Comment by Natsu

6 days ago

123456 was both the username & password; they were hit by CWE-1392 because someone failed to change the default credentials.

The writeup never claimed that 123456:123456 were default credentials?

  • I've read more than just this particular writeup. See also: https://ian.sh/mcdonalds

    > During a cursory security review of a few hours, we identified two serious issues: the McHire administration interface for restaurant owners accepted the default credentials 123456:123456, and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted. Together they allowed us and anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants.