
110 points nan60 | 1 comments
bsuvc No.44537604
It sounds like there were two separate problems:

The first was that the credentials for the admin panel were 123456.

The second was an insecure direct object reference, where the lead_id querystring parameter can be changed on an API call to retrieve another applicant's data.

replies(3): >>44537968 #>>44538121 #>>44538299 #
hardwaresofton No.44537968
A third problem that senior engineers might recognize: using numeric IDs on an outward-facing object. UUIDs would have made this impossible as well.
replies(3): >>44538043 #>>44538169 #>>44538538 #
bsuvc No.44538043
Not impossible, just more difficult to guess.

"Security through obscurity" isn't really good enough.

replies(2): >>44538058 #>>44538529 #
hardwaresofton No.44538529
Yes, you are technically right -- I should have said "functionally impossible". It's not actually impossible, but close enough for the average random onlooker.
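An added example, not code from the thread or from the site it discusses: the insecure direct object reference on a `lead_id` parameter beside the ownership check that actually closes it, plus a random-id generator to show that UUIDs only reduce guessability. The lead store, user names and records are constructed sample data.

```python
"""Added example: IDOR on a lead_id parameter next to the authorization
check that fixes it. All data below is constructed sample data."""
import uuid
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Lead:
    lead_id: str
    owner: str   # account that submitted the application
    email: str


# Constructed sample data: sequential ids, as described in the thread.
LEADS: Dict[str, Lead] = {
    "1001": Lead("1001", "alice", "alice@example.test"),
    "1002": Lead("1002", "bob", "bob@example.test"),
}


def get_lead_vulnerable(lead_id: str) -> Optional[Lead]:
    """Vulnerable: trusts the querystring value, so any caller can walk
    1001, 1002, ... and read other applicants' records (the IDOR)."""
    return LEADS.get(lead_id)


def get_lead(requester: str, lead_id: str) -> Optional[Lead]:
    """Hardened: the id only locates the record; the owner check decides
    whether this caller may see it. Returning None for both 'not found'
    and 'not yours' avoids confirming which other ids exist."""
    lead = LEADS.get(lead_id)
    if lead is None or lead.owner != requester:
        return None
    return lead


def new_lead_id() -> str:
    """Random ids stop enumeration by guessing, but an id that leaks
    (logs, referer header, a shared link) still needs the owner check."""
    return str(uuid.uuid4())
```

The hardened handler is the fix regardless of id format; the UUID only raises the cost of guessing.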