15 comments

[ 2.9 ms ] story [ 33.8 ms ] thread
Incredible! That’s the combination to my matched luggage!
It sounds like there were two separate problems:

The first was that 123456 was the credentials for the admin panel.

The second was an insecure direct object reference, where the lead_id querystring parameter can be changed on an API call to retrieve another applicant's data.

Wait, 64 million applicants, not applications? That's like 20% of the US population!
Please stop giving OpenAI ideas on where to find and download more data!

$ Downloading 64M transcripts...

It's funny how mcdonalds did everything in their power to make it almost impossible to run their mcdonalds app on a rooted phone, but their backend infrastructure is beyond broken (security wise)
Wait, sixty-four MILLION people actually wanted to work there?

Are they counting everybody since 1954?

That’s the default pin for iPhones too.
This is what happens when "Minimum Viable Product" meets modern threat environments.

'Move fast and break things' indeed.

Stupid question, if we really tried brute forcing websites with less than 100k monthly traffic, how many such cases would be actually run into?
There was also https://www.techspot.com/news/108619-mcdonalds.html

> Moreover, when Carroll attempted to alert Paradox to the breach, he was unable to find a security disclosure contact. The company's security page mostly consists of a simple assurance that users shouldn't need to worry about security. Eventually, after the researchers emailed "random people," Paradox and McDonald's confirmed that they resolved the issue in early July.

Shouldn't need to worry indeed. McDonald's evidently doesn't either.

Can someone tell them to put "Set a password a five-year-old child can't guess" onto their deployment checklist?