Email or username:

Password:

Forgot your password?
Top-level
Tamas K Lengyel

@WPalant @thisismissem Just connecting to the db won't show you what data is in it to determine it's not just your data. So he must have dumped it or at the least queried it sufficiently deeply to make that call.

3 comments
Beady Belle Fanchannel

@tklengyel @WPalant @thisismissem Just connect to it with a GUI tool like dbeaver (like devs are likely to do), it will show you the schema of tables.
There will be columns like “clientName” or similar, and then doing a few very simple selects will tell you whether you have access to other people’s data.

Beady Belle Fanchannel

@tklengyel @WPalant @thisismissem Mixing customer data like that and giving full access to the database with the given user credentials is criminal neglect and should cost the company dearly. Not the person who figured it out.

Yellow Flag

@Profpatsch @tklengyel @thisismissem According to nitter.net/der_sofc/status/174 he connected with phpMyAdmin. While I haven’t used that tool in decades, that would presumably also expose the database schema immediately.

Go Up