At the end of June, a security researcher found a vulnerability in a web app used by a16z, one of the most powerful and influential Silicon Valley venture capital firms, which exposed some data about the firm’s portfolio companies. The bug has since been fixed.
On June 30, a security researcher who goes by xyzeva wrote on X that she was looking for someone from a16z to reach out, hinting that she had found a security issue.
“Get in touch, now. its bad. security related,” she wrote.
When reached by TechCrunch, xyzeva said that she found “a really simple bug” that “basically gave access to everything” on a16z portfolio portal. More specifically, she said that she found exposed API keys on the site portfolio.a16z.com. xyzeva said that the information she was able to see included: emails, passwords, and “company details and employees.” Also, she added, she could have sent emails as a16z and access previously sent emails from the company’s account with Mailgun, an email delivery service.
In a statement to TechCrunch, Bryan Green, the chief information security officer at a16z, confirmed that the company fixed the bug on the same day xyzeva wrote the post and got in touch with the company, but said that the issue didn’t affect any sensitive data.
“On June 30th, a16z addressed a misconfiguration in a web app that is used for the specific use case of updating publicly available information on our website such as company logos and social media profiles. The issue was resolved quickly and no sensitive data was compromised,” said Green. “We remain committed to collaborating with the security community on ethical disclosures and will continue to do so through responsible means.”
In a text conversation seen by TechCrunch, where xyzeva inquired about a bug bounty program — a way for security researchers to get rewarded for their findings — a company employee told her that the firm doesn’t provide one. “However, after we complete the analysis I’m very happy to try to set something up specifically for you in this case,” the employee said.
Days later, however, the employee told xyzeva that “unfortunately, there are a couple of things getting in the way,” according to another text exchange seen by TechCrunch.
“First, there’s the disclosure method. Posting that there was a serious issue publicly meant that potential attackers likely scanning our sites to search for the issue, which increased risk for us unnecessarily and is outside the norm of how vulnerability disclosures are performed,” said the employee. “Second, the follow-up post that incorrectly described ‘full access to basically everything’ and promised a write-up didn’t signal the best intentions to the team. If any of this is being misunderstood, please let me know.”
It’s not uncommon for security researchers to disclose their findings when the vulnerability or issue is fixed and no longer at risk.
As of this writing, the portal where xyzeva found the issue is not available. “This application is being deprecated,” read a message on the site.
Over the years, a16z has invested in several well-known companies like Airbnb, Coinbase, Instacart, Lyft, and Slack, among many others. The firm’s founders Marc Andreesen and Ben Horowitz have recently said that they are supporting Donald Trump in the upcoming presidential elections.
Comment