AsiaCel
shalom goyim
So I worked at the company maintaining multiple apps, and now add another.
The management was pushing us and forcing us to use AI to deliver code fast; the management uses AI to threaten the devs to make them 'innovate'... boring shit like security right can be ignored yes? Devs are expected to be creative and flexible, design how the program works, leaving the boring stuff to AI.
I hardcoded the admin accounts into the code, without debug mode limitations for months!
That means users could access the admin account (thankfully the password is censored but that won't help if you get the memory)!
The account was auto filled too, so it means you can just click login and enter the app as admin.
I didn't know about these vulnerabilities much when I was just returning to Android apps, plus the complexity of making it into an app bundle and annoying API shit (fuck you google maps for forcing me to use fingerprints)
It was when I finally checked the login function that I made it so the code is never added on production builds... I hope.
It's a small app, but it doesn't justify poor security.
Even more fun facts:
Many apps in the company straight up expose username/password with the POST APIs, solely relying on HTTPS to encrypt the data without even basic symmetrical encryption while using query params (putting username and password in URL)
Hey, at least my APIs have AES256 symmetrical encryption.
Many GET APIs are exposed (if you know the name, like GetListUsers; not the exact name) without credential check (meaning a low tier guest user can get the full list of users; in some old APIs you could even get the salt placed near the password)
My APIs used to have strict account and privilege checks, but I stopped caring because the new account DTO models do not expose passwords, basically following everyone else.
EF Core is also secure enough that you can't get items without the same tenant id as yours anyway.
But the most vulnerable APIs are not mine, so who cares?
I have warned others before, they just said: "eh won't happen". Now I agree with them — I'm one of them now.
They don't pay me enough to audit everyone's code and fix them.
I work, counting transportation, from 7:30am to 7:30pm. The density and mindfuckery of work really stresses you out (I'm always put to work on the flashy shit)
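As an added illustration (not the poster's code), one way to make a debug-only admin auto-fill impossible to ship: keep the dev credentials in the `debug` source set and a credential-free stub of the same class in `release`, so the release build contains neither the values nor the auto-fill branch. The package, file paths and the `DevLogin` class are assumptions; the credential values are constructed placeholders.

```kotlin
// File: src/debug/java/com/example/app/DevLogin.kt (assumed path)
// Compiled into debug builds only; release builds never see this file.
package com.example.app

object DevLogin {
    // Constructed local-testing values; not a real account.
    const val ENABLED = true
    const val USERNAME = "dev-admin"
    const val PASSWORD = "local-only-placeholder"
}

// File: src/release/java/com/example/app/DevLogin.kt (assumed path)
// Same class name, no credentials, so shared code compiles in both variants.
package com.example.app

object DevLogin {
    const val ENABLED = false
    const val USERNAME = ""
    const val PASSWORD = ""
}

// File: src/main/java/com/example/app/LoginForm.kt (assumed path)
// Shared code: it holds no credential and does not branch on BuildConfig.DEBUG,
// so there is nothing for a release build to leak even if the flag check were wrong.
package com.example.app

import android.widget.EditText

fun prefillLoginForm(userField: EditText, passField: EditText) {
    if (DevLogin.ENABLED) {
        userField.setText(DevLogin.USERNAME)
        passField.setText(DevLogin.PASSWORD)
    }
    // No automatic login: the user still has to press the button.
}
```

A release build can be checked by confirming that the constructed `dev-admin` string does not appear anywhere in its `classes.dex`.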