Is this a red flag? lol

We have an admin account set up on our websites for live testing. Logging in as an admin gives you a control panel at the bottom of the screen where you can enter a user's ID to know their email address, real name, DOB, as well as a DELETE request for their profile.

So, I wanted to log in as an admin to test something: I entered the password wrong and I knew I entered it wrong, but muscle memory made me hit the enter button before I could think. To my surprise, it logged me in. Tested it again; again I logged in. Tested it just by putting "admin" in the username box and pressing enter; again, it let me in.

I pull our back-end server from Heroku (offline version nowhere to be found on our local computers) and find pic related in our jsonwebtoken middleware file. Our routes have an if statement that detects req.body.username = admin and just sends back unprotected versions of our admin GET/DELETE routes with no further verification whatsoever.

The name that I blurred out from the pic isn't even my name, but the name of the pajeet who just got fired before me. So our servers have been unprotected for 2+ years with no one noticing.

Attached: Capture.png (1425x726, 52K)

run

Reach out to IT and see if they have a security/incident response team; try to meet in person
Have a clear explanation of what the danger is & be willing to escalate if they're lazy

>posting this in Jow Forums of all places
You know what to do fuccboi

Attached: 1525716791467.gif (720x846, 877K)

fucker probably got assmad because he was being replaced and fucked everything up on his way out

link the website

if my x-raying skills are still good, I think the URL is:
authorization.js

that's a javascript file dumbass

Keep it quiet desu. Nothing good ever comes from trying to fix security issues.

Attached: zend.jpg (807x349, 67K)

Oh boy... This is a joke right?

I refuse to believe anyone could be this incompetent. If you can write an if statement to check username = admin, you can write another that checks the password in less time than it takes to type out that comment. I mean, even if you're too retarded to use a hash function, a plaintext password will do; just copy/paste the existing line. The fact that this person knew this was happening and did nothing or even let anyone know is... mind-boggling. There are a hundred different things they could've done to resolve this.

Tell us the websites or you're a faggot

I hope it's this

>I refuse to believe anyone could be this incompetent.

> t. I've never worked with a developer

I had to install FileZilla for one of the guys on my team because he's incapable of doing it himself, and apparently he's also incapable of using git or any other method of getting files on a server.

>using multiple single-line comments as opposed to one multi-line comment
I see why he got fired.

desu my editor automatically does that

how did he get hired?

wew you are dumb
his x-ray skills are so advanced they can't even see HTML

/*
* OP is a
* fag
*/

anything else and you might as well give up

>x-raying skills
troll

Sounds more like he did it intentionally

autist