Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "everywhere credentials"
-
Dev gets hold of me, says my service is down in QA. Works if he hits it locally, works via Postman, but via the QA app server it gives a 401.
I’m like, look, if it works everywhere else, there’s something wrong on your side in QA.
He insists, no, I must help him, and begins CCing all the managers telling them this system has been down for days.
So I eventually climb into his system, check the credentials they’re using in the QA environment, and sure enough, the password is wrong.6 -
I had security reopen our test-user last week. I could run the tests once, then they started failing with "blocked user due to too many attempts at logging in". Huh, that's weird. I go through everything, every script, every scheduled task, every nook and cranny of every drive on every machine I could reach, and make sure the password is updated everywhere. Reopen account. Same shit.
I email around to some people, they don't use it, one guy asks if I checked x, y and z, I did. Then he's sure we don't use it anywhere else.
It's one of our fucking contractors that took one of our scripts (that they're supposed to have duplicate copies of) and forgot to change to their own credentials. That's literally the agreement, take our scripts and change the user and run them on your machines.
Afhfjdkdhdjdbd stop locking me out of everything with your incompetence. I email them, some cunt gets back to me asking for the new password. NO. USE. YOUR. OWN. CREDENTIALS. I KNOW YOU HAVE THEM, THEY'RE HERE IN THE LIST AND BEING USED IN ALL OTHER SCRIPTS AAAAAAAAAHHH6 -
This is the last part of the series
(3 of 3) Credentials everywhere; like literally.
I worked for a company that made an authentication system. In a way it was ahead of it's time as it was an attempt at single sign on before we had industry standards but it was not something that had not been done before.
This security system targeted 3rd party websites. Here is where it went wrong. There was a "save" implementation where users where redirected to the authentication system and back.
However for fear of being to hard to implement they made a second method that simply required the third party site to put up a login form on their site and push the input on to the endpoint of the authentication system. This method was provided with sample code and the only solution that was ever pushed.
So users where trained to leave their credentials wherever they saw the products logo; awesome candidates for phishing. Most of the sites didn't have TLS/SSL. And the system stored the password as pain text right next to the email and birth date making the incompetence complete.
The reason for plain text password was so people could recover there password. Like just call the company convincingly frustrated and you can get them to send you the password.1 -
I fucking hate web development and fuckton of issues it has. Laravel library not found despite the files exists and composer loaded it in the autoloader, fix: create a config file for the lib, why? Because magic. The code cannot find the provider class without it....
Next, try out smtp mail. Works everywhere, but not with the live smtp server. Fails with Invalid recipients error. 2 hours later, with half of my hair torn out I finally figured out. Can you guess?
Credentials and settings are correct, recipients are also correct. The fucking from address parameter was the culprit because you cannot send emails on behalf another address, logical but fuck that error message. Why is it that hard to respond with an understandable response?2