Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Long story short, I'm unofficially the hacker at our office... Story time!
So I was hired three months ago to work for my current company, and after the three weeks of training I got assigned a project with an architect (who only works on the project very occasionally). I was tasked with revamping and implementing new features for an existing API, some of the code dated back to 2013. (important, keep this in mind)
So at one point I was testing the existing endpoints, because part of the project was automating tests using postman, and I saw something sketchy. So very sketchy. The method I was looking at took a POJO as an argument, extracted the ID of the user from it, looked the user up, and then updated the info of the looked up user with the POJO. So I tried sending a JSON with the info of my user, but the ID of another user. And voila, I overwrote his data.
Once I reported this (which took a while to be taken seriously because I was so new) I found out that this might be useful for sysadmins to have, so it wasn't completely horrible. However, the endpoint required no Auth to use. An anonymous curl request could overwrite any users data.
As this mess unfolded and we notified the higher ups, another architect jumped in to fix the mess and we found that you could also fetch the data of any user by knowing his ID, and overwrite his credit/debit cards. And well, the ID of the users were alphanumerical strings, which I thought would make it harder to abuse, but then realized all the IDs were sequentially generated... Again, these endpoints required no authentication.
So anyways. Panic ensued, systems people at HQ had to work that weekend, two hot fixes had to be delivered, and now they think I'm a hacker... I did go on to discover some other vulnerabilities, but nothing major.
It still amsues me they think I'm a hacker 😂😂 when I know about as much about hacking as the next guy at the office, but anyways, makes for a good story and I laugh every time I hear them call me a hacker. The whole thing was pretty amusing, they supposedly have security audits and QA, but for five years, these massive security holes went undetected... And our client is a massive company in my country... So, let's hope no one found it before I did.6 -
If you don't know, there are 2 types of bug fixes:
Hot Fix - Patch files directly on the production
Quick Fix - Deploy fix on production and then test it4 -
What’s your take on engineering managers just focusing on delivering the product. Making sure the management happy.
TL;DR.
To begin, i want to clear it out that my EM is a really sweet person and tries to accommodate all of us and takes pressure off us whenever possible.
But he’s a really shitty manager. He’s the kinda guy whom you can give a weekend project and he’ll an excellent job. On the other hand, if the taks requires more than a weekend, he’ll probably fuck it up.
He thinks everything can be done in a jiffy and we don’t need to think about the edge cases.
His reasoning for not giving quality importance is that he wants us to focus on building the product and making it shippable. We can iron out issues once we get it done.
He’s decided not to let the tests run in the cicd pipeline because that might hinder making hot fixes.
I’ve tried talking to him but he believes that’s the only way management is willing to agree to.2
Top Tags
Weekly Rant
View