117 points nan60 | 2 comments
bsuvc No.44537604
It sounds like there were two separate problems:

The first was that 123456 was the credentials for the admin panel.

The second was an insecure direct object reference, where the lead_id querystring parameter can be changed on an API call to retrieve another applicant's data.

replies(3): >>44537968 >>44538121 >>44538299
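An added illustration of the IDOR pattern bsuvc describes, with the unchecked lookup beside an ownership-checked one. This is example code, not from the thread or the site discussed; the lead store, user ids and function names are constructed.

```python
"""Insecure direct object reference on a lead_id querystring parameter.
Constructed sample data and hypothetical function names."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lead:
    lead_id: int
    owner_user_id: int
    name: str
    ssn_last4: str


# Constructed store: two applicants that belong to two different users.
LEADS = {
    1001: Lead(1001, owner_user_id=7, name="Applicant A", ssn_last4="1234"),
    1002: Lead(1002, owner_user_id=9, name="Applicant B", ssn_last4="9876"),
}


class Forbidden(Exception):
    pass


def get_lead_vulnerable(session_user_id: int, query: dict) -> Lead:
    # Trusts the client-supplied lead_id outright: any authenticated user
    # can read any applicant simply by changing the querystring value.
    lead_id = int(query["lead_id"])
    return LEADS[lead_id]


def get_lead_hardened(session_user_id: int, query: dict) -> Lead:
    # Same lookup, but the record must belong to the authenticated session.
    lead_id = int(query["lead_id"])
    lead = LEADS.get(lead_id)
    if lead is None or lead.owner_user_id != session_user_id:
        # One error for both "missing" and "not yours", so the endpoint
        # does not reveal which ids exist.
        raise Forbidden("lead not accessible")
    return lead


def hardened_denies(session_user_id: int, lead_id: str) -> bool:
    # True when the hardened handler refuses the request.
    try:
        get_lead_hardened(session_user_id, {"lead_id": lead_id})
    except Forbidden:
        return True
    return False
```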
1. Natsu No.44538121
123456 was both the username and password; they were hit by CWE-1392 because someone failed to change the default credentials.
replies(1): >>44538307
2. thaumasiotes No.44538307
The writeup never claimed that 123456:123456 were default credentials?