On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United States, Canada, and Japan.
Simply removing the two-factor auth element which does nothing to access the main page underneath. I do that shit with newspaper paywalls. That is wild.
Also having a script in there that just resets a password no questions asked. WTF is going on with modern software development? It isn’t just Subaru. It’s almost everything in the last 15 years. Behind all the pretty lipstick, IT systems are jankier than ever.
For any aspiring programmers, remember, never ever assume the user is rational, expecting them to follow the rules. At least half of your user data-handling code should be validation and sanity checks. Code defensively.
That password reset looked to be like step four of something. So it’s a business logic bypass. Still awful of course, but slightly more understandable given the other ways this vulnerability could have been introduced. The cool part was detecting all the steps completely black-box because everything was in the JavaScript.
There is no excuse for issuing a valid token before MFA succeeds though. That is negligent.
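The server-side gate the comment above calls for, as an added illustration that is not from the article or from Subaru’s systems: the user record and codes are constructed placeholders, and the `enforce_mfa_server_side` flag switches between a token that is fully privileged at the password step (so deleting the MFA element in the browser is enough) and a pending session that no protected route accepts until MFA has actually succeeded.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed demo record; placeholder credentials, not real ones.
USERS = {"admin": {"password": "correct horse", "totp": "123456"}}


@dataclass
class Session:
    user: str
    mfa_verified: bool = False


class AuthServer:
    """Minimal model of the login flow; state lives on the server, not in the UI."""

    def __init__(self, enforce_mfa_server_side: bool):
        self.enforce = enforce_mfa_server_side
        self.sessions: dict[str, Session] = {}

    def login(self, user: str, password: str):
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        token = secrets.token_urlsafe(16)
        # Weak shape: the token is fully privileged as soon as the password checks out,
        # and the MFA prompt is just a page element the client can remove.
        # Hardened shape: the session is created as pending until verify_mfa succeeds.
        self.sessions[token] = Session(user, mfa_verified=not self.enforce)
        return token

    def verify_mfa(self, token: str, code: str) -> bool:
        s = self.sessions.get(token)
        if s and hmac.compare_digest(USERS[s.user]["totp"], code):
            s.mfa_verified = True
            return True
        return False

    def admin_page(self, token: str) -> int:
        s = self.sessions.get(token)
        if s is None:
            return 401
        if not s.mfa_verified:
            return 403  # pending session: the route itself refuses, whatever the UI showed
        return 200


def demo(enforce: bool):
    """Client skips the MFA screen and requests the admin page directly, then completes MFA."""
    srv = AuthServer(enforce)
    tok = srv.login("admin", "correct horse")
    before = srv.admin_page(tok)
    srv.verify_mfa(tok, "123456")
    return before, srv.admin_page(tok)
```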
Lowest bidder.
Now add AI in the mix :)
Even worse, it’s a joke, but it’s true: the proof of concept is often also the final product.
Trust no-one, not even yourself.
Subcontracted to Indian, Ucranian and other low income countries. You get what you pay for.
Ukrainian devs are top notch, to be fair. Outsourcing to there is not an issue.
Just subcontracts in general. No need to bring any specific country into this.
Idk, we work with two companies, one based in India and the other in E. Europe, and the E. Europe code quality is certainly better. There are great devs on each, but each group needs a different type of hand holding. The Indian group follows instructions too literally and doesn’t ask enough questions, and the E. Europe group takes too many liberties and doesn’t ask enough questions.
I think it has more to do with the nature of how they get paid, but each country has its own idiosyncrasies.
Only someone who was never forced to outsource critical software to low-pay companies, basically sweatshopping software, thinks outsourcing is equal throughout the world. Everyone loses in that chain except the C type that shows nice numbers that quarter for a nice performance number. Meanwhile shit like the one above propagates like wildfire.
Check your “urcranium” bruh