Since then, they have fixed many of them, but the entire project was in fact a catalogue of almost every Internet security mistake in the book. Here is a summary of the problems present from the first day their alpha code was released:
- They never verified that a given user had permission to perform an action. So when a user could go to /image/123/delete/ to delete their own image (identifier 123), they could simply edit the URL to /image/1/delete/ and delete the image with identifier 1, even if that image was not theirs.
- Ruby on Rails, POST, URL
- MongoDB, Mongo Javascript
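The missing ownership check behind /image/<id>/delete/, as an added example that is not the project's code: a plain-Ruby store with the unchecked delete beside a version that refuses images the current user does not own. `ImageStore`, `Image` and the ids are constructed for the example.

```ruby
# Added example, not from the project under discussion.
# Image ids and owner ids below are constructed.
Image = Struct.new(:id, :owner_id)

class ImageStore
  attr_reader :images

  def initialize(images)
    @images = images.to_h { |img| [img.id, img] }
  end

  # Vulnerable: trusts the id taken from the URL and never asks who owns it.
  # Any authenticated user can delete any image just by changing the number.
  def delete_unchecked(image_id)
    @images.delete(image_id) ? :deleted : :not_found
  end

  # Hardened: look the record up, then require that the current user owns it.
  # A foreign image is reported exactly like a missing one (:not_found), so the
  # response does not confirm to a probing user that the id exists.
  def delete_as(current_user_id, image_id)
    image = @images[image_id]
    return :not_found unless image && image.owner_id == current_user_id

    @images.delete(image_id)
    :deleted
  end
end

# Constructed fixture: image 1 belongs to user 100, image 123 to user 200.
def fresh_store
  ImageStore.new([Image.new(1, 100), Image.new(123, 200)])
end
```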