Ever hear one of those stories where as it unravels, you lean in ever closer and mutter “No way! No way! NO WAY!” This one, as far as infosec stories go, had me leaning and muttering like never before. Here goes: Last week, someone reached out to me with what

  • Chozo@kbin.social
    link
    fedilink
    arrow-up
    8
    ·
    9 months ago

    This is a really awesome article that explains the technical aspects in a way that makes sense to non-coders, without having to over simplify. I feel like this sort of writing should be much more appreciated. Also, the graphic at the top has no business being that good, this whole piece is a banger.

    • elvith@feddit.de
      link
      fedilink
      English
      arrow-up
      5
      ·
      9 months ago

      They basically did. I bet they just used an ORM in the backed and then pointed the API endpoint to the user entity without filtering the fields. This results in a dump of the user table (although row by row indexed by users instead of a full dump)

      • snooggums@kbin.social
        link
        fedilink
        arrow-up
        2
        ·
        9 months ago

        Ahhhh, I was.wondering why they would take the time to set up an API with that data and forgot that almost everything has a way to just dump things into it without needing to be set. I forget because where I work we actively avoid that approach because of risks like this.

  • shortwavesurfer
    link
    fedilink
    English
    arrow-up
    1
    ·
    9 months ago

    Oh dear, I had heard of this hack before, but I had not seen it laid out like this. Oh dear god, that’s bad.