(www.bleepingcomputer.com)

114 points nan60 | 1 comments | 11 Jul 25 21:48 UTC | HN request time: 0.407s | source

Show context

bsuvc ◴[11 Jul 25 22:54 UTC] No.44537604[source]▶

It sounds like there were two separate problems:

The first was that 123456 was the credentials for the admin panel.

The second was an insecure direct object reference, where the lead_id querystring parameter can be changed on an API call to retrieve another applicant's data.

replies(3): >>44537968 #>>44538121 #>>44538299 #

hardwaresofton ◴[11 Jul 25 23:48 UTC] No.44537968[source]▶

>>44537604 #

A third problem that senior engineers might recognize: using numeric IDs on an outward facing object. UUIDs would have made this impossible as well

replies(3): >>44538043 #>>44538169 #>>44538538 #

bsuvc ◴[12 Jul 25 00:00 UTC] No.44538043[source]▶

>>44537968 #

Not impossible, just more difficult to guess.

"Security through obscurity" isn't really good enough.

replies(2): >>44538058 #>>44538529 #

tyre ◴[12 Jul 25 00:03 UTC] No.44538058[source]▶

>>44538043 #

Yes and…

UUIDs aren’t “just more difficult to guess.” They are inconceivably harder to guess.

> Put another way, one would need to generate 1 billion v4 UUIDs per second for 85 years to have a 50% chance of a single collision.

replies(2): >>44538303 #>>44538313 #

1. 0cf8612b2e1e ◴[12 Jul 25 00:48 UTC] No.44538303[source]▶

>>44538058 #

The security is that your server will crash from overload long before someone can guess the ids.

↑

'123456' password exposed chats for 64M McDonald's job applicants