did I ever mention that project I worked on where I discovered we had a dedicated public API which returned the root password for one of our production servers
Show this thread
-
you could just visit the URL in your browser, no need to log in it was the least secure thing I had ever seen and earlier that release I had discovered that our private key was "cheese"
Show this thread
exports.authCloud = function(req, res) { var json = '{ "cloudEnv": "'+_cfg.CI_Env+'", "user": "'+_cfg.CI_user+'", "pass": "'+_cfg.CI_pass+'" }'; res.send(json); }
-
-
note how the output JSON has better whitespacing than the source code
Show this thread -
The way this API was implemented, you could pass a URL in and one of our backend servers would make a GET request to that URL from inside our firewall
Show this thread -
Normally the URL was generated by the web server, passed to the web UI, and then silently passed back when the user clicked a certain button in the web UI. But a user could have manufactured a request using any other URL there. Any IP address or port, whatever
Show this thread -
Of course, having inspected their traffic to find this out, the user already knew the IP address of at least one of our internal servers
Show this thread -
None of this amounted to anything in the end because the product, as you might expect from having been built by the same fine engineers who made these security decisions, flat-out didn't work, and therefore had no users
Show this thread
End of conversation
New conversation -
-
-
That's so insecure! They aren't using proper JSON serialization!
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.