domfoo4591yI'm curious about the process here. How can something like this happen if not because of sabotage. Even I know that these are huge malpractices and I've never worked in IT before. Do people just not care or...
realngnx1291yThis shit is so common. I won't name the company, but I know that all its services are unprotected because they think all requests will be coming only from their API Gateway, and think that if the users don't know their API ports and endpoints, then a leak ain't gonna happen 🧐🤐
realngnx1291y@Oktokolo it's worse than that, I'm talking about a SaaS provider well known in its market niche, and the unprotected services only require you to know the exact HTTP headers to let you in (not that hard to guess), so security by obscurity is a core principle for them. Also users can see each other's data if they know the exact ID of any task (date + 5! possible combinations of alphanumeric characters) and so on... 🤧😵
I've found something like this throughout one of our main apps before, shortly before leaving for the airport (already booked, not a ragequit). Should really have been a "take down production, this could kill the organisation if it gets out" issue.
Felt like the guy in a movie who blows up a building and walks away looking cool, putting his sunglasses on with flames in the background.
(We did have outsourcers with a clue at that point. The issue was left by previous outsourcers with less of a clue.)
rados50356dWhich API address do they use?
Asking for a friend 😂