Hyperdev and similar online IDEs are a security mess - nomalloy/info GitHub Wiki

Hyperdev

Hyperdev is an online IDE with a lot of power. Take a look: https://hyperdev.com

Unfortunately, it has... security issues. Most online IDEs like it do. They seem to think that running each project in its own container solves every security problem. It doesn't: isolation protects the host from your code, and does nothing about the secrets your project itself exposes.

Wrong.

API keys

A lot of projects on Hyperdev use API keys. Normally that is not a problem, because providers like Google let you restrict a key to a particular site (the HTTP referrer), so a key lifted from someone else's page is hard to abuse from anywhere else. That's why you see API keys in the HTML source of pages in your browser.

Of course, since anyone can read them, you shouldn't rely on API keys for security: they identify the calling project for quota and billing, they don't prove who the user is. Most people don't, fortunately.

The MASSIVE PROBLEM on Hyperdev is that every project is served from the same site, so a per-site restriction no longer distinguishes one project from another. Pick any project, Remix it as your own, and you can start playing around with other people's API keys from your copy.

The other problem is that sites like Hyperdev attract very inexperienced programmers. It's going to be a great place to harvest keys, including private keys. (I haven't bothered to look for such keys on Hyperdev, but I have found them on similar sites. Someone has probably screwed up on Hyperdev as well, so please do notify the company or the project owner ASAP if you do encounter such information.)
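The check a practitioner would want before pushing a project to a shared host like this is a secret scan of the source tree. The following is an added example, not code from the original page or from Hyperdev: a small regex-based scanner for the key shapes mentioned above (Google API keys, AWS access key IDs, PEM private-key blocks). The sample project and every key in it are constructed fakes in the right shape; the file names are assumptions for illustration.

```javascript
// Added example: pre-publish secret scanner. Not part of the original page.
// Patterns are the well-known shapes of each credential type.
const SECRET_PATTERNS = [
  // Google API keys: "AIza" followed by exactly 35 URL-safe characters.
  { name: 'google-api-key', re: /AIza[0-9A-Za-z_-]{35}/g },
  // AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
  { name: 'aws-access-key-id', re: /AKIA[0-9A-Z]{16}/g },
  // Header of a PEM private key (RSA, EC, OpenSSH or generic PKCS#8).
  { name: 'pem-private-key', re: /-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----/g },
];

// Keep just enough of a match to locate it; never log the whole secret.
function redact(s) {
  return s.length <= 8 ? s : s.slice(0, 4) + '...' + s.slice(-4);
}

// Scan one file's contents; one finding per match, with the 1-based line.
function scanSource(filename, contents) {
  const findings = [];
  contents.split('\n').forEach((line, idx) => {
    for (const { name, re } of SECRET_PATTERNS) {
      re.lastIndex = 0; // global regexes are stateful; reset per line
      let m;
      while ((m = re.exec(line)) !== null) {
        findings.push({ file: filename, line: idx + 1, kind: name, match: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Scan a whole project given as { path: contents }, in file order.
function scanProject(files) {
  return Object.entries(files).flatMap(([path, contents]) => scanSource(path, contents));
}

// Constructed sample project (assumed file names, fake credentials).
const SAMPLE_PROJECT = {
  'public/client.js': [
    "// calls the provider straight from the browser, key and all",
    "const key = 'AIzaSyEXAMPLE_not_a_real_key_0123456789';",
    "fetch('https://maps.googleapis.com/maps/api/geocode/json?address=x&key=' + key);",
  ].join('\n'),
  'server.js': [
    "const AWS_KEY = 'AKIAEXAMPLEKEY000000';",
    "const pem = `-----BEGIN RSA PRIVATE KEY-----`;",
  ].join('\n'),
  'README.md': 'Nothing secret here.',
};

for (const f of scanProject(SAMPLE_PROJECT)) {
  console.log(`${f.file}:${f.line} ${f.kind} ${f.match}`);
}
```

Run it over your own tree (read the files with fs and feed them to scanProject) before the first deploy; a hit on anything but a provider key you have deliberately made public means the project is not ready to be shared.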

Scary. So...

NEVER EVER PUT API KEYS ON HYPERDEV, NOT EVEN PUBLIC ONES

NEVER EVER USE API KEYS AS A SECURITY FEATURE

ROUTE API ACCESS THROUGH YOUR SERVER, AND DON'T USE SITES WITH SHITTY SECURITY TO HOST YOUR SERVER

That's just the start

The most severe security problems I've seen in these online IDEs will not be disclosed here... I've notified the relevant people. Let's just hope they fix them before someone exploits them (probably too late, though!)