How does another leaky API story help you and your team?

Here’s another leaky API story.

Stories like this always make me think about how teams can build with these security risks in mind.

  1. How does your team use real-life incidents to reflect on their existing Info Sec & Testing processes?
  2. What does your production incident and comms process look like? And how often is it reviewed?

Hopefully more exposure from the likes of Troy Hunt and more will continue to amplify the importance of building with risks in mind.

6 Likes

During my 14 years at Pfizer, I once reviewed an iOS app built for us by a low-cost off-shored development shop. I proxied the app through Fiddler, watched the requests and found an API that was returning every user record in the system and, for each user, their corresponding password in plain text. When I quizzed the developers about this design decision, their response was - and I kid you not, this isn’t made up - “don’t worry, our users don’t use Fiddler” :man_facepalming:
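What the post above describes, modelled as an added example that is not code from the original thread or from the app in question: a user-listing endpoint with no authentication that returns every record with its plaintext password, beside a hardened version (session check, caller-scoped results, allow-listed serialisation, salted PBKDF2 hashes instead of stored passwords), plus the kind of response scan a reviewer would run over traffic captured in Fiddler, Burp or mitmproxy. The user records, session tokens and request objects are constructed here for illustration, and the handlers are framework-free so the file runs offline.

```python
"""Leaky user-listing API beside a hardened version, plus a proxy-side check.

Added example, not code from the original post. User data, sessions and
requests below are constructed for illustration.
"""
import hashlib
import hmac
import json
import os

# Constructed sample data: the user store as the leaky backend kept it.
INSECURE_USERS = [
    {"id": 1, "email": "alice@example.com", "password": "hunter2", "role": "admin"},
    {"id": 2, "email": "bob@example.com", "password": "letmein", "role": "user"},
]


def insecure_list_users(request):
    """The leaky endpoint: no auth check, every record, plaintext password."""
    return 200, json.dumps(INSECURE_USERS)


# --- hardened version -------------------------------------------------------

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; stores 'salt$digest' so nothing reversible is kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


HARDENED_USERS = [
    {"id": 1, "email": "alice@example.com", "password_hash": hash_password("hunter2"), "role": "admin"},
    {"id": 2, "email": "bob@example.com", "password_hash": hash_password("letmein"), "role": "user"},
]

# Constructed session table (bearer token -> user id), what a login would issue.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}

# Allow-list of fields that may ever leave the server; secrets are never on it.
PUBLIC_FIELDS = ("id", "email", "role")


def public_view(user):
    return {k: user[k] for k in PUBLIC_FIELDS}


def hardened_list_users(request):
    """Require a valid session, scope results to the caller, serialise via allow-list."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, json.dumps({"error": "authentication required"})
    caller_id = SESSIONS.get(auth[len("Bearer "):])
    if caller_id is None:
        return 401, json.dumps({"error": "invalid session"})
    caller = next(u for u in HARDENED_USERS if u["id"] == caller_id)
    if caller["role"] == "admin":
        return 200, json.dumps([public_view(u) for u in HARDENED_USERS])
    return 200, json.dumps([public_view(caller)])   # a plain user sees only themself


# --- proxy-side check (what the reviewer did by hand in Fiddler) -------------

SENSITIVE_KEYS = {"password", "password_hash", "secret", "token", "ssn"}


def find_sensitive_keys(body, path=""):
    """Walk a decoded JSON response and return JSON paths of secret-looking fields."""
    hits = []
    if isinstance(body, dict):
        for k, v in body.items():
            if k.lower() in SENSITIVE_KEYS:
                hits.append(f"{path}.{k}")
            hits.extend(find_sensitive_keys(v, f"{path}.{k}"))
    elif isinstance(body, list):
        for i, item in enumerate(body):
            hits.extend(find_sensitive_keys(item, f"{path}[{i}]"))
    return hits


def audit(handler, request):
    """Call a handler as the proxy would see it; return (status, leaked field paths)."""
    status, body = handler(request)
    return status, find_sensitive_keys(json.loads(body))


if __name__ == "__main__":
    anon = {"headers": {}}
    bob = {"headers": {"Authorization": "Bearer tok-bob"}}
    print("insecure, anonymous:", audit(insecure_list_users, anon))
    print("hardened, anonymous:", audit(hardened_list_users, anon))
    print("hardened, bob:      ", audit(hardened_list_users, bob))
```

The allow-list in `public_view` is the part worth copying: a deny-list (`del user["password"]`) fails the day someone adds a `reset_token` column, whereas a serialiser that only knows `id`, `email` and `role` cannot leak a field it has never heard of. The `find_sensitive_keys` walk is cheap to bolt onto any captured-traffic review so the check does not depend on a human noticing the field.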

:skull_and_crossbones: :skull_and_crossbones: :skull_and_crossbones: :skull_and_crossbones:

Do not press F12, you may/will be breaking the law.
I am amazed that they are not required to post breach notices on their signup and login web pages.