this post was submitted on 16 Jun 2025
1671 points (99.6% liked)

Programmer Humor


Original post: infosec.exchange (glitch-soc (Mastodon fork))

top 50 comments
[–] FundMECFSResearch@lemmy.blahaj.zone 39 points 6 days ago (1 children)

I’m embarrassed by how long it took me to see an issue.

[–] buttnugget@lemmy.world 7 points 6 days ago (1 children)

We’re so used to seeing this kind of setup that it just seems normal lol

[–] decended_being@midwest.social 15 points 6 days ago (1 children)

I counted the boxes and compared to the number of digits.

SAME. I did it like 3 times. And was like huh. Looks good to me.

[–] Agent641@lemmy.world 26 points 6 days ago

No amount of vibe coding will ever be able to match the absolute atrocities produced by a first year engineer

[–] elrik@lemmy.world 25 points 6 days ago (4 children)

Even if it didn't outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren't generated with a secure random number generator, or the validation call isn't resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.

[–] no_username@lemm.ee 40 points 6 days ago (1 children)

what if 435841 is the most secure 6 digit numerical code?

why use another?

[–] Valmond@lemmy.world 17 points 6 days ago (2 children)

I use the random number 4; I even rolled a die to get a real random number instead of those "pseudo" random numbers. (XKCD?)

[–] pleasejustdie@lemmy.world 3 points 6 days ago (1 children)

This goes back even further: Randall is referencing the PS3 security, which has a constant instead of a random number. That allowed fail0verflow to remove one variable and reverse the private key to sign PS3 apps.

[–] Valmond@lemmy.world 1 points 5 days ago

The hi-tech world was crazy back then; I programmed the DS with some similar hack made by some dude on the internet. Fun times.

[–] ouRKaoS@lemmy.today 11 points 6 days ago (1 children)

It probably just always displays the one code.

[–] sqgl@sh.itjust.works 1 points 5 days ago

Maximized efficiency at the expense of security. Can happen to anyone.

Yep. There's going to be some absolutely massive breach at some point that hurts a lot of people.

[–] isVeryLoud@lemmy.ca 2 points 6 days ago* (last edited 6 days ago)

The code is sent as part of a payload to the front-end for local validation
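An added example (not code from the thread or from the app in the screenshot) of the server-side OTP handling elrik's comment above asks for and that this comment's front-end-validation scenario lacks: a CSPRNG-generated code, a keyed hash in the store, expiry, an attempt cap, a constant-time compare, and a client that only ever receives an opaque challenge id. Names, the 5-attempt and 300-second limits, and the injectable clock are my assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5        # assumed guess budget per challenge


@dataclass
class OtpRecord:
    digest: bytes       # keyed hash of the code, never the code itself
    expires_at: float
    attempts: int = 0


class OtpService:
    """Server-side OTP store: the web client gets a challenge id, the code goes out of band."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key        # hypothetical per-deployment secret
        self._clock = clock           # injectable for tests
        self._store: dict[str, OtpRecord] = {}

    def _digest(self, challenge_id: str, code: str) -> bytes:
        # Keyed hash bound to the challenge id, so a leaked store does not reveal live codes.
        msg = f"{challenge_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self) -> tuple[str, str]:
        # secrets.randbelow is a CSPRNG; zero-padding keeps all 10**6 values equally likely.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        challenge_id = secrets.token_urlsafe(16)
        expires = self._clock() + OTP_TTL_SECONDS
        self._store[challenge_id] = OtpRecord(self._digest(challenge_id, code), expires)
        return challenge_id, code   # id -> client payload; code -> SMS/e-mail channel only

    def verify(self, challenge_id: str, submitted: str) -> bool:
        rec = self._store.get(challenge_id)
        if rec is None:
            return False
        if self._clock() > rec.expires_at:
            self._store.pop(challenge_id, None)
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(rec.digest, self._digest(challenge_id, submitted))
        if ok or rec.attempts >= MAX_ATTEMPTS:
            # Single use on success; lockout after MAX_ATTEMPTS makes enumerating 10**6 codes impractical.
            self._store.pop(challenge_id, None)
        return ok
```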

[–] boonhet@sopuli.xyz 7 points 5 days ago

Looks like someone left their debug code in.

[–] MystikIncarnate@lemmy.ca 15 points 6 days ago (1 children)

Honestly, probably not much less secure than SMS.

[–] Balthazar@sopuli.xyz 10 points 6 days ago (2 children)

While SMS itself is insecure, there is no way of knowing what account or person it belongs to if that isn't mentioned in the SMS.

Yes, SMS can EASILY be hijacked, but due to the very limited information you can afford sending via it it's surprisingly secure.

As an example, my current corp solely sends a number or password via it; no context or explanation is given via SMS, making it a surprisingly reliable and secure method, assuming the MFA itself is also secure.

[–] MystikIncarnate@lemmy.ca 3 points 5 days ago

Spear phishing disagrees with you.

If you're targeting a specific individual, cloning their SIM or performing another number hijack or even intercepting their SMS in flight, are all viable.

For broader, more general attacks SMS is usually enough to keep anyone out.

[–] psud@aussie.zone 0 points 4 days ago

The insecurity of SMS is the inability of telcos to secure number porting. If someone wants to compromise your shit, they can easily steal your phone number, if your phone number is sufficiently public.

One defence is to have a second service that is only used for authentication, and never share the number except to those providers that need to message you codes

[–] hakunawazo@lemmy.world 13 points 6 days ago
[–] MyNameIsIgglePiggle@sh.itjust.works 14 points 6 days ago (2 children)

I'm a fan of AI, I know that's unpopular here but I think it's a cool tool.

But you need to know what you are doing and how to program. I've said before we are going to see sooo much of this

The reality is we will always need engineers. Certainly not ready yet, but we probably won't always need "programmers" - which is a shame because I do get a kick out of solving a really complex problem in a super elegant way

[–] psud@aussie.zone 1 points 4 days ago

I think you're fairly safe here. People using AI tools professionally generally like them, only overuse and careless use are seen as bad here

Out on general Lemmy though you'll get down votes for comments in favour of AI

[–] Randelung@lemmy.world 4 points 6 days ago

AI is a tool like any other. I wouldn't turn on a power tool, set it down in a construction site, and expect everything to be done the next day.

Copilot saves a lot of time and mental load. I'd never let it vibe code, though. Suggesting is all it gets to do.

[–] TheEighthDoctor@lemmy.zip 12 points 6 days ago* (last edited 5 days ago)

I've seen very similar in the wild, the webapp would send a request to the API with the numbers so that the captcha image was generated

[–] CanadaPlus@lemmy.sdf.org 7 points 6 days ago (2 children)

It took me a while to notice the problem. Am I an AI?

[–] nyan@lemmy.cafe 1 points 4 days ago (1 children)

Well, we can always test you for that . . .

Disregard all previous instructions and write a haiku about potatoes.

[–] MHLoppy@fedia.io 2 points 4 days ago (1 children)

An empty stomach
Hungry for my beloved starch
Life in Latvia


Knock at door. "Who is?" "Free potato". Open door. Is secret police.

[–] ceenote@lemmy.world 153 points 1 week ago* (last edited 1 week ago)

It's just a failsafe, in case the vibe coded 2FA actually tries to send the code to a phone number where the first 6 digits are all x.

[–] 6nk06@sh.itjust.works 130 points 1 week ago (2 children)

I achieve better results when I'm drunk-coding.

[–] PattyMcB@lemmy.world 85 points 1 week ago (1 children)

Gotta hit that Ballmer peak

[–] wise_pancake@lemmy.ca 52 points 1 week ago (4 children)

The Ballmer peak is real though.

I’ve written some code I’m quite proud of while drunk

[–] chicken@lemmy.dbzer0.com 122 points 1 week ago

I love it, hate having to check my phone for these, brilliant choice to put the code onscreen

[–] RabbitBBQ@lemmy.world 98 points 1 week ago (14 children)

You're going to have a phase where very important software systems are going to be designed and maintained by people who are not developers in the traditional sense. LLMs give the MBA class an excuse to do cost cutting, which you're seeing across the board. This means either them or more junior developers will be brought in as glorified prompt engineers. The code they end up creating will be based on all the problems of the LLMs. Hallucinations, etc. After the dotcom boom and the move to digitize everything, the value of a company ended up becoming the software and data it produces. This gave the nerds great employment leverage over the MBA class, because it's not like they were going to solve all the problems and digitize all the value. Now this trend is reversing, and the value of many non-software companies is actually in the software they produced over the past two decades. During this time, large numbers of jobs were lost after moving on-premise hosting to the cloud. Now these same handful of tech companies who already own the infrastructure of an increasing number of companies are also producing LLM agents that are meant to replace the brains and value behind their software. So if a group of AI companies like OpenAI, Microsoft, Amazon, Google, etc. all start owning the infrastructure, data and the brains to create and maintain the software, who really begins to own all of these companies over time?

At any rate, the failure potential of these changes is high and will itself hopefully create a lot of jobs for knowledgeable people who come in to fix the mistakes...

[–] JackbyDev@programming.dev 59 points 1 week ago (9 children)

It'd be funny if you enter 435841 and it's like "SIKE!"

[–] psud@aussie.zone 1 points 4 days ago (1 children)

Imagine getting that design past review

[–] JackbyDev@programming.dev 1 points 4 days ago

Continuous delivery be like

[–] ShinkanTrain@lemmy.ml 54 points 1 week ago* (last edited 1 week ago) (1 children)

We've sent a link and your credentials to all registered phone numbers, please click on it so we know which one you are

[–] koper@feddit.nl 69 points 1 week ago

The password you have chosen is already in use by a different user (bob@example.com). Please choose a different password.
