this post was submitted on 30 Mar 2025
410 points (98.6% liked)
Technology
68130 readers
3792 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
So the devs were inexperienced in secure architectures and put a bunch of stuff on the client which should probably have been on the server side. This leaves anyone open to just use their API to access every picture they have on their servers. They then made multiple dating apps with this faulty infrastructure by copy-pasting it everywhere.
I hope they are registered in a country with strong data privacy laws, so they have to feel the consequences of their mismanagement
Do you reckon this app could have been vibecoded/a product of AI? Or massive use of AI in development? I'd know not to do this as a teenager when I was beginning to tinker with making apps, nevermind an actual business.
I know for a fact that a lot of applications made these mistakes before AI was around so while AI is a possibility it is absolutely not necessary.
I had a test engineer demand an admin password be admin/admin in production. I said absolutely not and had one of my team members change it to a 64-character password generated in a password manager. Dumbass immediately logs in and changes it to admin again. We found out when part of the pipeline broke.
So, we generated another new one, and he immediately changed it back to admin again. We were waiting for it the second time and immediately called him out on the next stand-up. He said he needs it to be admin so he doesn't have to change his scripts. picard_facepalm.jpg
How is he not fired? Incompetence and ignorance is one thing, but when you combine it with effectively insubordination... well, you better be right. And he is not.
Firmly agree, I don't believe he should have had access to change these password in the first place unless I'm misunderstanding their definition of test engineer, but if OP had the authority and permission to change the password in the first place, and that person deliberately changed it back to the insecure route again, management would be involved and there would some sort of reprimandment because that's past ignorance, that's negligence
It was an admin account to do regression testing for the admin interface and functions before prod releases.
I had my guys enable/disable the account during the testing pipeline so people can't login anymore.
Why would you have regression on prod? Or why would you care what the password is on staging environments?
We have our lower environments (where all testing happens) on a VPN completely separated from prod, and testing engineers only ever touch those lower environments. Our Ops team manages all admin prod accounts, and those are completely separate from lower environment accounts.
So I guess I'm struggling to understand the issue here. Surely you could keep a crappy password for pre-prod testing? We even create a copy of prod as needed and change the admin accounts if there's something prod-specific.
The production database gets down-synced to the lower environments on demand, so they can test on actual production datasets. That would require us to manually remake this user account every time a dev down-syncs the database to a lower environment.
The customer is paranoid, as the project is their public facing website, so they want testing against the actual prod environment.
We don't mange the SSO, as that is controlled by the customer. The only local (application specific) account is this account for testing.
That sounds fine? Just add it to the script when down-syncing. Or keep auth details in a separate DB and only sync that as needed (that's what we do).
That's the main problem then, not this testing engineer. We do test directly on prod, but it's not our QA engineers doing the testing, but our support staff and product owners (i.e. people who already have prod access). They verify that the new functionality works as expected and do a quick smoke test to make sure critical flows aren't totally busted. This covers the "paranoid customer" issue while also keeping engineers away from prod.
Maybe you're doing something like that now, idk, but I highly recommend that flow.
We resolved it by making him use pipeline vars for his scripts. Like we told him to do in the beginning.
He fought it because he wanted his scripts the same for all projects. Including hard coded usernames and passwords. So, it was mostly his fault.
Ah, makes a ton of sense. We do the same, basically use a
.envfile for local dev and OPs overrides the vars with whatever makes sense for the environment.Yeah. Since he was a subcontractor, he wanted all his scripts to be the same, no matter who the customer was.
I was like jesus christ, I'm lazy too and want to automate everything, but edit your stupid scripts to use env vars.
He was a subcontractor, so technically, he's not our employee.
I bubbled it up the chain on our side, and it hasn't happened since.
my main question in this is, why does a test engineer have the credentials to change an admin password in production. Like I get that he needs to test things but I doubt he needs access to changing profile/account settings
He had to do admin functionality regression tests before prod releases to make sure nothing broke.
The system uses SSO for logins for everything else.
He is a subcontractor who was using scripts for all his projects. I told him he really needs to use env vars for creds.