Just found a 1-click RCE in pewdiepie's Odysseus Chat
Posted by theonejvo@reddit | LocalLLaMA | 52 comments
PR being submitted to help the project as we speak. Sound on for extra lols.
Kahvana@reddit
Does the repo have the security tab set up on the repo?
If so, submit it there first in private.
ClassicMain@reddit
It does.
OP hasn't heard of responsible disclosure before, it seems.
ReachingForVega@reddit
Not everyone is a security researcher.
simplex0991@reddit
That is the nice thing to do, but responsible disclosure is not a requirement when testing for vulnerabilities.
ClassicMain@reddit
Sure. No requirement. No law saying you have to do it.
But not doing it, and in fact publicly announcing it everywhere is the opposite of ... the right thing to do
Epitaque@reddit
Ugh. This subreddit is becoming more and more slop by the day. Nobody cares about this exploit or your AI-written engagement farming twitter article. I highly doubt anybody runs Odysseus on the public internet.
theonejvo@reddit (OP)
Standard weeb take.
Minute_Attempt3063@reddit
so no private disclosure to them?
just full on public showing how it is done?
could be very bad
theonejvo@reddit (OP)
Already patched.
cakes_and_candles@reddit
why does pewdiepie's vibe coded slop get 10k stars on github and i get called slurs for my vibe coded slop?
real_serviceloom@reddit
Because a random influencer is doing something that is considered nerdy and hard. We tend to forget how hard all of this is for those not in tech.
More-Curious816@reddit
but pewdiepie is not a normie, he is, in fact, a nerd with very good technical knowledge.
gavff64@reddit
Right? I do appreciate the rare occasions when big influencers go outside their realm to genuinely learn something and spread it around. Call it cheesy but it’s inspirational for people. Breath of fresh air.
JEs4@reddit
Are you actually asking why famous people get special treatment?
DreadStallion@reddit
Back in my day programmers didn’t care about famous people, Programmers only cared about good code and good programmers. Miss those days
Infamous_Mud482@reddit
Unless you're an academic or a fed there's a roughly zero percent chance you were programming at a time when that was actually the case, sorry.
Due-Function-4877@reddit
Yeah
Nnyan@reddit
This. Why is this surprising? Followers will astroturf it to the moon.
BitPsychological2767@reddit
Why should we ever stop asking that?
MrHaxx1@reddit
Aside from what the others said, it actually has some really neat features. It's definitely not for everyone, and clearly the security is lacking, but I understand the hype.
OXKSA1@reddit
most likely because he is famous which means he can actually attract people with knowledge
MerePotato@reddit
Because yours probably isn't nearly as good given you don't have unlimited time and money
Borkato@reddit
It’s this tbh. Thank you for seeing reason
craftogrammer@reddit
somewhere I just commented about my project in a nested comment thread, and I got downvoted for my project lol.. I didn't even promote or share any links or claim anything.. and here you know.. haha
FortheredditLOLz@reddit
Be famous. Have fanbois worship you.
usuallyalurker11@reddit
because you don't live in Japan
Aggressive_Aspect436@reddit
Good work spotting it. Hope your PR does some good for the project. Contributing security fixes to open source projects is one of the nobler ways coders can spend their time.
But... don't take this the wrong way, you probably should have either waited for the PR to be merged or reached out in private first. If anyone is actually using this, you've effectively declared a 0-day vulnerability on reddit. That part isn't terribly cool of you.
vamps594@reddit
I tend to disagree on this one. As long as you don’t provide the exploit code directly, if one person found the vulnerability, others can too. Users should be aware of potential security flaws so they can plan accordingly and mitigate the issue
Due-Function-4877@reddit
This sub is not filled with software engineers. There's a difference and their "vibe" is showing.
Least-Tap-8175@reddit
This is actually a very interesting moral question. Does this vibe coded app with security holes earn our standard due diligence? On the one hand, you could argue you should apply as much diligence as was used to create it. On the other, there are real, non-technical users who could be harmed.
I think I tend to fall more on the FAFO side of this. If you're going to put something out in the world with zero foresight or consideration, you forfeit all expectations of "normal order" on the consumption side.
BitPsychological2767@reddit
"you could argue you should apply as much diligence as was used to create it"
Can you explain your logic here? If you're going to contribute at all, why make things worse for everyone? Why not just leave it alone at that point?
Least-Tap-8175@reddit
I really think the internet has broken us, just like, as a society.
How did you wake up this morning and decide -- "man, I'm going to go defend Pewdiepie's vibe coded slop, because that is what we need".
It has a shit security profile because it's built without a full understanding of what a good security profile requires. This isn't an AI gap, it's a human gap. For whatever reason, with the advent of social media, we all have this opinion that what we create, say, and do deserves to be seen and loved by everyone.
If you build shit, people should be able to call it shit, and that is that.
simplex0991@reddit
I think that's a fair point. If someone is going to use AI as a tool, then they also need to accept the responsibility of what they output using that tool.
Nobody should get to claim credit when it works, but get to blame the tool when it doesn't.
The AI did exactly as it was instructed to here. It was the human that didn't know how to setup security.
PMYourTitsIfNotRacst@reddit
Dude, he just asked a question to try and understand you better, damn.
BitPsychological2767@reddit
I asked you to elaborate on something you said, that is not defending pewdiepie. You are an idiot.
hainesk@reddit
FAFO is not a moral.
mr_zerolith@reddit
FAFO is a learning technique
PeachScary413@reddit
I mean if you actually use this for anything serious then you sort of had it coming already lmao 🤌
theonejvo@reddit (OP)
Already fixed. Keep up gramps.
Aggressive_Aspect436@reddit
It's not fixed until the PR is merged.
https://github.com/pewdiepie-archdaemon/odysseus/pull/366
theonejvo@reddit (OP)
meh here's a sticker
Aggressive_Aspect436@reddit
Good stuff.
theonejvo@reddit (OP)
Full technical write-up here: https://x.com/theonejvo/status/2061508425008476197?s=20
pokemonplayer2001@reddit
Whoa vibe coded shit from a “celebrity” is shit!?!?
Nnyan@reddit
You are not being really fair. It’s Celebrity Shit.
pokemonplayer2001@reddit
Touché :)
UniqueAttourney@reddit
it's over, he cancelled [soy boy sounds]
Educational-Fruit854@reddit
vibecoded 😡
vibecoded, japan 🥰
Billthegifter@reddit
My ears are bleeding. Thank you OP
theonejvo@reddit (OP)
haha sorry about the volume ❤️
ScrapEngineer_@reddit
pewdieSHIT
No_Afternoon_4260@reddit
Vibe coded projects being vibecoded lol. Put it in an openshell and call it a day