48 comments

  • sixtyj 34 minutes ago

    > The leak occurred when four Fields Medal laureate lecture fields, marked "HIDDEN," were discovered in the front-end code of the ICM 2026 official schedule.

    So it was easier than I thought. Bot just scraped public page with hidden fields, not a secret page or to-be-published page from database.

  • edoceo an hour ago

    I've been working on a site. It's new, domain is only a few weeks old. It's got SSL, so all the bots know it exists. It's never had any sub-pages exposed, just the placeholder lander, no links.

    Somehow in Google search one of the unguessable pages is indexed. We have used Claude and Gemini to assist with some design aspects.

    I'm thinking some aggressive data ingestion/indexing is happening by all the bots in the quest for frontier models.

    • resonious an hour ago

      I've also seen Google indexing pages with random values in the path that don't get linked to statically (server asks for the URL then redirects to it immediately). I'm pretty sure they index straight out of the Chrome address bar.

      • st_goliath an hour ago

        Yep. I remember a similar story as GP described from a friend back in 2008. The site he was working on that wasn't linked to yet was suddenly indexed after he checked out what it looked like in the fancy new "Chrome" browser that Google had just released, causing some moderate panic on his end.

      • morpheuskafka 11 minutes ago

        This may have been part of this issue I found a few months back, as no other explanation for how UUID URLs got indexed was found: https://news.ycombinator.com/item?id=47769796

      • foobarbecue an hour ago

        Holy crap I hope that's not true. I've also had unguessable pages indexed, though, and don't have an explanation.

        • FabCH 10 minutes ago

          It’s absolutely true. It is a documented fact. It was discovered and entered into public record during the DOJ antitrust investigation into Google Chrome.

          They call the signal „popularity“ and it is a successor of the Google Toolbar signal.

          https://www.justice.gov/opa/pr/department-justice-wins-signi...

        • inigyou 20 minutes ago

          There's no reason to think it isn't true. It matches every pattern of behavior observed from every tech company.

          • EGreg 15 minutes ago

            Why don’t they also read your gmail and get your bank passwords?

            And maybe have access to EVERY site actually, with “forgot password” type stuff in addition to providing oauth tokens…

            • applfanboysbgon 6 minutes ago

              > Why don’t they also read your gmail

              Boy do I have news for you.

        • nicce an hour ago

          Something worth inspecting further. We know that Chrome stores and sends the browsing history but this is an interesting vector.

          • DANmode 40 minutes ago

            I’d be more surprised if they weren’t capturing this information.

            Especially if you have autocomplete-while-searching type of features on.

    • cynerx an hour ago

      Are you using Cloudflare by any chance? I think the Crawler Hints setting [1] exposed some of my "secret" pages in the past.

      [1] https://developers.cloudflare.com/cache/advanced-configurati...

    • malwrar 3 minutes ago

      They log all DNS requests made to their public resolver in a searchable internal database, at least when I worked there a decade or so ago. I wonder if they seed their crawler with it?

    • dreambigwrkhard an hour ago

      Depending on the CMS, if it's wordpress (15% chance, ha) there is a sitemap function built-in out of the box. The bots don't need to guess.

    • pohuing 40 minutes ago

      There's a couple avenues besides just stealing what's in your URL bar.

      If you don't use wildcard certs all of your subdomains can be scraped from the certificate transparency logs. Additionally, any domain+cert using HSTS with preload enabled end up in a big list at Google to speed up the initial connection from browser to site.

      • brookst 36 minutes ago

        For hosts, but not pages on the site.

        But I think the other explanations take care of pages: cloudflare hints, chrome reporting addresses visited, etc.

      • fragmede 37 minutes ago

        CT logs just explain how they found the domain. T doesn't explain how they could have found unlinked content on the domain itself. If I put up secret-example.com/asdf-1234567.html, how does that page get found if there are no public links to it?

    • f311a 35 minutes ago

      Google Chrome used to report visited pages back to Google, not sure if this still the case. Also, Google Analytics can see visited pages and Google uses it.

      Finding domains is easy, everybody uses CTL to find them.

    • htek 17 minutes ago

      Nothing you enter into an LLM not hosted by you, or put onto the web is safe from being collected and exploited by these "AI" companies and their LLM's voracious appetite.

    • VladVladikoff 31 minutes ago

      Google uses data from chrome. If you visited it with chrome, google knows it exists.

    • mirekrusin 27 minutes ago

      Isn't leaking browser extension used by one of people on the team (doesn't need to be developer, could be qa or anybody with whom the access was shared) more plausible?

    • phoghed 27 minutes ago

      You ISP also collects and sells data to companies like Moz, and possibly to Google too.

      • soblemprolver 25 minutes ago

        URL paths over https wouldn't be transparent to the ISP though, would they?

        • throw10920 20 minutes ago

          They would not - GP was probably bringing up something not directly relevant, but still related. (they should have clarified though)

    • brador 14 minutes ago

      Chat programs catch links you send.

      Also that browser setting to check urls are safe sends them out “sometimes“.

  • ashu1461 an hour ago

    Someone used Codex to scrape the ICM website schedule and discovered that the winners list was simply hidden in the front-end code with a "hidden" tag

    This is on the devs and feels like a very basic leak which could have exploited in the non LLM world as well.

    • st_goliath an hour ago

      Well, the angle is kind of important here. The company gets their name in the news, they have a reasonable explanation why they were scraping around, and we end up with a story about innovative tech company whiz-kids who made a funny discovery, while it was the webdevs on the other side that goofed up.

      Imagine a private individual just scraped the website (or simply clicked 'view source') for no reason in particular and then told people about it... They'd be labeled an uber-haxxor, face a civil lawsuit asking for ridiculous damages while being threatened with a prison sentence over CFAA violations. Hell, that might even drive some people to suicide.

      • brookst 34 minutes ago

        The fact that an egregious case happened once, decades ago, is probably not sufficient grounding to act like every bit of equally trivial “hacking” always results in massively disproportionate law enforcement response.

        Sucks it happened. But we all know that is not the typical scenario.

    • ajb an hour ago

      Yeah that happens all the time. Anyone/thing with popular public releases has fans/journeys scraping the website looking for unreleased material or scoops.

      In the early days one of the high profile soaps in the UK published their "catch up" summaries for the week ahead which you could get just by editing the date in the URL. But back then not so many people were looking, so they were doing it for months...

    • sigmar 22 minutes ago

      Most of what an LLM does "could have" been done by a human if you throw enough human hours at it. But the reality in this circumstance is that a new tool helped find this leak. Saying this could have happened in a "non LLM world" is analogous to "someone else could have discovered special relativity, let's not mention Einstein"

  • efficax an hour ago

    twist: codex also wrote the code that placed the winners list in a hidden element

  • zaikunzhang an hour ago
  • bananaflag an hour ago

    This is sad, almost as sad as the Deathly Hallows pre-release leak.

  • tw1984 an hour ago

    too bad that those winners can no longer bet themselves on polymarket as the winner and make big money.

  • picafrost an hour ago

    > Hong Wang will become the third female mathematician in history to receive the Fields Medal

    Interestingly, if true, it will also be the first time an MIT PhD graduate has won the Fields Medal.

  • micromacrofoot an hour ago

    ai bots will have more privacy than we do

  • rurban an hour ago

    It's Wang Hong, my god. Cannot they still don't write proper Chinese names?

    • bananaflag an hour ago

      Wikipedia says Hong Wang while acknowledging that the native form is Wang Hong and that they are using the Western name order.

      • grommz an hour ago

        Nobody says Jinping Xi or Zedong Mao.

        • inigyou 17 minutes ago

          Can we not just agree that transliteration is tricky business with no single canon?

          Some Indian restaurants near me sell Aloo Saag, others sell Alu Sag.

        • treetalker 16 minutes ago

          Well, some do say Jinping the Eleventh …

          • bananaflag 8 minutes ago

            And Kim Jong the Second, which was confusing since he was actually the second Kim.

        • bromuro 22 minutes ago

          Is Elton John or Jhon Elton?

    • jryle70 11 minutes ago

      https://en.wikipedia.org/wiki/Hong_Wang

      Such as waste of energy to argue on

    • malfist 30 minutes ago

      > Cannot they still don't write

      Amusing to see someone complaining about not using their definition of "proper language" when they themselves are not using proper language.