Comment by ryandrake

8 days ago

I've been so lucky throughout my career to have almost entirely worked with competent and smart developers. I've always wondered what a conversation with one of these other ones is like, after a production site is found to use 123456/123456 as credentials. "Hey, Mike, we just had someone in the public notice that our admin interface could be accessed by anyone with default credentials. You're the manager on this project. How did this happen?" I would love to be a fly on the wall for that conversation, or read the postmortem. How does this kind of configuration even make it past code review, let alone staging and production?

"We outsourced it to the 3rd world cuz it costs 20 bucks a week to hire a "certified" sysadmin there"

You want data of any large corp in the US - fly to well known outsourcing destinations. Stand outside the gate of their "global delivery centers". Hand out cash. Get access to whatever you want.

But the main thing to understand here in 2025 is that getting access to/monetizing user data has become so normalized, that you could legally just go to McD Biz Dev (or whichever other large corp) and say - hey guys I have this algo that can add 2 bucks of revenue per user per quarter (throw in a - just look at Meta they extract 70 bucks out of their American users and at least 12 bucks out of everyone else per quarter just using the personal data). To test my algo, I need access to your DB. Your competitor has already given me access to theirs for testing.

What is corporate robot going to do?

They will hand you the data.

It's rarely as simple as actually exposing something as a decision. Scope changes, access rules change, multiple systems interact in interesting ways, access configuration lives in a different place than the app, etc. You're implying that it wouldn't happen with competent developers, but I guarantee it does - just wait a bit longer and let the systems grow. The Swiss cheese will get everyone given enough time.

> How does this kind of configuration even make it past code review

that's the secret - there is none

It's config not code - and a demo interface is a nice thing to have. The cross account read, however...

“Well you see, that work was outsourced to a team where none of the implementing developers are still present, our auditors and pen testers both signed off on it, and anyway we’ve got cyber insurance to cover the fallout.”