Hacker News

I joined a startup with a product in production for a dozen or so major customers (US universities), public facing, with a slick new front and backend the team had been working hard on. I brought along a young engineer friend who had a pet interest in pentesting, so his first task before getting up to speed as a dev was a security review.

He and I sat down on day one to poke around, mainly to get oriented, not expecting much. Popped up Chrome's devtools Network panel, refreshed the login page.

One of the first XHR rows was to an endpoint named “getKeys”

The return object was the root keys for the AWS prod account.

This crap is incredibly common. Maybe not that egregious, but close enough.
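The check a reviewer would want to run on every XHR/fetch response and JS bundle the page loads is a credential-pattern scan. The following is an added example, not code from the comment above or from the startup it describes: a small Python scanner that flags AWS access key IDs (the AWS-documented `AKIA` long-term and `ASIA` temporary prefixes), reports whether a plausible 40-character secret access key travels in the same response, and drops all-hex 40-character candidates as probable SHA-1 digests. The function and variable names are mine; the sample responses are constructed, using the example key pair from AWS's own documentation.

```python
"""Scan an HTTP response body for AWS credential material (hypothetical helper)."""
import re
from typing import Dict, List

# Access key IDs: 4-char prefix + 16 upper-case alphanumerics. AKIA = long-term key
# (IAM user or root), ASIA = temporary STS key. Both prefixes are AWS-documented.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[0-9A-Z]{16})(?![A-Z0-9])")

# Secret access keys are 40 characters from the base64 alphabet. Alone this pattern is
# noisy (hashes, tokens), so candidates are only reported alongside an access key ID,
# and all-hex candidates are dropped as probable SHA-1 digests (git commit ids etc.).
SECRET_CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
HEX40_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def find_aws_credentials(body: str) -> List[Dict[str, object]]:
    """Return one finding per distinct access key ID in `body`, in order of appearance.

    Each finding records the key ID, whether it is long-term (AKIA) or temporary
    (ASIA), and whether a plausible secret access key is present in the same body.
    """
    secrets = [s for s in SECRET_CANDIDATE_RE.findall(body) if not HEX40_RE.match(s)]
    findings: List[Dict[str, object]] = []
    for key_id in dict.fromkeys(ACCESS_KEY_RE.findall(body)):  # dedupe, keep order
        findings.append(
            {
                "access_key_id": key_id,
                "kind": "long-term" if key_id.startswith("AKIA") else "temporary",
                "secret_present": bool(secrets),
            }
        )
    return findings


def severity(findings: List[Dict[str, object]]) -> str:
    """Rate a set of findings: a long-term key with its secret is the worst case."""
    if any(f["kind"] == "long-term" and f["secret_present"] for f in findings):
        return "critical"
    if findings:
        return "high"
    return "none"


# Constructed sample responses (not captured from any real endpoint). The key pair is
# the example pair AWS publishes in its documentation, so it is not a live credential.
SAMPLE_LEAK = (
    '{"accessKeyId": "AKIAIOSFODNN7EXAMPLE", '
    '"secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", '
    '"region": "us-east-1"}'
)
SAMPLE_TEMP_ID_ONLY = '{"accessKeyId": "ASIAIOSFODNN7EXAMPLE", "region": "us-east-1"}'
SAMPLE_CLEAN = '{"status": "ok", "commit": "e83c5163316f89bfbde7d9ab23ca2e25604af290"}'

if __name__ == "__main__":
    for name, body in [("leak", SAMPLE_LEAK), ("temp", SAMPLE_TEMP_ID_ONLY), ("clean", SAMPLE_CLEAN)]:
        found = find_aws_credentials(body)
        print(name, severity(found), found)
```

The key ID alone cannot tell a root key from an IAM user key; the comment's "root keys" conclusion comes from where the keys were pulled from, not from the string. To confirm what a leaked pair actually is, run `aws sts get-caller-identity` with it: the returned ARN ends in `:root` for root credentials and in `:user/<name>` for an IAM user. Either way, a long-term key with its secret in a client-visible response should be rotated before anything else is investigated.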
