Researcher finds flaw in a16z website that exposed some company data

At the end of June, a security researcher found a vulnerability in a web app used by a16z, one of the most powerful and influential Silicon Valley venture capital firms, which exposed some data about the firm’s portfolio companies. The bug has since been fixed. 

On June 30, a security researcher who goes by xyzeva wrote on X that she was looking for someone from a16z to reach out, hinting that she had found a security issue.

“Get in touch, now. its bad. security related,” she wrote.

When reached by TechCrunch, xyzeva said that she found “a really simple bug” that “basically gave access to everything” on a16z’s portfolio portal. More specifically, she said that she found exposed API keys on the site portfolio.a16z.com. xyzeva said that the information she was able to see included emails, passwords, and “company details and employees.” She added that she could also have sent emails as a16z and accessed previously sent emails from the company’s account with Mailgun, an email delivery service.

In a statement to TechCrunch, Bryan Green, the chief information security officer at a16z, confirmed that the company fixed the bug on the same day xyzeva wrote the post and got in touch with the company, but said that the issue didn’t affect any sensitive data. 

“On June 30th, a16z addressed a misconfiguration in a web app that is used for the specific use case of updating publicly available information on our website such as company logos and social media profiles. The issue was resolved quickly and no sensitive data was compromised,” said Green. “We remain committed to collaborating with the security community on ethical disclosures and will continue to do so through responsible means.”

In a text conversation seen by TechCrunch, where xyzeva inquired about a bug bounty program — a way for security researchers to get rewarded for their findings — a company employee told her that the firm doesn’t provide one. “However, after we complete the analysis I’m very happy to try to set something up specifically for you in this case,” the employee said. 

Days later, however, the employee told xyzeva that “unfortunately, there are a couple of things getting in the way,” according to another text exchange seen by TechCrunch. 

“First, there’s the disclosure method. Posting that there was a serious issue publicly meant that potential attackers were likely scanning our sites to search for the issue, which increased risk for us unnecessarily and is outside the norm of how vulnerability disclosures are performed,” said the employee. “Second, the follow-up post that incorrectly described ‘full access to basically everything’ and promised a write-up didn’t signal the best intentions to the team. If any of this is being misunderstood, please let me know.”

It’s not uncommon for security researchers to publicly disclose their findings once the vulnerability has been fixed and users are no longer at risk.

As of this writing, the portal where xyzeva found the issue is not available. “This application is being deprecated,” read a message on the site. 

Over the years, a16z has invested in several well-known companies like Airbnb, Coinbase, Instacart, Lyft, and Slack, among many others. The firm’s founders, Marc Andreessen and Ben Horowitz, have recently said that they are supporting Donald Trump in the upcoming presidential election.


Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.