Hacker News new | past | comments | ask | show | jobs | submit login

Correct. Sadly the issue is that the cloud provider installed an agent that only blocks requests if the authentication header does not contain correct authentication.

If you remove the authentication header, that check never fires, and it considers you authenticated. Then it proceeds to let you run any command.

Now the point is, anyone who can send you messages can strip the authentication header, so anyone who can send you messages can execute arbitrary commands.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact