
Database security vulnerabilities are the craziest

Dec, 2 min read

Recently, a post in the r/ExperiencedDevs community on Reddit, titled "What are some of the craziest security vulnerabilities you've uncovered?", drew hundreds of sad stories, several of which are database tragedies. Let's laugh at some of them.

Stories

The first story describes a breach that exposed core permissions: admin access, free account creation, and even credit card information. The worst part is that nobody cared even after the narrator reported the problem. The narrator, to their credit, patched all the errors anyway.


Then there's the API endpoint that leaked the PII of almost half of Australia's population. The information was documented, and then publicly promoted on the Postman cloud community.


In this Java webapp, a user lookup with an asterisk (a wildcard) matched all users, including admin, creating a privileged session that synced EVERY operation across ALL users.

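The asterisk story is an instance of a general bug class: user-supplied input is handed to a matcher that treats it as a pattern rather than a literal, so one request can match every row. The Python below is an added example, not code from the original post, the Reddit thread, or Bytebase. The real Java webapp is not available, so it models the bug with a constructed user table and a glob-style matcher (`fnmatch`, where `*` matches anything) as a stand-in for whatever pattern language the app actually used, and puts the hardened lookup beside the vulnerable one.

```python
"""Wildcard user lookup: the bug class behind the asterisk story.

Added example, not code from the original post or the Reddit thread. The
Java webapp is not available, so this toy models the bug with a constructed
user table and a glob-style matcher (fnmatch), where '*' matches anything;
that stands in for whatever pattern language the real app used.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    is_admin: bool


# Constructed sample data: one admin and two ordinary users.
USERS = [
    User("admin", True),
    User("alice", False),
    User("bob", False),
]


def find_users_vulnerable(supplied: str) -> list[User]:
    """Treats the supplied name as a pattern. A bare '*' matches every row."""
    return [u for u in USERS if fnmatch.fnmatchcase(u.username, supplied)]


def create_session_vulnerable(supplied: str) -> dict:
    """Builds the session from every matched row. With '*' the session is
    admin (because some matched user is admin) and spans all users, which is
    how one login ends up acting on behalf of everybody."""
    matched = find_users_vulnerable(supplied)
    return {
        "users": [u.username for u in matched],
        "is_admin": any(u.is_admin for u in matched),
    }


# Hardened version: input is an identifier, not a pattern.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def find_user_hardened(supplied: str) -> User:
    """Rejects pattern metacharacters up front, compares by equality, and
    insists on exactly one match, so an over-broad query can never become
    a session."""
    if not USERNAME_RE.fullmatch(supplied):
        raise ValueError(f"rejected username: {supplied!r}")
    matched = [u for u in USERS if u.username == supplied]
    if len(matched) != 1:
        raise LookupError(f"expected exactly one user, got {len(matched)}")
    return matched[0]


def create_session_hardened(supplied: str) -> dict:
    """A session is always bound to exactly one user."""
    u = find_user_hardened(supplied)
    return {"user": u.username, "is_admin": u.is_admin}


def hardened_rejects(supplied: str) -> bool:
    """True if the hardened lookup refuses to create a session for the input."""
    try:
        create_session_hardened(supplied)
    except (ValueError, LookupError):
        return True
    return False


if __name__ == "__main__":
    print("vulnerable '*':", create_session_vulnerable("*"))
    print("vulnerable 'a*':", create_session_vulnerable("a*"))
    print("hardened 'alice':", create_session_hardened("alice"))
    print("hardened '*' rejected:", hardened_rejects("*"))
```

The two fixes that matter are independent: validate the identifier so metacharacters never reach the matcher, and refuse to build a session unless the lookup returned exactly one row. Either one alone would have stopped the story's all-users admin session; together they also catch partial wildcards such as `a*`, which quietly matches both `admin` and `alice`.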

During the Ethereum ICO craze, an "SEC approved" ICO that claimed to be open source had a database seed file listing the raw email addresses of admin accounts, along with a file containing the authentication logic, both publicly accessible. The narrator manually transferred the token balance of a random account to 0x0, and the change was reflected on chain.


Summary

It is a persistent headache that data leakage, permission misassignment, and accidental database operations keep appearing. The stories above, like most such incidents, share the same carelessness, yet even with care, stupid things still happen.

Perhaps this suggests that standardizing the database operation process remains a necessity. With a DevSecOps tool, things would be easier, safer, and more organized.
