by gnabgib on 12/15/2024, 12:08:55 AM
by CGamesPlay on 12/15/2024, 1:35:19 AM
Skipping over most of this (the vulnerability is not really investigated at all in the stream). But the gist of it is that "access devin's machine" links are tough-to-guess but unauthenticated URLs, so anyone who has that URL has all the same access Devin does to your account.
by theogravity on 12/15/2024, 1:29:11 AM
I don't want to watch a 55 minute stream to see what the actual vuln is. Can someone summarize?
by jazzyjackson on 12/15/2024, 1:54:55 AM
I don't know what Devin is but it sounds like this is just a case of using a high entropy uuid as a workspace address, it's not that different than password auth if, say, your password was in the query string. Not great, but basically it's "anyone with a link" method of sharing access.
Did Google Photos ever change their auth scheme? I know I was surprised once when I found out the direct URL of my jpegs was "public"
Here's an archived link to the Twitter thread you can read without an account https://xcancel.com/TheMidasProj/status/1867318553046921376
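To make the distinction in the comment above concrete, here is an added example (not code from the stream, the thread, or Devin's vendor): a minimal share-link store in Python contrasting a pure "anyone with the link" capability URL with a link that is bound to named, authenticated users, expires, and can be revoked. `ShareLinkStore`, `LinkRecord`, and the result strings are hypothetical names chosen for the illustration.

```python
"""Capability URLs ("anyone with the link") vs. links bound to an authenticated user.

Added illustration only; all names here are hypothetical and model the design
choice, not any real product's implementation.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class LinkRecord:
    owner: str                # account the link grants access to
    expires_at: float         # unix time after which the link is dead
    allowed_users: frozenset  # empty -> pure capability URL: anyone holding the token


class ShareLinkStore:
    """Server-side table of share links, keyed by a hash of the secret token."""

    def __init__(self):
        self._links = {}  # sha256(token) -> LinkRecord

    @staticmethod
    def _key(token: str) -> bytes:
        # Store only a hash: a leaked table dump does not yield usable links, and the
        # lookup compares digests rather than the raw secret.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def create(self, owner, ttl_s=3600, allowed_users=(), now=None):
        """Mint a link. With no allowed_users this is the 'anyone with the link' model."""
        token = secrets.token_urlsafe(32)  # 256 random bits (a uuid4 carries 122)
        now = time.time() if now is None else now
        self._links[self._key(token)] = LinkRecord(owner, now + ttl_s, frozenset(allowed_users))
        return token

    def resolve(self, token, requester=None, now=None):
        """Return 'ok' or the reason access is denied.

        requester is the authenticated principal presenting the link (None if the
        request carries no session at all).
        """
        now = time.time() if now is None else now
        rec = self._links.get(self._key(token))
        if rec is None:
            return "unknown"
        if now > rec.expires_at:
            return "expired"
        if rec.allowed_users:  # bound link: the token alone is not enough
            if requester is None:
                return "unauthenticated"
            if requester not in rec.allowed_users:
                return "forbidden"
        return "ok"

    def revoke(self, token):
        """Kill a link that has leaked; returns True if it existed."""
        return self._links.pop(self._key(token), None) is not None


if __name__ == "__main__":
    store = ShareLinkStore()
    open_link = store.create("workspace-owner", ttl_s=60)
    print("capability link, no session:", store.resolve(open_link))          # ok
    bound = store.create("workspace-owner", ttl_s=60, allowed_users=["alice"])
    print("bound link, no session:", store.resolve(bound))                   # unauthenticated
    print("bound link, alice:", store.resolve(bound, requester="alice"))     # ok
    store.revoke(bound)
    print("bound link after revoke:", store.resolve(bound, requester="alice"))  # unknown
```

The `resolve` outcome is the thing worth logging: a high-entropy token makes guessing impractical, but it does nothing once the URL has been pasted into a chat, a bug report, or a browser history, so expiry, revocation, and binding the link to a session are what actually limit the blast radius of a leak.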
by satisfice on 12/15/2024, 4:29:58 AM
I tried to watch this, but a young man’s silly antics are not educational for me. Maybe people who stream have to ham it up to get likes, but I’d rather see serious people at work.
by google234123 on 12/15/2024, 12:28:44 AM
It's a funny stream, Devin spends one and a half hours trying to push to master.
Interesting comment from @Topfi last time this was posted (6 points, 2 days ago) https://news.ycombinator.com/item?id=42404132