> Some unit test is not behaving well in my local environment
> Weird, I should print the response from the server, maybe the client isn't receiving what I think it's receiving
> see this


  • 3
    Folks don't think cyber security
    And this bugs me
  • 1
    @ChristoPy Folks don't think in general :|
  • 1
    Sike! That's the wrong number!
  • 4
    Let me make sure I have this right. You're saying that the server is responding back to the user with the actual Password in the payload!?
  • 1
    this is what my manager suggested to do instead of oauth because that sounds much more complicated
  • 6

    I would take production down, immediately, and keep it down until that was fixed. And afterwards, I would schedule mandatory security training for devs, QA, and management. And probably start sharing news about security breaches every few days in a slack channel to keep the threat of a breach fresh in their minds.

    I have no chill when it comes to security.
  • 1
    @iSwimInTheC The plain password. I didn't even know it was stored; back when I looked, it saved some base64 encode of the SHA, or something like that -not the best practice, but still theorically secure; the system was created before bcrypt was a thing, so it makes sense.
  • 0
    I think I’m missing something
    It’s sending the password and login and email back to the browser ?
  • 0
    @lesbianmilitia it's storing the password as plain text (bruh?!?!?) and it's sending the clear credentials back to any client on a following request (BRUH?!?!??!?)
Add Comment