Someone used my open source project to phish people
An open-source developer recounts how the hosted (cloud) version of their project was abused, without any exploit, by phishers who used it to send roughly 14,000 emails from the project's verified domain, costing them sender reputation and prompting a security overhaul. The incident highlights the stark difference in threat models between self-hosted software and a multi-tenant SaaS, and forces a re-evaluation of how much trust a hosted open platform implicitly lends to every user who signs up. HN commenters grapple with this reality, debating automation's role in such abuse and even questioning whether the post itself was AI-generated.
The Lowdown
Andrej Acevski, developer of the open-source project management tool Kaneo, gives a sobering account of how his cloud-hosted instance was turned into a phishing relay, not through a vulnerability but through features working exactly as designed. The incident forced him to confront how different the threat model of a hosted multi-tenant service is from that of the open-source project behind it.
- Andrej received an alert that his email sending quota for Kaneo's cloud instance was exhausted, despite no recent activity on his part.
- Investigation revealed nearly 1,000 new workspaces, all created within three hours from throwaway email addresses.
- Each workspace was named after a phishing email subject line and used to send invitations through Kaneo's invite feature, 14,520 phishing emails in total, all from Andrej's verified sending domain.
- The attacker simply used Kaneo's signup and invite features as designed: a mundane but effective abuse of legitimate functionality, with no exploit or vulnerability involved.
- Andrej realized his cloud version was not just "the same software, hosted for you" but implicitly included his "Resend reputation, my IP reputation, my domain’s relationship with every mail provider."
- He quickly cleaned up the malicious accounts and hardened signup and invitation: a captcha on signup, blocking of disposable email domains, rate limits, a workspace-name filter, and removal of invite capability from guest accounts.
- These changes were made only to the cloud instance, in recognition that it faces a different threat model from a self-hosted deployment, where the operator is the only tenant.
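The controls listed above, and the burst pattern that revealed the abuse, as an added example in TypeScript (Kaneo is a TypeScript project, but this is not Kaneo's code and does not use its API). Everything here is an assumption: the disposable-domain list, the subject-line patterns behind the workspace-name filter, the rate-limit thresholds, the `SignupEvent` shape, and the constructed sample events. The point it makes that the summary alone does not is ordering: cheap checks (disposable domain, name filter) run before the rate limiter consumes a slot, guests are refused outright rather than rate-limited, and the same event stream feeds a per-hour burst counter that would have fired long before the email quota did.

```typescript
// Added example (not Kaneo's code): signup/invite abuse controls and a burst
// detector for the pattern described above. Names, thresholds and sample data
// are assumptions made for this example.

type Role = "owner" | "member" | "guest";

interface SignupEvent {
  ts: number;            // epoch milliseconds
  email: string;
  workspaceName: string;
}

// Assumed blocklist; a real deployment would pull a maintained disposable-domain list.
const DISPOSABLE_DOMAINS = new Set(["mailinator.com", "guerrillamail.com", "10minutemail.com"]);

// Assumed filter: workspace names that read like phishing subject lines.
const SUBJECT_LINE_PATTERNS: RegExp[] = [
  /\b(urgent|action required|verify|suspended|invoice|password|payment)\b/i,
  /^(re|fwd?):/i,
];

function isDisposable(email: string): boolean {
  const at = email.lastIndexOf("@");
  if (at < 0) return true; // malformed address: reject rather than guess
  return DISPOSABLE_DOMAINS.has(email.slice(at + 1).toLowerCase());
}

function looksLikeSubjectLine(name: string): boolean {
  return SUBJECT_LINE_PATTERNS.some((p) => p.test(name));
}

// Sliding-window limiter keyed by any string (account id, source IP, ...).
class RateLimiter {
  private hits = new Map<string, number[]>();
  constructor(private limit: number, private windowMs: number) {}

  allow(key: string, now: number): boolean {
    const recent = (this.hits.get(key) ?? []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Returns a rejection reason, or null when the signup may proceed.
// Cheap static checks run first so they do not consume a rate-limit slot.
function checkSignup(ev: SignupEvent, perIp: RateLimiter, ip: string): string | null {
  if (isDisposable(ev.email)) return "disposable email domain";
  if (looksLikeSubjectLine(ev.workspaceName)) return "workspace name matches subject-line filter";
  if (!perIp.allow(ip, ev.ts)) return "signup rate limit";
  return null;
}

// Guests are refused outright; everyone else is rate-limited per account.
function checkInvite(role: Role, accountId: string, limiter: RateLimiter, now: number): string | null {
  if (role === "guest") return "guests cannot invite";
  if (!limiter.allow(accountId, now)) return "invite rate limit";
  return null;
}

// Detection side: count workspace creations per fixed window and report the
// windows at or above a threshold. A burst far above normal signup volume is
// the signal that was missing until the email quota ran out.
function burstWindows(events: SignupEvent[], windowMs: number, threshold: number): number[] {
  const buckets = new Map<number, number>();
  for (const e of events) {
    const b = Math.floor(e.ts / windowMs) * windowMs;
    buckets.set(b, (buckets.get(b) ?? 0) + 1);
  }
  return [...buckets.entries()]
    .filter(([, n]) => n >= threshold)
    .map(([b]) => b)
    .sort((a, b) => a - b);
}

// Constructed sample: 30 signups within half an hour from throwaway addresses
// with subject-line names, then one ordinary signup five hours later.
const SAMPLE: SignupEvent[] = [
  ...Array.from({ length: 30 }, (_, i) => ({
    ts: 1_700_000_000_000 + i * 60_000,
    email: `u${i}@mailinator.com`,
    workspaceName: `Urgent: verify your account ${i}`,
  })),
  { ts: 1_700_000_000_000 + 5 * 3_600_000, email: "alice@example.org", workspaceName: "Roadmap" },
];

// Runs the sample through the signup checks and the burst detector.
function demo(): { bursts: number; rejectedSample: number } {
  const perIp = new RateLimiter(5, 3_600_000); // assumed: 5 signups per IP per hour
  const rejected = SAMPLE.filter((e) => checkSignup(e, perIp, "203.0.113.7") !== null).length;
  return { bursts: burstWindows(SAMPLE, 3_600_000, 20).length, rejectedSample: rejected };
}
```

The per-IP limiter is the weakest of these controls on its own, since a signup farm rotates addresses cheaply; it is the combination with the captcha, the domain blocklist and the name filter, plus an alert on `burstWindows`, that raises the cost. Keying the invite limiter by account rather than workspace matters too, because the attacker created a fresh workspace per batch precisely to spread the sends across many keys.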
The experience shifted his view of running a cloud service for an open-source project from a casual sandbox to a full piece of infrastructure with real responsibilities, above all the sender reputation of his domain, which every tenant of the hosted instance implicitly borrows.
The Gossip
Arbitrage of Assurance
Commenters point out that any free service that lends its users a trust signal (such as a sending domain with good reputation at the major mail providers) will be found and exploited by abusers, who arbitrage that value at the operator's expense. This is seen as a near-unavoidable cost of offering open platforms online, and something to plan for before launch rather than discover after the first incident.
LLM Lingo & Literary Labels
A surprisingly dominant thread debated whether the article itself was written by an LLM. Some users found the sentence structure and specific vocabulary characteristic of AI output, leading to a heated exchange about identifying AI-generated text and its effect on readers. Others defended the article's human authorship or argued that AI-detection tools are unreliable, citing their false-positive rates.
Modern Malfeasance & Mitigating Measures
Many commenters noted that this kind of abuse is routine across the industry, not specific to small open-source projects, and is usually automated. The discussion turned to putting preventive controls in place early rather than after the first incident, and to the differing security considerations of self-hosted versus multi-tenant SaaS deployments. Some also anticipated LLMs further lowering the barrier to such attacks.