Something I probably shouldn't talk about:

One of the projects at work has a specific path you can visit. The """security""" is that nobody should know the path. But I can guaran-fucking-tee you it's not difficult to guess.

On this page, ***without a login***, you can view some user information. Well, you can view all of it, but only certain fields.

And if you perform a specific action on this page, you can get their password, plaintext.

This project is not mine. But learning all of this made me super uneasy. I had to share it.

  • 19
    When will they learn "security through obfuscation" never works?
  • 22
    Accidentally leak it to an auditing company.
    Mishandling user data is never acceptable.
  • 13
    @Root I tried to find something like a sitemap or a way to realistically find that path because they won't change a damn thing otherwise... But no luck.

    My fear is that if I bring it up to the director they'll just make it a less obvious path.

    I really hate that we encrypt passwords here instead of hashing them. It's filthy that we can see them if we want.
  • 4
    @AlgoRythm that's disgusting :-(
  • 5
    @AlgoRythm my first reaction was if you can get the password something is wrong. Although password reuse should be abolished. Your company plays a big part in why.
  • 1
    Which site is that?
  • 3
    He isn't supposed to talk about it.
  • 2
    @AlgoRythm I don't think you need any special way of discovering the page. Brute-force guessing exists and will discover it. But if it helps, you can check the robots.txt, if it exists.
  • 3
    My plan is to get a career in cybersec. I'm genuinely afraid that I'm gonna either start to cry or burst out laughing if something like that ever happens.
  • 0
    lnk plz ;)
  • 2
    @Ranchu to quote @Frodoswaggins:
    Fires burn in the distance, and Charlie is everywhere.
  • 4
    I had something similar when I worked for a bank. Thankfully the application was internal, but my boss's way of preventing users from seeing information that they shouldn't was to hide the menu button.
    He was better at office politics than me though, which is why he earned twice what I did!
  • 0
    @AlgoRythm did you give DirBuster a shot with the most common word lists?
  • 1
    @IwiS I'm not gonna be running any scripts or anything against my work
  • 2
    Even if it's hard to guess, it still has issues:
    a) listen to the connection request if it's a public network

    b) any employee let go has permanent access to it if he has the info

    c) if that's the FE/BE security, the server security won't be any better, which means a DB leak is likely, and with encrypted passes, it will leak *everything* once someone finds the key; no amount of strong password will help any of the users

    This is unacceptable by any standard
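Two comments above make the same technical point from different sides: passwords stored with reversible encryption can be read by anyone with the key (and by any employee who wants to look), while a salted password hash gives an attacker who steals the table nothing to reverse. The example below is added here to show the hashed alternative concretely; it is not code from the project being discussed or from anyone in the thread. It uses only the Python standard library (`hashlib.scrypt`, `hmac.compare_digest`); the record format `scrypt$N$r$p$salt$digest` and the cost parameters are assumptions for illustration, and the user table is constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost parameters for scrypt (memory use is 128 * N * r bytes, ~16 MiB here).
# Raise them over time; needs_rehash() below flags records made with weaker settings.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32          # derived key length in bytes
SALT_LEN = 16       # per-user random salt length in bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$digest_hex.

    The record contains no key, so nothing in a leaked table reverses it.
    The salt is random per user, so equal passwords produce different records.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the parameters embedded in the record and
    compare in constant time. Malformed or foreign records never verify."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        digest = hashlib.scrypt(
            candidate.encode("utf-8"),
            salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except ValueError:
        return False
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with weaker-than-current parameters.
    Call this after a successful login and re-hash the password then."""
    try:
        algo, n, r, p, _salt, _digest = stored.split("$")
    except ValueError:
        return True
    return algo != "scrypt" or (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def authenticate(table: dict, username: str, candidate: str) -> bool:
    """Look a user up in a constructed table and verify the candidate password.
    Unknown users fail without revealing that the account does not exist."""
    record = table.get(username)
    if record is None:
        return False
    return verify_password(record, candidate)


if __name__ == "__main__":
    # Constructed sample table: two users who happen to share a password.
    users = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),
    }
    assert users["alice"] != users["bob"]   # per-user salt: same password, different record
    assert authenticate(users, "alice", "correct horse battery staple")
    assert not authenticate(users, "alice", "wrong password")
    assert not authenticate(users, "carol", "anything")
    print("all stored records:", *users.values(), sep="\n")
```

Nothing in the stored records can be turned back into a password, so a leaked table only lets an attacker guess, and scrypt's memory cost makes each guess expensive. Migrating an existing encrypted store is done the same way a parameter upgrade is done: decrypt once at login (or on a one-off pass), write the hashed record, and then delete the key.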