The May 17 IL /admin batch
What we got wrong
We sent 8 contact-request issues to maintainers of Israeli sites (.co.il TLDs) flagging
their /admin page as a “painted-lock” exposure: the page appears to return admin content
before redirecting to login. All 8 turned out to be false positives.
Root cause
Our pilot scanner’s /admin check used urllib.request with default
follow-redirects. When a site sat behind a WAF (Radware, Cloudflare anti-bot) or was a
Next.js / React SPA returning the same HTML shell for any URL, the scanner saw
“HTTP 200 + HTML body + no ‘login’ text in first 2KB” and flagged it.
The reality: those sites were behind challenge pages or returning SPA shells, not exposing admin at all.
The retraction (sent on all 8 issues, then each was closed)
On re-verification with stricter heuristics, this report appears to be a false positive from our scanner. The pattern we flagged (/admin returning content) was triggered by your site’s SPA / framework returning the same HTML shell for unknown paths, not by an actual exposed admin panel.
This is a bug in our scanner. We’re closing this issue and fixing the detection logic so it doesn’t happen again. No action needed on your end.
Sorry for the noise. I appreciate you being patient with an automated outreach tool that’s clearly still learning its job. Voice + accuracy are the product; today this report failed on accuracy.
Thanks,
Raffa
Lictor AI · https://lictor-ai.com
The scanner fix (shipped same hour)
Built scripts/verify-finding.py, a strict re-checker that:
- Does NOT auto-follow redirects (sees the raw response)
- Detects 20+ WAF / bot-challenge fingerprints (Radware __uzdbm, Cloudflare cf-ray, Akamai, Imperva, PerimeterX, DataDome, etc.)
- Requires actual admin-panel markup (dashboard, manage-user, sidebar, etc.), not just any HTML
- For .env exposures: requires Content-Type: text/plain + ≥3 KEY=VAL lines + no <html
Every flag now passes through this verifier before becoming a contact-request. See the commits →
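To make the root cause and the fix concrete, here is an added example of the two checks side by side: the pilot heuristic (200 + HTML + no "login" text) and a strict verifier that inspects the raw, un-followed response, looks for WAF / challenge fingerprints, and demands real admin-panel markup or a genuine KEY=VAL .env body. This is illustrative code written for this post, not the project's scripts/verify-finding.py. It works on constructed Response objects rather than live requests so it runs offline; the fingerprint table is a small placeholder (cf-ray and __uzdbm are the markers named above, the rest are illustrative), and the "two distinct markup tokens" threshold is an assumption.

```python
"""Pilot heuristic vs. strict re-checker for /admin and .env findings (illustrative)."""
import re
from dataclasses import dataclass

# WAF / bot-challenge fingerprints. cf-ray (Cloudflare) and __uzdbm (Radware) are
# the markers named in the post; the other entries are illustrative placeholders,
# not a verified fingerprint list.
WAF_HEADERS = {"cf-ray": "Cloudflare", "cf-mitigated": "Cloudflare challenge"}
WAF_BODY_MARKERS = [("__uzdbm", "Radware"), ("just a moment", "Cloudflare challenge"),
                    ("perimeterx", "PerimeterX"), ("datadome", "DataDome")]

# Admin-panel markup tokens from the post; requiring two distinct hits is an assumption.
ADMIN_MARKUP = ("dashboard", "manage-user", "sidebar")
MIN_ADMIN_HITS = 2
KV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")   # KEY=VAL line of a dotenv file
MIN_KV_LINES = 3


@dataclass
class Response:
    """One raw HTTP response, captured WITHOUT following redirects."""
    status: int
    headers: dict
    body: str

    def header(self, name: str) -> str:
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower(), "")


def naive_admin_check(r: Response) -> bool:
    """The pilot logic: 200 + HTML body + no 'login' in the first 2 KB. Fires on SPA shells."""
    return r.status == 200 and "<html" in r.body.lower() and "login" not in r.body[:2048].lower()


def detect_waf(r: Response):
    """Return the vendor name if the response looks like a WAF / bot-challenge page."""
    for name, vendor in WAF_HEADERS.items():
        if r.header(name):
            return vendor
    low = r.body.lower()
    for marker, vendor in WAF_BODY_MARKERS:
        if marker in low:
            return vendor
    return None


def verify_admin(r: Response):
    """Strict verdict on a raw /admin response: (verdict, reason)."""
    if 300 <= r.status < 400:
        return "not_exposed", f"redirects to {r.header('Location') or 'another location'}"
    if r.status != 200:
        return "not_exposed", f"status {r.status}"
    vendor = detect_waf(r)
    if vendor:
        return "inconclusive", f"{vendor} challenge page, not the real /admin"
    low = r.body.lower()
    hits = [t for t in ADMIN_MARKUP if t in low]
    if len(hits) >= MIN_ADMIN_HITS:
        return "exposed", "admin markup present: " + ", ".join(hits)
    return "not_exposed", "no admin markup (framework / SPA shell)"


def verify_env(r: Response):
    """Strict verdict on a raw /.env response: text/plain, >=3 KEY=VAL lines, no HTML."""
    if r.status != 200:
        return "not_exposed", f"status {r.status}"
    if not r.header("Content-Type").lower().startswith("text/plain"):
        return "not_exposed", "not text/plain"
    if "<html" in r.body.lower():
        return "not_exposed", "HTML in body (fallback page)"
    kv = [ln for ln in r.body.splitlines() if KV_LINE.match(ln.strip())]
    if len(kv) >= MIN_KV_LINES:
        return "exposed", f"{len(kv)} KEY=VAL lines"
    return "not_exposed", f"only {len(kv)} KEY=VAL lines"


# Constructed sample responses (not captured from any real site).
SPA_SHELL = Response(200, {"Content-Type": "text/html"},
    '<!doctype html><html><head><title>Acme</title></head><body>'
    '<div id="root"></div><script src="/_next/static/chunks/main.js"></script></body></html>')
RADWARE_CHALLENGE = Response(200, {"Content-Type": "text/html"},
    '<html><head><script>var __uzdbm_c="x";</script></head><body>Checking your browser</body></html>')
REAL_ADMIN = Response(200, {"Content-Type": "text/html"},
    '<html><body><nav class="sidebar"><a href="/admin/manage-user">Users</a></nav>'
    '<h1>Dashboard</h1></body></html>')
REDIRECT = Response(302, {"Location": "/login"}, "")
ENV_PLAIN = Response(200, {"Content-Type": "text/plain"},
    "DB_HOST=db.internal\nDB_USER=app\nDB_PASS=placeholder\n")
ENV_SHELL = Response(200, {"Content-Type": "text/html"}, SPA_SHELL.body)

if __name__ == "__main__":
    for label, r in [("SPA shell", SPA_SHELL), ("Radware challenge", RADWARE_CHALLENGE),
                     ("real admin", REAL_ADMIN), ("302 to /login", REDIRECT)]:
        print(f"{label:18} naive={naive_admin_check(r)!s:5} strict={verify_admin(r)}")
    print("env plain        ", verify_env(ENV_PLAIN))
    print("env html fallback", verify_env(ENV_SHELL))
```

The point of the split is visible in the first two rows: the naive check returns True for both the SPA shell and the challenge page, while the strict verifier returns not_exposed and inconclusive respectively. An inconclusive result should queue a manual look, not an outreach issue.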
The 8 issues (all closed, retraction comments filed)
All 8 were closed with a public retraction comment within hours. We don’t name the affected sites here. Publicly listing someone we wrongly flagged would compound the original mistake. Aggregate only, always.
What we learned
- Naive HTTP probes are dangerous. WAFs and SPA fallbacks defeat almost any URL-based heuristic. Every URL-based check now needs verifier-gating.
- Speed without verification is more dangerous than slow + right. Catching it ourselves before more damage spread was the only thing that protected our voice promise.
- Public retraction with apology > silent close. Several maintainers wrote back acknowledging the apology. None expressed anger.