DEV Community

Péter


How a Junior found a massive hole in a 'market leader' app

I like to play with the idea, partly to comfort myself, that good (okay, that’s subjective) software developers are needed more than ever. Everyone knows how AI has transformed the landscape lately; as we say in Hungarian, it’s flowing from the tap as well (meaning it’s everywhere). Interestingly, while the total number of developer jobs has increased, competition for the lower-level positions has become increasingly fierce.

  • I know this well; I happen to be at the bottom of that fish tank, but I’ll leave that part for later.

Lately I’ve been missing a feature on a site/app: personalized notifications about services (I’m trying to keep the identities as concealed as possible).
My main idea, as a first scraping project (I have learned Java and Spring), was to create a Spring Boot app that logs in with my credentials, pulls data at random intervals and sends me email notifications.

Simple, right?
Well, at the login I hit a wall called reCAPTCHA. Instead of banging my head against the wall, I quickly took another approach and decided to use my tokens, as in my experience the session tokens were quite long-lived and easy to grab. You know, go with the flow, as Bruce Lee said: “Be water, my friend”.

Next up, I had to find some endpoints I could hit for the data I needed. Nothing hard, especially with AI these days (haha, the irony): I quickly found out that the site was created with an AI (intentionally omitting the correct term) no-code platform: just vibe and create stuff.

Brilliant: extensive knowledge about the conventions this platform uses is readily available, which quickly led me to how the endpoints here are structured.

And, with dynamic data loading via JS, I quickly found a main endpoint where I could get the details I needed. I was surprised when I hit the endpoint: I had access to all the current and previous records. It was of course “public” information. Mainly outdated, but still exposed? Weird!
The data of course does not reveal too much, as it is concealed behind IDs and such. So, I couldn’t stop there. I had to keep going.
Thanks to the conventions the site uses and some common sense, plus help from AI, I was able to reveal another endpoint, draft some code quickly and hit it a couple of times to get some structured data. Suddenly, the IDs linked up. They gave meaning to the data. I was so happy the data now had some meaning to it. I could identify and distinguish, but some pieces were still missing. Then I found it.

The swagger file.

Oh boiiii, Ten. THOUSAND. Lines. Of. JSON. I mean, I came here to peek in the front door, not to x-ray the whole building. Of course, I quickly reduced this data to a readable size and format. At first, I recognized the familiar endpoints I was already poking. Then, I found the one that helped to connect the dots. Man, I was ecstatic; it was more than I could hope for: the service was going to be spot on, and I could align my logic with theirs perfectly. I felt like I had defeated the dragon. My code was in pieces, barely hanging together; the data lay in Postman requests and in a code editor as I was quickly iterating through the process. So, I started to refactor my code, cleaning up repetitions etc. The rest would be a walk in the park. I got what I wanted! Perfect!

As I was glancing through my creation and playing around with the data, I realized that user interactions were also part of the data. Strange. Okay, the data was mainly public, but in this structure other users’ data should not really be visible to me. They are just ID numbers, nothing special. Right?

And of course, since I had the entire roadmap of the endpoints in my hands, I took a look. I mean, why wouldn’t I try to hit some other interesting endpoints to see what was going to happen? Haha, of course the authorization mechanisms kicked in, and my requests got rejected with ‘403 Forbidden’ even though the structure of my query was correct. Like, that is what you’d expect from a production-ready, market-leading application in that segment that is used by a couple hundred to a thousand users every day and has some big-name clients. Right???

Well, I think software developers already know what fast iterations and AI-generated code introduce.

Okay, those specific endpoints were safe, and as I was poking around, I found out I could use my account to automate other tasks beyond notifications. I mean, this is the whole point: to make my life easier and respond quickly to events that were well within my auth. Of course, I was worried about hammering the API with too many requests.

So yeah, I created another account to retrieve and manage information, which would take the major load, but I would still need to automate my main account.

Funny thing: the second account did not require anything to pull the data, just a simple registration. My main account required strict verification measures to use the service. Interesting. As I mentioned before, interactions with public domains contained user IDs, and that’s exactly how I identified my main account.

The endpoints are secured; authorization works perfectly even if you have the map; you don’t have the key!

Well, guess again. I sent a request from my secondary account with the primary account ID, and it worked. I mean, how crazy is that? It magically works; I couldn’t believe my eyes. With an unverified account, I was able to submit, cancel, and initiate different processes. But it does not stop there: I could connect public IDs with private events, and I could divert them in different directions if I wanted to, by which I could gain a significant advantage. Mind blown.
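To make the gap concrete, here is an added example (not code from this post or from the app in question) that models the check described above in plain Python: a handler that trusts the account ID in the request body, beside one that derives the subject from the session and requires a verified account. Tokens, account IDs and the process record are constructed sample data, and the handler names are my own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: str
    verified: bool

# Constructed sample sessions: a verified main account and an unverified second one.
SESSIONS = {"tok-main": Account("acc-1001", verified=True),
            "tok-second": Account("acc-2002", verified=False)}

def new_processes():
    """Constructed sample resource table: one open process owned by the main account."""
    return {"proc-1": {"owner": "acc-1001", "status": "open"}}

def authenticate(token):
    """Authentication only: who is the caller? (the 'key' from the post)"""
    account = SESSIONS.get(token)
    if account is None:
        raise PermissionError("401 unauthenticated")
    return account

def cancel_process_vulnerable(token, body, processes):
    """Broken object-level authorization: the owner check uses a client-supplied
    account_id, so any valid session that knows another account's ID passes it."""
    authenticate(token)                      # proves only that *a* session exists
    proc = processes[body["process_id"]]
    if proc["owner"] != body["account_id"]:  # BUG: client-controlled value
        raise PermissionError("403 forbidden")
    proc["status"] = "cancelled"
    return proc["status"]

def cancel_process_fixed(token, body, processes):
    """Hardened: subject comes from the session, must be verified, and ownership
    is checked against that subject, never against request fields."""
    caller = authenticate(token)
    if not caller.verified:
        raise PermissionError("403 account not verified")
    proc = processes[body["process_id"]]
    if proc["owner"] != caller.account_id:
        raise PermissionError("403 forbidden")
    proc["status"] = "cancelled"
    return proc["status"]

def rejected(handler, token, body, processes):
    """True when the handler refuses the request; lets both variants be compared."""
    try:
        handler(token, body, processes)
        return False
    except PermissionError:
        return True
```

The hardened version never reads an account ID from the request at all, which is the property to look for when reviewing every endpoint in a Swagger file like the one described above.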


I want to take a moment here to catch my breath.

I haven’t introduced myself properly. I am not a professional software developer. I mean, not yet. I completed a bootcamp... well, “completed”, okay, that is not exactly true, because after the AI boom started the bootcamp went bankrupt and disappeared with my money and the job guarantee they promised.

I had gone all-in. I quit my job. I dedicated everything to becoming a Java developer. I fell in love with it through a Udemy course before I even enrolled in the bootcamp. When the school collapsed, leaving 80 of us in the dirt, I was in despair. But I didn't stop. I went back to the basics: data structures, C, deeper Java, and endless LeetCode sessions.

I am still looking for that first entry-level position. Writing this is hard; these words feel heavy on my hands as I type. I’m just a guy outside the gate, looking in.


And that brings me back to the "market leader" app.

I am a junior developer, yet I could modify other people’s accounts and gain a massive unfair advantage. Of course, I won’t do it, but the fact that I could is the point.

This is why developers are needed more than ever. AI can generate code, and "no-code" platforms can "vibe" an app into existence, but they can't replace the fundamental understanding of security and logic. Even a junior like me knows that leaving your back door unlocked isn't "market-leading" behavior.

It’s time businesses rethink their approach to cutting costs with AI tools and give more focus to defending their integrity and reputation.
