I found this security bug in one of the prominent food startups of India. All their customer data including residential info , order info and contact details were vulnerable. Exposed Customer Data Look at the following code. .route(“/customer/info”)def customer_info():customer_id = requests.args.get(‘customer_id’)customer = customers.query.filter(Customer.id==customer_id).one()customer_schema.jsonify(customer) @app A customer of id 5453 will have the following request URL http://server_ip/customer/info?customer_id=5453 Now look at the URL, the id is a number. A hacker will try changing the number from 5453 to 5454 http://server_ip/customer/info?customer_id=5454 This will allow him to fetch details of the customer with id 5454, which he is not supposed to see. Now he can write a script which loops through customer ids and fetch information; he has hacked into a company’s confidential data. This can be prevented by adding authentication to check if the user has privileges to access the data. A unique string identifier is much better than an integer identifier. If you are interested in making cloud apps. Do checkout my book :) . Get the free chapters . Cloud Is a Piece of Cake here

Fetch

Twitter

A silly mistake most programmers make

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

3 books to help you stop procrastinating

100 Days of AI Day 1: From Newsletter to Podcast, Leveraging AI for Audio Transformation

10 Threats to an Open API Ecosystem

10 Indications That You Should Invest in Automation Via APIs

10 Best Practices for Securing Your API

The Noonification: Getting Your API Into Production (10/28/2022)

3 books to help you stop procrastinating

100 Days of AI Day 1: From Newsletter to Podcast, Leveraging AI for Audio Transformation

10 Threats to an Open API Ecosystem

10 Indications That You Should Invest in Automation Via APIs

10 Best Practices for Securing Your API

The Noonification: Getting Your API Into Production (10/28/2022)

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps