by hnbad
880 days ago
> That analogy fails because all the contractor needed to type was `SHOW DATABASES`

No, what the contractor needed to do was extract those credentials, create a manual connection and manually execute arbitrary queries. Not one of these three steps is part of how the database was meant to be used (i.e. specifically through the use of the software).

Also, again: I'm not arguing that the company's security practices were in any way acceptable. But that doesn't mean what the contractor did was in any way authorized behavior. That you can doesn't mean you're allowed to.