Found that out that one of our company's internal API (I hope it's only internal) is exposing some personal data. After finally getting the right people involved they said they'd fix it 'immediately'.

5 days later I check and now there is more personal data exposed...which includes personal security questions and the hashed answers to said questions.

And of course they are using a secure hashing mechanism...right? Wrong. md5, no salt

Sigh...

This shit is so common, I won't name the company I know that all services are unprotected because they think all requests will be coming only from their API Gateway and think that if the users don't know their API ports and endpoints, then a leak ain't gonna happen 🧐🤐

@realngnx
Typical "the network is secure" thinking.
It will change fast after the first ransomware attack owning the complete company just because someone in sales opened a fake invoice...

@Oktokolo it's worse than that, I'm talking about a SaaS provider well known in its market niche and the unprotected services only require you to know the exact HTTP headers to let you in (not that hard to guess), so security by obscurity is a core principle for them. Also users can see each others data if they know the exact ID of any task (date + 5! possible combination of alphanumeric characters) and so on... 🤧😵

I've found something like this throughout one of our main apps before, shortly before leaving for the airport (already booked, not a ragequit). Should really have been a "take down production, this could kill the organisation if it gets out" issue.

Felt like the guy in a movie who blows up a building and walks away looking cool, putting his sunglasses on with flames in the background.

(We did have outsourcers with a clue at that point. The issue was left by previous outsourcers with less of a clue.)

Which API adress they use?

…….

Asking for a friend 😂