The conservative site “63red” created a safe space app that allows MAGAts to find places where they can wear their red caps without being called names. You know, what they make fun of liberals for doing. Anyway, predictably, the guy who created it (Wallace) fucked it up from bean to cup:
- Wallace had left his username, email, and a plaintext password in the code—twice.
- There is no authentication for any of the application programming interface [API] calls, so someone could spoof any user—essentially giving them administrative access to the API.
- […] By using the “Get user by ID” API call, someone could retrieve the user name, email, ban status, and other details on each user account.
- Passwords were not in this data, but the entire user database could be retrieved by iterating through all the possible first letters or digits of an account ID.
- Any user could be blocked using an HTTP Post to the “block” API.
If none of that makes sense, the simple summary is that the app is a security catastrophe full of baby-level errors. Of course, Wallace’s response to the security researcher who found all of these issues was to threaten him, and to lie and say they were fixed when they weren’t.
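To make the quoted findings concrete, here is an added example (not code from this post, from the article it quotes, or from the 63red app). It sketches an in-memory user API with the same three defects the findings describe (no authentication on calls, any record readable by ID, an open “block” call) next to a hardened version that resolves a session token and checks the caller’s role before every operation, and reads its admin secret from the environment instead of the source file. All user records, tokens, and names (`USERS`, `login`, `get_user`, `block_user`, `APP_ADMIN_SECRET`) are constructed for illustration.

```python
"""Added example: an insecure user API beside a hardened one.
Nothing here is taken from the 63red app; the data and names are constructed."""

import os
import secrets

# Constructed sample user store: user_id -> record.
USERS = {
    "a1": {"name": "alice", "email": "alice@example.invalid", "banned": False, "role": "user"},
    "b2": {"name": "bob",   "email": "bob@example.invalid",   "banned": False, "role": "user"},
    "m9": {"name": "mod",   "email": "mod@example.invalid",   "banned": False, "role": "admin"},
}


# ---- Insecure version: what the quoted findings describe ------------------

def get_user_insecure(user_id):
    """Anyone who can reach the API can read any account by ID, so the
    whole table can be walked by trying IDs one after another."""
    return USERS.get(user_id)


def block_user_insecure(user_id):
    """An unauthenticated POST bans any user; no token, no role check."""
    USERS[user_id]["banned"] = True
    return True


# ---- Hardened version -------------------------------------------------------

class AuthError(Exception):
    """Raised for a missing/invalid token or an action the caller may not take."""


def load_admin_secret():
    """Secrets come from the environment, never from the source file.
    The variable name APP_ADMIN_SECRET is a constructed placeholder."""
    value = os.environ.get("APP_ADMIN_SECRET")
    if not value:
        raise RuntimeError("APP_ADMIN_SECRET is not set; refusing to start")
    return value


# Session tokens issued at login: token -> user_id. Tokens are 256-bit random
# values, so they cannot be guessed or iterated the way short IDs can.
SESSIONS = {}


def login(user_id):
    if USERS[user_id]["banned"]:
        raise AuthError("account is banned")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def authenticate(token):
    """Resolve a bearer token to the calling user or reject the request."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise AuthError("invalid or missing token")
    return caller


def get_user(token, user_id):
    caller = authenticate(token)
    # Object-level authorization: a user may read only their own record,
    # an admin may read any. Without this check a valid token would still
    # let one account enumerate the entire user table.
    if caller != user_id and USERS[caller]["role"] != "admin":
        raise AuthError("forbidden")
    rec = USERS.get(user_id)
    return dict(rec) if rec is not None else None  # copy, not the live row


def block_user(token, user_id):
    caller = authenticate(token)
    if USERS[caller]["role"] != "admin":
        raise AuthError("forbidden")
    if user_id not in USERS:
        return False
    USERS[user_id]["banned"] = True
    return True


def denied(fn, *args):
    """Demonstration helper: True if the call is rejected by AuthError."""
    try:
        fn(*args)
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    print("insecure read of bob:", get_user_insecure("b2"))
    alice = login("a1")
    print("alice reads alice:", get_user(alice, "a1"))
    print("alice reads bob denied:", denied(get_user, alice, "b2"))
    print("alice blocks bob denied:", denied(block_user, alice, "b2"))
```

The hardened `get_user` is where the enumeration finding is actually closed: authentication alone only raises the bar to “one registered account”, while the ownership/role check is what stops that account from pulling every other record.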
I’m wondering what “63red” stands for. Is it the Pantone color code for the shade used on the cover of the original edition of Mein Kampf? Maybe someone who speaks more fluent wingnut can help out in the comments.