1M orders exposed and 200k customers' and workers' data exposed, just because an AuthKey is allowed to query all customer data instead of user-specific data.<p>This means most likely a junior developer built this service, and on top of that GraphQL is used, which is built relational-first; security is one step away.<p>It sucks that companies grow fast in the tech scene and try to make their wealth using technology without really understanding it.
I worked for a bunch of startups and I'm not surprised by this.<p>Nobody really cares. Security isn't a topic ever.<p>Founders pay you VC money to fly across the country to talk for days about UI wireframes, but nobody ever cares about where or how you store data.
> When will the industry finally learn?!<p>Never. There are too many people using too many technologies with too many deadlines and constant turnover. It will always be possible to find a service with simple vulnerabilities.
I also find it just fascinating that anyone would pump hundreds of millions into a service which is a copycat anyhow and doesn't even own the IP on the only thing that could potentially differentiate them from their competitors.<p>I mean, hiring desperate people and students to make deliveries in a couple of cities at a loss seems not to be the greatest feat. Services like Uber at least have some tech in-house which is mildly innovative. But this is just pathetic.
Personally I don't care about these data breaches anymore. My:<p>- full name, date of birth and email have been leaked by multiple websites;<p>- phone number was leaked by Facebook (added it for 2FA many years ago);<p>- address information can be found in the public database of the Chamber of Commerce.<p>That doesn't make negligence okay, but at least Gorillas and Flink both gave me a €15 discount on my groceries in return.
Zerforschung is funny, if you want a fun ride read this about "making photobooks out of your personal messages":<p><a href="https://zerforschung.org/posts/zapptales/" rel="nofollow">https://zerforschung.org/posts/zapptales/</a><p>What could go wrong? Everything.
> The tenantConfig however can be accessed without any restrictions. And the information delivered there is quite interesting: API keys and URLs for various services that are apparently used by the Gorillas/eddress infrastructure. Among them we found API keys for Sendgrid and Slack webhook URLs.<p>Unreal.
Building applications is a complex problem. If you want a secure system, then security details have to be carefully considered at every layer (DB, API, front-end). Doing that requires expert security employees/consultants, time and money. On the other hand, profits are driven by new features, first to market and sales.<p>Companies can build insecure systems (that are profitable) much faster and much cheaper than they can build systems that are profitable <i>and</i> secure.<p>It has been my experience that security is seen as a <i>necessary evil</i>. It's not seen as a benefit or feature that customers want. Security employees/consultants are often seen as road-blocks or obstructionists. I think this is largely why technical security has been replaced by compliance. Just a check-the-box mentality. When they get hacked they can say, <i>"but we were compliant and we'll do better next time"</i>.<p>IMPO, that basic conflict explains why systems are repeatedly compromised and why neither companies nor customers really care about good technical security.
zerforschung.org does an amazing job!<p>They have also recently analyzed Djokovic's test certificate:
<a href="https://zerforschung.org/posts/djokovic-pcr-test-en/" rel="nofollow">https://zerforschung.org/posts/djokovic-pcr-test-en/</a><p>Stuff like that is super interesting. I love this investigative journalism. Another one I find captivating is: <a href="https://www.bellingcat.com/" rel="nofollow">https://www.bellingcat.com/</a>
Ugh. This inspired me to check the B2B application I'm responsible for as a manager. Guess what I found:<p><input type="hidden" name="userId" value="{{session.userId}}"><p>I'm sure you can guess what it's used for and what it's <i>not</i> compared against.
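Both the over-broad AuthKey query described in the first comment and the hidden userId field in the comment above come down to the same missing check: the server derives the record scope from a caller-supplied value instead of from the authenticated identity. The following is an added example, not code from the post, from Gorillas or from eddress; the key table, customer IDs, order rows and request shapes are all constructed for illustration. Each bug is shown beside a hardened version.

```javascript
// Added example (not the page's or any vendor's code). All identifiers and
// data below are constructed for the illustration.

// Constructed data store: orders belong to customers.
const orders = [
  { id: 1001, customerId: "c-1", items: ["milk"] },
  { id: 1002, customerId: "c-2", items: ["bread", "eggs"] },
  { id: 1003, customerId: "c-1", items: ["apples"] },
];

const customers = {
  "c-1": { name: "Alice Example", phone: "+00 000 000001" },
  "c-2": { name: "Bob Example", phone: "+00 000 000002" },
};

// Constructed key table (hypothetical): API key -> the customer it was issued to.
const authKeys = { "key-alice": "c-1", "key-bob": "c-2" };

// 1a. Vulnerable resolver shape: the key is checked only for *existence*, then
// the caller-chosen customerId is used unscoped. Any valid key can enumerate
// every customer's orders by iterating customerId.
function ordersVulnerable({ authKey, customerId }) {
  if (!(authKey in authKeys)) throw new Error("unauthenticated");
  return orders.filter((o) => o.customerId === customerId);
}

// 1b. Hardened: the scope is derived from the key, never from the argument.
// A customerId argument that disagrees with the key's owner is rejected
// rather than silently honoured.
function ordersHardened({ authKey, customerId }) {
  const caller = authKeys[authKey];
  if (!caller) throw new Error("unauthenticated");
  if (customerId !== undefined && customerId !== caller) {
    throw new Error("forbidden");
  }
  return orders.filter((o) => o.customerId === caller);
}

// 2a. Hidden-field bug: the form carries <input type="hidden" name="userId">
// and the handler looks the record up by that posted value. The session is
// consulted only to see that *someone* is logged in, so editing the hidden
// field in the browser returns another user's profile.
function profileVulnerable(req) {
  if (!req.session || !req.session.userId) throw new Error("unauthenticated");
  return customers[req.body.userId] || null;
}

// 2b. Hardened: the session is the only source of identity. The posted value
// is compared against it (a mismatch is tampering and is refused) and is never
// used for the lookup itself.
function profileHardened(req) {
  if (!req.session || !req.session.userId) throw new Error("unauthenticated");
  if (req.body.userId !== undefined && req.body.userId !== req.session.userId) {
    throw new Error("forbidden");
  }
  return customers[req.session.userId] || null;
}
```

The hardened versions keep the same call shape as the vulnerable ones, so the fix is a change in which value is trusted, not a new API. Rejecting a mismatching client-supplied ID instead of ignoring it is deliberate: it surfaces probing in the logs rather than letting an attacker's requests succeed quietly.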
Different topic<p>> Gorillas has experienced extreme growth in recent weeks and also raised another absurd 290 million US dollars in venture capital<p>It does not seem absurd considering the current market valuations of online retailers.
> The API key of Gorillas for 100 of these so-called “scopes”, the one of Liban Post for more than 200<p>How did they check the scopes? Did they use these API keys to make requests? Would that be legal?