Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Root825404yAccidentally leak it to an auditing company.
Mishandling user data is never acceptable. -
@Root I tried to find something like a sitemap or a way to realistically find that path because they won't change a damn thing otherwise... But no luck.
My fear is that if I bring it up to the director they'll just make it a less obvious path.
I really hate that we encrypt password here instead of hash them. It's filthy that we can see them if we want. -
hjk10157314y@AlgoRythm my first reaction was if you can get the password something is wrong. Although password reuse should be abolished. Your company plays a big part in why.
-
korrat6344y@AlgoRythm I don't think you need any special way of discovering the page. Bruteforce guessing exists and will discover it. But if it helps, you can check the robots.txt, if it exists.
-
My plan is for getting a career in cybersec, I'm genuinely afraid that I'm gonna either start to cry or burst out laughing if something like that ever happens.
-
Root825404y@Ranchu to quote @Frodoswaggins:
Fires burn in the distance, and Charlie is everywhere. -
Hazarth94764yEven if its hard to guess, still has issues:
a) listen to the connection request if its a public network
b) any employee let go has permanent access to it if he has the info
c) if that's the FE/BE security, the server security wont be any better, which means DB leak is likely, and with encrypted passes, it will leak *everything* once someone finds the key, no amount of strong password will help any of the users
This is unacceptable by any standard
Something I probably shouldn't talk about:
One of the projects at work has a specific path you can visit. The """security""" is that nobody should know the path. But I can guaran-fucking-tee you it's not difficult to guess.
On this page, ***without a login***, you can view some user information. Well, you can view all of it, but only certain fields.
And if you perform a specific action on this page, you can get their password, plaintext.
This project is not mine. But learning all of this made me super uneasy. I had to share it.
rant
what even is security