I've got two. The first one is a bit older, from around 2015. It was a small platform that did have a Java Web Start app for some features. It downloaded an app, where you were automatically logged in. However, when downloading it, I noticed that there was no secret or anything transferred, just your username. Turns out, the downloaded application contained a database connection string with full owner rights. As far as I know, that was never fixed.

The second one was a bit more severe, and happened just last year. At our company, we're using a service to host private package feeds for some libraries we're selling. Users get their own account, and usually use an API key authentication to get the packages.
However, we've discovered that one client, although a paying customer, didn't have proper rights assigned to their account. After contacting them, it turned out they could access everything just fine, and never noticed a problem. They did have their own user account, along with their own API key. However, for the actual authentication, they used _their_ API key with _my_ account name, and that worked.
The service was first checking if the API key was a valid one (which it was, for some account without any access rights), and then checked if the user did have access (which it did). But there was no check whether the API key actually belonged to the user account. So, with publicly available information (account names) and a free account to generate API keys, you could essentially access any private packages you wanted.
That one was a bit more scary, and took half a year and multiple emails to finally get resolved.
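The authorization bug described in this comment, written out as an added Python example (not code from the original comment or from the unnamed package-hosting service, with constructed account names, keys and package names): the broken version validates the API key and the account name as two independent questions, the fixed version requires the key to have been issued to the named account.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    api_keys: set   # keys issued to this account (constructed sample data)
    packages: set   # private package feeds this account may read

# Constructed sample accounts: a paying vendor account with access to a
# private feed, and a free account that has a valid key but no access.
ACCOUNTS = {
    "vendor": Account("vendor", {"key-vendor-0001"}, {"premium-lib"}),
    "freebie": Account("freebie", {"key-free-0001"}, set()),
}

def key_is_known(api_key: str) -> bool:
    """Is this key valid for *any* account? (the only key check the broken flow does)"""
    return any(api_key in a.api_keys for a in ACCOUNTS.values())

def authorize_broken(username: str, api_key: str, package: str) -> bool:
    # Step 1: key is valid somewhere.  Step 2: the named account has access.
    # Nothing ties step 1 to step 2, so a key from one account plus a
    # different (public) account name passes both checks.
    if not key_is_known(api_key):
        return False
    acct = ACCOUNTS.get(username)
    return acct is not None and package in acct.packages

def authorize_fixed(username: str, api_key: str, package: str) -> bool:
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    # The key must be one issued to *this* account; compare in constant time.
    if not any(hmac.compare_digest(api_key, k) for k in acct.api_keys):
        return False
    return package in acct.packages

if __name__ == "__main__":
    # A free-tier key presented with the vendor's account name.
    print("broken:", authorize_broken("vendor", "key-free-0001", "premium-lib"))  # True
    print("fixed: ", authorize_fixed("vendor", "key-free-0001", "premium-lib"))   # False
```

A regression test for the fixed path should include exactly this mismatched pair (valid key, other account's name), since each check in isolation already passed in the original service.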