(www.bleepingcomputer.com)

111 points nan60 | 1 comments | 11 Jul 25 21:48 UTC | HN request time: 0.227s | source

Show context

bsuvc ◴[11 Jul 25 22:54 UTC] No.44537604[source]▶

It sounds like there were two separate problems:

The first was that 123456 was the credentials for the admin panel.

The second was an insecure direct object reference, where the lead_id querystring parameter can be changed on an API call to retrieve another applicant's data.

replies(3): >>44537968 #>>44538121 #>>44538299 #

1. thaumasiotes ◴[12 Jul 25 00:48 UTC] No.44538299[source]▶

>>44537604 #

> It sounds like there were two separate problems:

> The first was that 123456 was the credentials for the admin panel.

No. 123456 was the credentials for the test setup, which contained nothing. But you could use the IDOR to access data from the test setup.

If 123456 had been the credentials to the admin panel, there would have been no point in exploiting an IDOR - as an admin, you can just look at whatever you want.

↑

'123456' password exposed chats for 64M McDonald's job applicants