We have an admin account set up on our websites for live testing. Logging in as an admin gives you a control panel at the bottom of the screen where you can enter a user's ID to see their email address, real name and DOB, as well as send a DELETE request for their profile.
So, I wanted to log in as an admin to test something: I entered the password wrong, and I knew I had entered it wrong, but muscle memory made me hit the enter button before I could think. To my surprise, it logged me in. Tested it again; again I logged in. Tested it just by putting "admin" in the username box and pressing enter; again, it let me in.
I pulled our back-end server from Heroku (an offline version was nowhere to be found on our local computers) and found pic related in our jsonwebtoken middleware file. Our routes have an if statement that detects req.body.username = admin and just sends back unprotected versions of our admin GET/DELETE routes with no further verification whatsoever.
The name that I blurred out of the pic isn't even my name, but the name of the pajeet who got fired just before me. So our servers have been unprotected for 2+ years with no one noticing.
Reach out to IT and see if they have a security/incident response team; try to meet in person. Have a clear explanation of what the danger is, and be willing to escalate if they're lazy.
Easton Clark
>posting this in Jow Forums of all places
You know what to do, fuccboi.
I refuse to believe anyone could be this incompetent. If you can write an if statement to check username = admin, you can write another that checks the password in less time than it takes to type out that comment. I mean, even if you're too retarded to use a hash function, a plaintext password will do; just copy/paste the existing line. The fact that this person knew this was happening and did nothing, or didn't even let anyone know, is... mind-boggling. There are a hundred different things they could've done to resolve this.
Carter Jackson
Tell us the websites or you're a faggot
Jaxson Evans
I hope it's this
Dylan Morgan
>I refuse to believe anyone could be this incompetent.
> t. I've never worked with a developer
I had to install FileZilla for one of the guys on my team because he's incapable of doing it himself, and apparently he's also incapable of using git or any other method of getting files onto a server.
Aaron Diaz
>using multiple single-line comments as opposed to one multi-line comment
I see why he got fired.
Isaiah Thompson
desu my editor automatically does that
Cooper Taylor
how did he get hired?
Parker Torres
wew, you are dumb. His x-ray skills are so advanced it can't even see HTML.