| Somehow I managed to land my first programming job by the most stereotypical means possible. I had connected with this young startup through my budding network. I was young, they were young, and we were both involved in TeensInTech (formerly a community of teens interested in startups). I had done a couple of rounds of UI/UX feedback for them that they had requested via TinT. The company made a password & bookmark manager (not one of the ones that is available today; they went out of business). One day they launched a major website overhaul. Excitedly, I went to their website to play around with it. Purely by chance, I fat-fingered my password as I was entering it in. The login failed, obviously, but I was surprised to see that the password input on the failed login page was now filled with a mysterious-looking hash. My assumption was that was my hashed password. This spurred me to open my dev tools and look at the network requests to figure out what was going on. It turned out that their new website was powered by a new API which hadn't really been hardened at all. Within about an hour I was able to find an endpoint that allowed me to enumerate all of the users on their site, and another endpoint that returned a user's stored authentication details (hashed passwords, full usernames & URLs). I wrote a few lines of JavaScript that looped through all of the users, and fearfully received a dump of their entire credentials table. Obviously that is bad bad bad. I sent them an email explaining the issue. Their website was promptly taken offline, hardened, and then I received a job offer. tl;dr: I hacked my first employer's website, and they offered me a job for it. |
That's extremely bizarre.