
JFL The hilarious security failures at my company

AsiaCel

As a developer, you know what is vulnerable and what isn't, and my company is hilariously vulnerable.

We are a very small team.

For OPSEC reasons, the details are replaced with fictional but similar details to the real details.

1. We use a universal superadmin account across all apps.

The account is used across all apps, and the password is hilariously easy, too.

The superadmin account is called Company2. Its password is Company2-123.

2. Company rebranding = password rebranding

One of the epic fails. When the company rebranded from company1 to company2, we rebranded the account, which is not a big issue in itself, but we also rebranded the password from Company1-123 to Company2-123. I think the boss really hates the old name.

3. There are two sets of admin passwords

Company2-123 and Company2-456+

Not joking. One is for database, and another one is for account.

4. The configs are exposed on the git

On almost every project you find on the Git, you can check the app settings.json, and you can see all sorts of API keys, IPs, and even the database connection string. Unsurprisingly, most of the apps have the same database password: Company2-123.

Not only that, but AWS and other service details too.

5. The APIs are barely secured

If you check the APIs, most of the APIs, even the ones that literally send you the user list (full name, email, phone numbers, user certificates, but not passwords), are not secured. As long as you are a user with a session, you can call the API with no permission restrictions.

Literally all you have to do is to press F12, Ctrl+R, and guess the endpoint name, like company2.com/getallusers.

6. Everyone in the office knows the passwords

Everyone from support staff to developers knows the passwords.

7. Developers rely on shared emails

Developers rely on a network of shared emails, like [email protected], making it impossible to see who did what.

8. There are no backups

There are no database backups for the servers. If the servers died or got hacked, the best data they have is going to be backups from years ago. The only 'backup' they do is logging and git version control.

9. The admin panel

Interestingly, they were interested in a universal admin app, which I made; the app is secure, but nothing can stop people with a password from getting in. The system is so good that it's actually easy to wreak havoc on a large scale, in multiple apps, but that's not my fault.

10. The iPads have the same passwords

The iPads offered for internal development use have the same passwords and similar usernames. Can you imagine if the management gave guests an iPad to play with?
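Point 4 above describes settings.json files with connection strings and service keys committed to git, and the same database password reused across projects. The scanner below is an added example, not the company's code or anything posted in the thread: it walks constructed settings.json documents (the only value taken from the post is the fictional password Company2-123; file names, IPs and placeholders are made up), flags leaves that look like credentials, and reports which secrets are shared between repositories.

```python
import json, re
from collections import defaultdict

# Constructed settings.json contents for two hypothetical repos; only the fictional
# password Company2-123 comes from the thread, everything else is made up.
REPOS = {
    "app-alpha/settings.json": json.dumps({
        "ConnectionStrings": {"Default": "Server=10.0.0.5;Database=alpha;User Id=Company2;Password=Company2-123;"},
        "Aws": {"AccessKeyId": "ACCESS-KEY-PLACEHOLDER", "SecretAccessKey": "placeholder-secret"},
        "Logging": {"Level": "Information"},
    }),
    "app-beta/settings.json": json.dumps({
        "ConnectionStrings": {"Default": "Server=10.0.0.6;Database=beta;User Id=Company2;Password=Company2-123;"},
        "MapsApiKey": "placeholder-maps-key",
    }),
}

# Key names that usually hold credentials, and the Password= field of a connection string.
SENSITIVE_KEY = re.compile(r"(password|passwd|pwd|secret|apikey|api_key|token|accesskey)", re.I)
CONN_PASSWORD = re.compile(r"(?:password|pwd)\s*=\s*([^;]+)", re.I)

def walk(node, path=""):
    """Yield (dotted_path, value) for every leaf in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node

def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (path, secret_value) for leaves that look like credentials."""
    hits = []
    for path, value in walk(json.loads(text)):
        if not isinstance(value, str) or not value:
            continue
        match = CONN_PASSWORD.search(value)
        if match:
            hits.append((path, match.group(1)))
        elif SENSITIVE_KEY.search(path.rsplit(".", 1)[-1]):
            hits.append((path, value))
    return hits

def shared_secrets(repos: dict[str, str]) -> dict[str, list[str]]:
    """Map every secret value that appears in more than one repo to its locations."""
    seen = defaultdict(set)
    for file, text in repos.items():
        for path, secret in find_secrets(text):
            seen[secret].add(f"{file}:{path}")
    return {s: sorted(locs) for s, locs in seen.items() if len(locs) > 1}
```

Run against a real checkout by replacing REPOS with the contents of each project's settings.json; a non-empty result from shared_secrets is the reuse pattern the post describes.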
 
The more I hear about your workplace, the more I wonder why it has not gone under yet. :feelshaha:
 
Because it functions nicely on the surface.

Everything works, the customer support is responsive (devs answer directly to customers), we can speak and understand English, and our devs are screamed at by pissed off customers.

Our portfolio is sophisticated and well featured; they are literally trusted by European govts lmao.

But security is zero, and if anyone actually cared enough to hack, it would be super easy.
 
Edit: The best part is that, for point 5, some APIs actually have permission checking.

But the permission checking is just:

If non superadmin
Users = Users where users are not superadmin.

The super admins don't even have phone numbers or emails set to them.

It's so bad that on some of the apps, you can enter the admin panel using a regular account and edit yourself or other users by simply replacing the website address with company2.com/admin (yes, I tried with a test account with regular rank lmao).

They actually locked down the super admin, so if you're not a super admin, you can't set anyone to superadmin, but you can set yourself to senior admin.
 
Disclaimer: the URL changing thing was done using a testing environment.

That does not change the fact that testing accounts can reach up to 50% of total accounts in production, which is a safety hazard lmao.

I avoid dealing with the production database due to legal reasons, but like I said, developers double as customer support and sometimes have to edit data one by one, because some clowns forgot their password or need to update an email and are too retarded to click some buttons.

I think technically these implementations fail GDPR, but in politics, watching the wind is more important than strict compliance to the letter (most companies fail this). Politicians don't have incentives to cause shit because it will backlash on them too for using bad software; just treat it as a pocket law, everyone technically violates GDPR anyway. They only enforce it when the cost of enforcement is worth it and makes EU govts look good.
 
Brutal 1 reply pill
 
YK what, I was about to take BTech CSE in college, but after reading your posts I changed my mind. I thought I would make loads of money and ascend, become developed; Google AI recommended this course to me jfl. I was gonna pursue it through Amity University Noida.
 
Does your company not go through any security audits, to check for vulnerabilities like the ones you've mentioned?
 
Sell this information to a bunch of Eastern European scammers
 
JFL, don’t even cover the basics of security. Like shit man, you should never have to use super admin except when rolling out major updates.
 
Does your company not go through any security audits, to check for vulnerabilities like the ones you've mentioned?
Not really. Devs do their own testing, and many of the frameworks are old.

The poor architecture design of cramming many differing features into one function also does not help.

It's a small company.
 
JFL, don’t even cover the basics of security. Like shit man, you should never have to use super admin except when rolling out major updates.
What's even funner is that there is a universal account to do everything. It's called Company2 (fake name) and used by anyone from support staff fixing a minor ticket, to developers testing on production.

I think we got DDoSed once too, just fucking lol.
 
What's even sadder and funnier is that lots of these apps are data management tools, used by governments and businesses.

There are about 20 apps and all of them are highly specialized; 12/20 are standard web apps, and some of them are made in wildly different frameworks in different domains and are high risk (I'm the guy who started the specialized apps from the ground up and the only one who knows how to work on them), with multiple servers for most apps to manage: testing and production for multiple regions (each has slightly different reqs).

The core dev team is just a few guys, with support staff of similar size.
 
You say it's vulnerable, but what could someone actually do if they were to hack this company?
 
Lifefuel for scammers
 
The best thing is that the frontend protections in the admin page don't even work.

They attempted to disable the confirm button for anyone below senior admin, but you can literally press it as a regular user without inspecting the page.
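The permission check quoted a few posts up (filter superadmin rows out for non-superadmin callers) and the disabled confirm button described here share one root cause: the decision about who may do what is taken in the client, or not at all. The Python below is an added illustration, not code from the thread or the company: it puts that flawed list filter beside a server-side role gate. Role names follow the post; the rank order, the user records and the function names are assumptions.

```python
from dataclasses import dataclass, replace
ROLE_RANK = {"user": 0, "senior_admin": 1, "superadmin": 2}  # names from the thread; order assumed

@dataclass(frozen=True)
class User:
    name: str
    role: str
    email: str = ""  # superadmins carry no contact data, as the post notes

# Constructed sample directory standing in for the real user table.
USERS = {
    "alice": User("alice", "user", "alice@example.test"),
    "bob": User("bob", "senior_admin", "bob@example.test"),
    "company2": User("company2", "superadmin"),
}

def get_all_users_flawed(caller: User) -> list[User]:
    """The check quoted in the thread: hide superadmin rows, never ask if the caller may list users."""
    if caller.role != "superadmin":
        return [u for u in USERS.values() if u.role != "superadmin"]
    return list(USERS.values())

def requires(min_role: str):
    """Server-side gate; a hidden URL or a disabled button in the page is no substitute for it."""
    def decorate(handler):
        def guarded(caller: User, *args):
            if ROLE_RANK[caller.role] < ROLE_RANK[min_role]:
                raise PermissionError(f"{handler.__name__} requires {min_role}")
            return handler(caller, *args)
        return guarded
    return decorate

@requires("senior_admin")
def get_all_users(caller: User) -> list[User]:
    return list(USERS.values())

@requires("senior_admin")
def set_role(caller: User, target: str, new_role: str) -> User:
    """Only a superadmin may grant a role at or above the caller's own, so nobody self-promotes."""
    if caller.role != "superadmin" and ROLE_RANK[new_role] >= ROLE_RANK[caller.role]:
        raise PermissionError("cannot grant a role at or above your own")
    USERS[target] = replace(USERS[target], role=new_role)
    return USERS[target]

def is_denied(fn, *args) -> bool:
    """True if the call is refused; used to compare the two designs."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

With the flawed handler a plain user still receives every other user's contact details; with the gated handlers the same call is refused, and the regular account cannot grant itself senior admin.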
 
I'm in bro!

The btc is on your paper wallet
 
Update:

This one is kinda my fault.

Did I mention the Google Play apps? Yes, the company apps all have the Company main account credentials hardcoded into the code memory. In the earlier versions on Google Play, the details were automatically entered when you opened the login page, regardless of whether you were on the release or debug version.

On the later version, I added a debug tag, but still embedded into the memory.

I only figured out how to fix one of the apps (which use different versions of frameworks, spanning Kotlin and Java).

The funny thing is that the old versions of these apps (with auto enter) are all archived on the likes of ApkPure and HappyMod, despite single digit downloads.
 
Update 2:

Because the dev servers have lots of real data, when the team tested my emailing function on the server, they actually sent about 500 emails to real people, with fake operational data (duh, it's a test server). They had to phone people about it telling them it's a malfunction lmao.
 
Update 3:

The phone number taped on paper in our office was found to be hijacked by scammers and used to send out scams. It even has the company name! The support staff joked about "at least the boss's name isn't here!"

Of course, dealing with the police, court, and HR stuff is also done by a single customer support guy.

The company is making him edit HTML and JavaScript nowadays kek.

Update 4:

They got the customer support woman to do 3D modeling besides just testing and HR. She also does video editing and art, and possibly more.

Update 5:

Some support staff also maintain the office (ladders, negotiating with the landlord company; closing lights, emptying garbage bins, buying snacks) and support the customers on business trips.

Update 6:

Yes, the dev teams do more than dev work. They set up the servers, maintain them, translate strings, do image editing in GIMP, set up firewalls, set up deployment, do technical writing, etc. Almost everything on the apps other than the video editing or 3D modeling is done by the devs themselves.

Because of the nature of the applications, developers frequently travel and hike to the actual sites (these are hazardous sites) carrying ipads, laptops, and other equipment (full of mosquitoes in the tropical heat, no toilet and drinks/snacks) to debug there or set up stuff.
 
Update 7: One of the government domains actually blocked the internet of the company because it detected "attack" or "ddos" activity, so the devs need a VPN to do maintenance on the server. Not sure if it has anything to do with the shit security. Nothing can be done without the senior dev who set up everything networking related and does the diplomacy related work.

The devs actually laugh at this absurdity and say "we blocked ourselves".
 
Update 8:

It doesn't help that the company's new apps may have better (more modern) architecture and security design (albeit still with the same super admin), but in exchange, adding a single new feature is a nightmare every time.

You can see why security is totally neglected.

- Day night theme (some unused elements have to be added via CSS)
- Every new text is translated into multiple languages (which we speak)
- Day and night modes
- Multiple types of map frameworks, with many tilesets and their quirks (oh god, good luck getting 百度 and 高德地图 maps to work together, let alone with international coordinate data for the international frameworks)
- Did I talk about maps again? They have almost every map in existence on our apps, usually 2-4 map frameworks per app. Every map you can name, they have it in different versions across different platforms (M*pbox, Gmap, 高德地图, Baidu, C*sium JS and 3D, ArcG*is, M*pLibre, A*ple, O*enLayers, T*ncent, NOT ALL etc)
- Privilege mapping, with a few different privilege powers like delete, get, export pdf, export msword, etc
- Accounting for the tenant feature (which no one does, everyone just IgnoreQueryfilters)
- Live and real time notifications
- There are more
 
Update 9:

Not opsec failure, but a massive morale killer. 1/3 HVAC has been broken for months, you are stuck between sweating and not sweating at the same time. It's sleepy and tiring in the humid tropical weather.
 
How do you find motivation to work as a chink?
 
Update 10: I don't find motivation to work, especially when they severely underpay the people there. I used to earn 48k usd a year and now 30k usd a year. The market has gone down the gutter. I first entered the industry in 2022, was laid off in 2023, and got hired again in 2024.

The market has shit itself over and over (90% demand for dev jobs wiped out); my former contractor actually offered me less $$$ after years, for a more senior position!!

I wanted 25k usd just to have a normal smile and not for my upper jawbone to shrink itself after pulling multiple upper teeth.

Guess that's too much to ask for.

(I put update tags as a pseudo diary thing)
 
Update 11:

Colleagues, including myself, spend the days watching videos and playing on their phones. Some colleagues arrive at inconsistent times, like being later or earlier.

Deployment is highly fragmented. The company uses different CI/CD methods like SVN, Git, Azure.

The hosts range from self hosting (server room) to AWS, to Azure, to customer-hosted. I think there are more hosts too.

Thankfully most modern apps have click-deployment, with older apps relying on hand deployment via a slow ass proxy: going inside the server, backing up files, stopping the app and services, then dragging your zip into it, then restarting the app.

They also set up a Jira system which no one uses but the senior because the company says we are "testing" modern shiny things. All of these are performative and pointless, because the orders and debates are given verbally within the office.

The way I debate is to let the colleagues know how stupid a feature and how difficult it is.

Anyway, you can see the obvious signs of AI generated code in the commits: sideways comments (Gemini), emojis, etc., in code comments. Even I use slop code because context switching is too much.

Also noteworthy is the employee list; most of them were only hired in 2024-2025.
 
Update 12:

They brought the shit app to a higher education institution to teach people about flying Dr*nes.

This is more horrifying than the crash-prone unreal VR thing shown in conferences.

I'm genuinely surprised that my Dr*ne D*I SDK V4/5 apps worked (I maintain both), with the only complaint being lagging after 15 minutes. It generates a few new DTOs every second; when the mission is over, it outputs these DTOs to upload an Excel file online.

Lots of features in these apps are forced, listeners on top of listeners. A noteworthy custom return-to-first-waypoint feature literally pauses and wipes the mission, then creates a mission with the first waypoint and a second waypoint on top of it (because the SDK doesn't allow 1-waypoint missions); it is used after the drone is detected staying in a custom geofenced XY (LatLng) for a few secs.

These are the apps I'm genuinely worried about because there was no time to test edge cases.
 
@Animecel2D

Can you please move my thread to the bunker? Just in case.
 
geniuscel mogging only high iq works in cybersec
 
@Animecel2D bro can you put this on bunker
 
