This might be the first time I felt disappointed and sad reading an article like this. The commented username and password felt like something from an early 2000s TV show with the tech guy doing “hacking”.

Wonder how many others stumbled upon this prior, and makes me also wonder how many other sites have things like this hidden in plain sight. Insane.

This may look "boring" or "uninspired" but this is what real cybersecurity and "hacking" looks like.

In most cases, security and QA are essentially two sides of the same coin - and this is why I get pissed when devs treat testing and QA as bulls**t, because even a relatively simple XSS attack or cred misconfig can have a massive impact.

This has nothing to do with testing. This is a lack of training.

I would say they need to 'think like an attacker' at least some of the time. But this is still too high of a bar.

I think this is really a problem of rewarding people when they finish things. One way or the other. It works, so on to the next project...

> This has nothing to do with testing.

A good QA can catch/test such security issues although most of such work is given to a dedicated pen tester to find weakness in the platform.
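As an added illustration of the kind of check a QA suite could run for the leftover-credential-in-a-comment problem the thread is discussing (this is example code written for this thread, not from the article or any commenter): scan a page's HTML comments for credential-looking keywords and fail the build if any are found. The sample page source and the keyword list are constructed for the example.

```python
import re

# Constructed sample page source: the sort of forgotten comment the article
# describes. Not taken from any real site.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Login</title></head>
<body>
<!-- TODO remove before launch: admin / Summer2019! -->
<!-- db user: appuser password: hunter2 -->
<!-- layout tweak for IE -->
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
</form>
</body></html>
"""

# HTML comments, including multi-line ones.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Keywords that usually mean a credential was pasted in. The list is an
# assumption for this example; a real QA gate would tune it per codebase.
CRED_RE = re.compile(
    r"\b(pass(word|wd)?|pwd|secret|api[_-]?key|token|user(name)?|admin)\b",
    re.IGNORECASE,
)


def find_credential_comments(html):
    """Return (line_number, comment_text) for every HTML comment that
    mentions a credential-like keyword. Only comments are inspected, so
    normal form fields named 'password' are not flagged."""
    findings = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1).strip()
        if CRED_RE.search(body):
            line = html.count("\n", 0, m.start()) + 1
            findings.append((line, body))
    return findings


def check_page(html):
    """QA gate: True when the page contains no credential-looking comments."""
    return not find_credential_comments(html)


if __name__ == "__main__":
    for line, body in find_credential_comments(SAMPLE_HTML):
        print(f"line {line}: suspicious comment: {body!r}")
    print("PASS" if check_page(SAMPLE_HTML) else "FAIL")
```

Run it against the rendered HTML of each page in a smoke test (or against built templates in CI) and treat any hit as a failing test; the point is that a grep-level check, not a dedicated pen test, is enough to catch this class of mistake before it ships.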

As someone who has been a SWE, PM, and VC in the cybersecurity space and constantly meets with CISOs as well as has formerly been a security practitioner (I should get back to using HackerOne again for fun), I can safely say that the overwhelming majority of security incidents are due to some form of misconfig because development and code review are orthogonal to proactive security checks.

Shift-left was supposed to fix that but it failed because the primary persona to sell ended up becoming the CISO again, and not trying to find a way to make security ownership a Dev and QA responsibility as well (this is largely organizational).