"The web app was so sensitive in nature I can’t really even describe the contents, but it was a big find by itself."
Maybe that's true, and certainly the vulnerabilities described in more detail are already quite a big deal, but the author probably should have omitted the above quote from their post as it leaves the reader with some suspicion that perhaps this is a bit of a "Fish Story" (fisherman exaggerating the size of the fish they caught) https://www.urbandictionary.com/define.php?term=Fish%20Story
I like it because it describes how specifically the vulnerabilities were found and what specifically they were. If you’re doing security review or building a secure tool there are 5 items for your checklist.
They are bad mistakes that should have never have passed QA. Think a bit. Pentesting only makes sense if you don't have a functional QA.
It's like hiring a guy with a sledgehammer to test the stability of your bridge. You should hire a structural engineer instead, before building it. If the guy with the sledgehammer is successful, you should never have built the bridge in the first place.
Think a bit more. Why have QA? If there are bugs, the SWEs should have caught them with their test suite. Think even more. Why bother with a test suite? The code should be written correctly the first time. (this is sarcasm)
People make mistakes. Systems fail. Pen tests exist to find out if your people are making mistakes, and if your system is failing.
True, IF software were actually built like bridges, as in actually engineered, effects calculated, simulated, and tested ahead of time, according to required standards, only by people who are trained, licensed, and insured to do such work, and with the expectation that it will be built once (not updated with patches on an ad-hoc basis). Oh yes, and all subject to strong liability.
Instead we have projects that care only about shipping their latest favorite features yesterday to meet the over-promised new capabilities to the new client/market, and figure any problems will get caught with the update cycle, and the coders scrambling to ship the first thing that'll compile and pass the test screens, with QA being a minimally funded function as yet another cost center to be minimized... Oh, and all liability for failure is disclaimed or fobbed off on the consumer for their failure to maintain proper opsec. Oh, and in many cases, the blame is put squarely on anyone who finds such a fault instead of on the builder (e.g., when the governor recently tried to jail a journalist who found an egregious flaw in a state website).
So, yeah, it SHOULD never be the case if there were proper development and proper QA. But it hasn't happened in a half century of large commercial software. So, we do really need pentesters. They're just delayed QA after all.
My first thought was that it was just an admin dashboard that was poorly attempted to be hidden by obscurity. It probably was thrown together during migration to work from home.
No, of course they aren't worthless. They give you the routing number, account number, and next check number in order to print your own fake checks on other people's accounts.
Sure, there is some value in the information printed on the checks, but they're worthless because they can't be redeemed as they've already been redeemed. These checks cannot be "stolen" for "millions" contrary to the title.
The checks disclose 100% of the information that is needed to write new checks against the accounts. Those accounts could be completely drained from this. That accords with the title.
Kind of depends. In addition to using them to forge more checks (as discussed in a sibling comment), if you pull them in real time, you can race to cash them first, and you can sometimes present the same check multiple times and get it cashed.
Of course, any of those options are going to end up with transactions reversed eventually, so you've got to have a quick exit planned.
I'm down for using it in limited circumstances, like maximum pwnage, like when a university or municipality gets all of their computers ransomwared and negotiations fail with all the data being deleted with no backup.
But only in an off the cuff remark as a passive observer, amused by the circumstance and grandstanding necessary to fail so hard.
Allow me my fantasy: I imagine you are a younger, polite, curmudgeonly person who sadly missed the bouncy joy of this word when it was fresh. This fantasy makes me want to keep using this annoying word that I somehow love.