• bleistift2@feddit.de
    link
    fedilink
    English
    arrow-up
    50
    arrow-down
    3
    ·
    1 year ago

    To me it looks like their frontend guy just copy/pasted the password field with all validation over without thinking twice. I wouldn’t say this speaks to their general security competence.

    • ViewSonik@lemmy.world
      link
      fedilink
      arrow-up
      45
      arrow-down
      4
      ·
      1 year ago

      While that may be true(copy/🍝), it implies that their code quality and QA process is broken and some of the most important fields/data are not being closely looked it. It certainly DOES speak to their overall security competence.

      • DoomBot5@lemmy.world
        link
        fedilink
        English
        arrow-up
        24
        arrow-down
        4
        ·
        1 year ago

        Eh, I can see how it’s missed by testing. The tests probably cover testing non-compliant passwords failing and compliant passwords passing. They were probably updated at the same time the password compliance was updated.

        Missing an edge case like this isn’t good, but it’s not that uncommon.

        • ViewSonik@lemmy.world
          link
          fedilink
          arrow-up
          9
          arrow-down
          5
          ·
          1 year ago

          Again, a basic code quality issue. If they missed this basic functional code issue, what else did they miss that is exploitable….

    • Wrench@lemmy.world
      link
      fedilink
      arrow-up
      14
      ·
      1 year ago

      Could also be backend validation is broken, so FE just shows the user something useful rather than waiting for backend to reject and show a generic error message.

        • Wrench@lemmy.world
          link
          fedilink
          arrow-up
          5
          ·
          1 year ago

          I mean… I’ve been both. I have had to punt a problem that caused FE anguish because the project is old, not the priority, and hard to make changes to.

          I’ve also been the FE that was told that they are aware of the problem, and can’t get to it for a month, so we need to at least make the UI surface the error in a better way so that the user can go to support for manual intervention.

      • bleistift2@feddit.de
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        That would be actively malicious. I don’t know how anyone could get the idea to just show “something” if the backend sends a generic error message.

        I’m not sure what’s wrong, but have you checked if your tomatoes are fresh?

        • Wrench@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          Huh? If backend has incorrect validation on the old password string, and returns an error message like “invalid password” without specifying if it’s the old or new password, that’s not particularly helpful for front end. And that’s pretty common for an API response not to have fine grain details.

          The UI is capable of validating up front before the service request, assuming they know the exact validation rules BE uses.

          Or the FE just fucked up. Both are plausible.