by evilDagmar 873 days ago
> And if you went somewhere you're not supposed to and found out it's a master key by trying it in those places you're not supposed to access, you'd be accused of trespass.

Hard no. That analogy fails because all the contractor needed to type was `SHOW DATABASES` which would be the same as looking around and seeing everyone else's stuff just sitting around in piles, completely unsecured.

If you rented a storage room and the place was so lazy as to use one key for all the doors, that would be one thing, but in this case the storage facility used the same key for all the doors and also completely lacked interior walls to separate people's stuff into individual rooms.

1 comments
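The failure the comment above describes is a single credential that is valid for every tenant on a server that has no per-tenant separation, so one `SHOW DATABASES` reveals everything. As an added illustration that is not part of this thread, the following MySQL statements show that weak setting beside a least-privilege layout in which each tenant gets its own schema and its own account; all schema names, account names, host patterns and passwords are assumed placeholders.

```sql
-- Added example, not from the thread. MySQL syntax; tenant names, account
-- names, host patterns and passwords are assumed placeholders.

-- Weak setting (the one the comment describes): one account shared by every
-- tenant, with privileges on every schema. Shown commented out on purpose.
-- CREATE USER 'shared_app'@'%' IDENTIFIED BY 'one-password-for-everyone';
-- GRANT ALL PRIVILEGES ON *.* TO 'shared_app'@'%';
-- With that account, SHOW DATABASES lists every tenant's schema.

-- Corrected setting: one schema and one account per tenant, grants scoped
-- to that schema and to the network the tenant's application runs from.
CREATE DATABASE tenant_a;
CREATE DATABASE tenant_b;

CREATE USER 'app_tenant_a'@'10.0.1.%' IDENTIFIED BY 'placeholder-secret-a';
CREATE USER 'app_tenant_b'@'10.0.2.%' IDENTIFIED BY 'placeholder-secret-b';

GRANT SELECT, INSERT, UPDATE, DELETE ON tenant_a.* TO 'app_tenant_a'@'10.0.1.%';
GRANT SELECT, INSERT, UPDATE, DELETE ON tenant_b.* TO 'app_tenant_b'@'10.0.2.%';

-- Deliberately not granted: the global SHOW DATABASES privilege and any
-- privilege on *.*. Without them, SHOW DATABASES only lists schemas the
-- account holds some privilege on (plus information_schema).

-- Check, run while connected as app_tenant_a: the first statement should
-- list only tenant_a and information_schema, and the second should show
-- no grant on *.*.
SHOW DATABASES;
SHOW GRANTS FOR CURRENT_USER();

-- Audit, run as an administrator: find accounts that still hold global
-- SELECT, the global SHOW DATABASES privilege, or SUPER.
SELECT User, Host, Show_db_priv, Select_priv, Super_priv
FROM mysql.user
WHERE Show_db_priv = 'Y' OR Select_priv = 'Y' OR Super_priv = 'Y';
```

The audit query is the quick way to confirm that no leftover shared or administrative account undermines the per-tenant layout; any row it returns for an application account means that account can still enumerate or read other tenants' schemas.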

> That analogy fails because all the contractor needed to type was `SHOW DATABASES`

No, what the contractor needed to do was extract those credentials, create a manual connection and manually execute arbitrary queries. Not one of these three steps is part of how the database was meant to be used (i.e. specifically through the use of the software).

Also, again: I'm not arguing that the company's security practices were in any way acceptable. But that doesn't mean what the contractor did was in any way authorized behavior. That you can doesn't mean you're allowed to.