My websites contact form got a submission from some "manjeet" offering me his freelancing services, together with previous projects, where he apparently delivered and... has a login backdoor that he advertises to others to check out?.. with credentials etc.

Also got flagged with "It contains a suspicious link that was used to steal people's personal information. Avoid clicking links or replying with personal information."

What the fu..... hell !!

"If you want to install a backdoor into your site/app, hire me!"

You would hope that those are at least demo accounts with limited rights, though that would still somewhere between bad and terrible, they would belong in a completely separated demo instance. But somehow I got a feeling this is not even the case here..

@saucyatom he clearly just made those accounts before handing it over, just that those clients don't know those accounts exist I assume and I hope those don't have any access to actual courses to mess with. (e. g. it can be a "teacher" account but only assigned to a fake course)

@JoshBent Just having those accounts may actually be alright for maintenance (e.g. reproduction of reported bugs) if the customer knows about it. But sharing those to anyone is not just a problem, it could be considered a crime. And now, if you were to use those to mess with the system, he should be liable for any losses, as well as be prosecuted for granting someone unauthorized access to the system. In Germany you could go to jail for that.