally have it working in a way that I'm happy with. So stay tuned. But that's all I got for today.
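The failure the video describes is not a missed advisory but a missed project: every app got patched except one. Here is an added example (not from the video) that inventories every Next.js/React project under a directory tree, reading the npm lockfile where one exists so the reported version is what is actually installed rather than the range in package.json, and flags anything below a per-package floor. The package list and the floor versions are assumptions; take the real floors from the advisory for your release line.

```python
"""Inventory Next.js / React packages across self-hosted projects.

Added example, not from the video. Walks a directory tree, finds every
project with a package.json, and reports the resolved version of the
packages involved in the React Server Components bug. The list of watched
packages and the minimum patched versions are assumptions for this example.
"""
import json
import os
import re

# Packages worth checking for this bug (assumed list; adjust to the advisory).
WATCHED = ("next", "react", "react-dom", "react-server-dom-webpack")


def parse_version(v):
    """Turn '15.2.3' or '^15.2.3-canary.1' into a comparable tuple (15, 2, 3).

    Returns None for anything without a numeric x.y.z, e.g. 'latest' or a git
    URL, so the caller can flag it for manual review instead of guessing.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", v)
    return tuple(int(x) for x in m.groups()) if m else None


def resolved_versions(project_dir):
    """Return {package: version} for WATCHED packages in one project.

    Prefers package-lock.json (npm lockfile v2/v3), because package.json only
    records a range such as '^15.0.0' while the lockfile records what was
    actually installed and deployed.
    """
    found = {}
    lock = os.path.join(project_dir, "package-lock.json")
    if os.path.isfile(lock):
        with open(lock) as f:
            packages = json.load(f).get("packages", {})
        for name in WATCHED:
            entry = packages.get("node_modules/" + name)
            if entry and "version" in entry:
                found[name] = entry["version"]
    if not found:
        with open(os.path.join(project_dir, "package.json")) as f:
            data = json.load(f)
        deps = {**data.get("dependencies", {}), **data.get("devDependencies", {})}
        for name in WATCHED:
            if name in deps:
                found[name] = deps[name]  # a range, not a pinned version
    return found


def scan(root, minimum):
    """Walk root; return [(project, package, version, needs_patch), ...].

    `minimum` maps package -> lowest patched version (assumed; from the advisory).
    A package with no floor given, or a version that cannot be parsed, is
    flagged so it gets looked at rather than silently passing.
    """
    report = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Nested dependencies are not deployable projects; skip them.
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        if "package.json" not in filenames:
            continue
        for name, ver in resolved_versions(dirpath).items():
            parsed = parse_version(ver)
            floor = parse_version(minimum.get(name, ""))
            needs_patch = parsed is None or floor is None or parsed < floor
            report.append((os.path.relpath(dirpath, root), name, ver, needs_patch))
    return report


if __name__ == "__main__":
    import sys
    # Placeholder floors: replace "0.0.0" with the patched versions from the advisory.
    floors = {name: "0.0.0" for name in WATCHED}
    for proj, name, ver, bad in scan(sys.argv[1] if len(sys.argv) > 1 else ".", floors):
        print(f"{'NEEDS PATCH' if bad else 'ok':11} {proj:30} {name} {ver}")
```

Run it against the parent directory of all your deployed apps on each host, not just the repos you remember, since the one you forget is the one that gets scanned.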
Description
Yes, got pwned badly. Please check your servers if you use Next.js.
Don’t want to follow along on YT? https://howtoautomate.dev
Subscribe to my random fun newsletter: https://randomdailyurls.com
See ya all tomorrow!
Topics
AI with Steve build in public
