50

Long story short, I'm unofficially the hacker at our office... Story time!

So I was hired three months ago to work for my current company, and after the three weeks of training I got assigned a project with an architect (who only works on the project very occasionally). I was tasked with revamping and implementing new features for an existing API; some of the code dated back to 2013. (Important, keep this in mind.)

So at one point I was testing the existing endpoints, because part of the project was automating tests using Postman, and I saw something sketchy. So very sketchy. The method I was looking at took a POJO as an argument, extracted the ID of the user from it, looked the user up, and then updated the info of the looked-up user with the POJO. So I tried sending a JSON with the info of my user, but the ID of another user. And voila, I overwrote his data.

Once I reported this (which took a while to be taken seriously because I was so new) I found out that this might be useful for sysadmins to have, so it wasn't completely horrible. However, the endpoint required no auth to use. An anonymous curl request could overwrite any user's data.

As this mess unfolded and we notified the higher-ups, another architect jumped in to fix the mess and we found that you could also fetch the data of any user by knowing his ID, and overwrite his credit/debit cards. And well, the IDs of the users were alphanumerical strings, which I thought would make it harder to abuse, but then realized all the IDs were sequentially generated... Again, these endpoints required no authentication.

So anyways. Panic ensued, systems people at HQ had to work that weekend, two hot fixes had to be delivered, and now they think I'm a hacker... I did go on to discover some other vulnerabilities, but nothing major.

It still amuses me they think I'm a hacker 😂😂 when I know about as much about hacking as the next guy at the office, but anyways, makes for a good story and I laugh every time I hear them call me a hacker. The whole thing was pretty amusing, they supposedly have security audits and QA, but for five years, these massive security holes went undetected... And our client is a massive company in my country... So, let's hope no one found it before I did.
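
The update pattern described in the post, next to a checked version, as an added example that is not part of the original post or the company's code. The class, record and method names, the `isAdmin` flag (standing in for the sysadmin use the post mentions) and the sample IDs are all hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

public class UserUpdateExample {
    // Hypothetical stand-ins (Java 16+ records): the request POJO and the
    // identity established by the authentication layer, not by the body.
    record UserDto(String id, String email) {}
    record Caller(String userId, boolean isAdmin) {}

    static final Map<String, UserDto> USERS = new HashMap<>();

    // Pattern from the post: the ID inside the body picks the record to
    // overwrite, and nothing checks who sent the request.
    static boolean updateUnchecked(UserDto body) {
        return USERS.replace(body.id(), body) != null;
    }

    // Hardened form: anonymous callers are rejected, and the body's ID is
    // honoured only when it is the caller's own ID or the caller is an admin.
    static boolean updateChecked(Caller caller, UserDto body) {
        if (caller == null) return false;                          // would be HTTP 401
        boolean ownRecord = caller.userId().equals(body.id());
        if (!ownRecord && !caller.isAdmin()) return false;         // would be HTTP 403
        return USERS.replace(body.id(), body) != null;             // false: no such user
    }

    public static void main(String[] args) {
        // Constructed sample data; the IDs are made up.
        USERS.put("U0001", new UserDto("U0001", "first@example.test"));
        USERS.put("U0002", new UserDto("U0002", "second@example.test"));
        UserDto mismatched = new UserDto("U0002", "first@example.test");

        Caller user1 = new Caller("U0001", false);
        Caller admin = new Caller("ADMIN1", true);
        System.out.println("anonymous:  " + updateChecked(null, mismatched));
        System.out.println("other user: " + updateChecked(user1, mismatched));
        System.out.println("own record: " + updateChecked(user1, new UserDto("U0001", "new@example.test")));
        System.out.println("admin:      " + updateChecked(admin, mismatched));
        System.out.println("unchecked:  " + updateUnchecked(new UserDto("U0001", "x@example.test")));
    }
}
```

The check does not depend on IDs being hard to guess, so it holds even when they are generated sequentially as in the post.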

Comments
  • 9
    You deserve a bonus for that
  • 16
    You ARE a hacker, positively, because

    1) you noticed that shit was dubious where even the original coders hadn't noticed anything.

    2) you investigated what undesired activities were possible, and what the consequences were.
  • 3
    @electrineer Hopefully my boss agrees at our annual review!
  • 2
    @Fast-Nop I guess technically, but I wouldn't call myself a proper hacker. I think of it more like bug fixing, a system was misbehaving, I inspected it, and it was fixed.

    Funny side note, the dude who developed that code is now apparently giving talks and stuff, and some people at the office think of him highly. But the more we poke around, the less impressed we are... Which goes to show, even great developers can fuck it up well
  • 2
    @nanoandrew4

    Soft skills are important for respect. :)
  • 4
    Well done, Hackerman.