83
How Spoutible’s Leaky API Spurted out a Deluge of Personal Data (www.troyhunt.com)
submitted 7 months ago by stopthatgirl7@kbin.social to c/technology@lemmy.world
7 comments fedilink hide all child comments

Ever hear one of those stories where as it unravels, you lean in ever closer and mutter “No way! No way! NO WAY!” This one, as far as infosec stories go, had me leaning and muttering like never before. Here goes: Last week, someone reached out to me with what

top 7 comments
sorted by: hot top controversial new old
[-] Chozo@kbin.social 8 points 7 months ago

This is a really awesome article that explains the technical aspects in a way that makes sense to non-coders, without having to over simplify. I feel like this sort of writing should be much more appreciated. Also, the graphic at the top has no business being that good, this whole piece is a banger.

[-] InEnduringGrowStrong@sh.itjust.works 7 points 7 months ago

That's so over the top bad it's almost ridiculous

[-] Psaldorn@lemmy.world 6 points 7 months ago* (last edited 7 months ago)

They might as well just publish the database credentials in the API too, jeez

[-] elvith@feddit.de 5 points 7 months ago

They basically did. I bet they just used an ORM in the backed and then pointed the API endpoint to the user entity without filtering the fields. This results in a dump of the user table (although row by row indexed by users instead of a full dump)

[-] snooggums@kbin.social 2 points 7 months ago

Ahhhh, I was.wondering why they would take the time to set up an API with that data and forgot that almost everything has a way to just dump things into it without needing to be set. I forget because where I work we actively avoid that approach because of risks like this.

[-] shortwavesurfer@monero.town 2 points 7 months ago

Oh dear, I had heard of this hack before, but I had not seen it laid out like this. Oh dear god, that's bad.

[-] Blackmist@feddit.uk 1 points 7 months ago

Buy code on Fiverr, get code on Fiverr.

this post was submitted on 13 Feb 2024
83 points (98.8% liked)

Technology

58063 readers
3468 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world