{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreicpexhkp2ldwguhpea5zc6oud3kmeh6qwv7iqv6nwj66o7yosqkfi",
    "uri": "at://did:plc:npppinc2x6on5fmrcemn2p5o/app.bsky.feed.post/3mgun2dywbd72"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreih3nziy7s4b45jwt3jtztopcvqdf4ea32xlnsfqovac2lwtz5br5m"
    },
    "mimeType": "image/png",
    "size": 447833
  },
  "path": "/post/810884287145656320",
  "publishedAt": "2026-03-12T12:45:18.000Z",
  "site": "https://tumblr.sztupy.hu",
  "tags": [
    "pappito",
    "odmnd",
    "gerywhite",
    "babarumblr",
    "napszemuvegbe",
    "How We Hacked McKinsey’s AI Platform"
  ],
  "textContent": "pappito:\n\n> odmnd:\n>\n>> gerywhite:\n>>\n>>> babarumblr:\n>>>\n>>>> napszemuvegbe:\n>>>>\n>>>>> How We Hacked McKinsey’s AI Platform\n>>>>>\n>>>>>>  _So we decided to point our autonomous offensive agent at it. No credentials. No insider knowledge. And no human-in-the-loop. Just a domain name and a dream._\n>>>>>> _Within 2 hours, the agent had full read and write access to the entire production database._\n>>>>\n>>>> Noice\n>>>\n>>> There was low-level ICE in the data fortress\n>>\n>> Kuang virus ftw.\n>\n> The agent mapped the attack surface and found the API documentation publicly exposed — over 200 endpoints, fully documented. Most required authentication. Twenty-two didn’t.\n>\n> One of those unprotected endpoints wrote user search queries to the database. The values were safely parameterised, but the JSON **keys** — the field names — were concatenated directly into SQL.\n\nwhat could go wrong",
  "title": "what could go wrong"
}