Punches For:
Out of context: Reply #1645
- detritus-2
People referring to themselves as 'Shopify experts' - indeed, anyone in any field who labels themselves an 'expert'. It's fucking Dunning-Kruger writ large in large flashing neon lights.
We've encountered a security hole in a shop. I had assumed that, given there were two specific functionalities we specced in our brief way back when, they had been properly considered and accounted for.
Realising the hole, I thought about it for a second and it took me - me, a non-programmer schlub - less than 2 minutes to work out how to replicate the breach. Suffice it to say, it's based on the use of a front-end condition that can [obviously] not only be changed easily by the user, but isn't then validated server-side.
This isn't even security 101; it's barely even schoolboy-error level.
If I ever meet the 'expert' who did this I'm going to fucking slap him. This isn't the first instance of his uselessness, but it is the most egregious.

Next time I'll buy a Mac, take a couple of weeks off my proper job and do it myself.
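The class of bug the post describes, a front-end condition the server trusts instead of re-checking, as an added JavaScript example. This is not code from the post, from the shop in question, or from Shopify; the catalogue, coupon rule, field names and request below are constructed for illustration.

```javascript
// Added example (not from the thread): a client-supplied flag the server trusts,
// beside a handler that recomputes the condition from server-held data.
// The shop, field names, prices and coupon rule are hypothetical.

// Server-side source of truth (constructed sample data, prices in pence).
const CATALOG = { "sku-1": { price: 4000 } };
const COUPONS = { SAVE10: { percentOff: 10, minSpend: 5000 } };

// Vulnerable handler: the browser decides whether the discount applies and the
// server believes it. Flipping `discountEligible` in devtools changes the price.
function totalVulnerable(order) {
  const subtotal = order.items.reduce((s, it) => s + CATALOG[it.sku].price * it.qty, 0);
  if (order.discountEligible) {
    return subtotal - Math.floor(subtotal * COUPONS[order.coupon].percentOff / 100);
  }
  return subtotal;
}

// Hardened handler: accept only sku, quantity and coupon code from the client,
// validate them, and derive eligibility server-side. Any client flag is ignored.
function totalHardened(order) {
  const items = order.items.map((it) => {
    const product = CATALOG[it.sku];
    const qty = Number.isInteger(it.qty) && it.qty > 0 ? it.qty : null;
    if (!product || qty === null) throw new Error(`invalid line item: ${JSON.stringify(it)}`);
    return { price: product.price, qty };
  });
  const subtotal = items.reduce((s, it) => s + it.price * it.qty, 0);
  const coupon = order.coupon ? COUPONS[order.coupon] : null;
  if (order.coupon && !coupon) throw new Error(`unknown coupon: ${order.coupon}`);
  const eligible = coupon !== null && subtotal >= coupon.minSpend;
  return eligible ? subtotal - Math.floor(subtotal * coupon.percentOff / 100) : subtotal;
}

// Constructed tampered request: one item at 40.00, below the 50.00 minimum spend,
// with the client asserting eligibility anyway.
const tamperedRequest = {
  items: [{ sku: "sku-1", qty: 1 }],
  coupon: "SAVE10",
  discountEligible: true,
};

// Returns both totals for the same request so the difference is visible.
function demo() {
  return {
    vulnerable: totalVulnerable(tamperedRequest), // 3600: discount granted on the client's say-so
    hardened: totalHardened(tamperedRequest),     // 4000: server recomputed, not eligible
  };
}
```

The hardened version never reads `discountEligible`; the only things the client may choose are what to buy and which code to try, and everything else is recomputed from data the client cannot touch.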