Tag

#api-security

2 posts tagged #api-security.

Analysis · May 20, 2026 · analysis-desk

The 'test connection' button that mails your stored credentials to an attacker

CVE-2018-13374 lets an attacker recover the LDAP bind credentials stored in a FortiGate by pointing its LDAP connectivity test at a rogue server. It's a small bug with a broad lesson: 'test connection' features that transmit stored secrets are a credential-disclosure pattern.
Analysis · May 20, 2026 · analysis-desk

A User-Agent string is not authentication, but TerraMaster's NAS treated it like one

To pull the admin password off a TerraMaster NAS, you sent a request with the header User-Agent: TNAS. The API recognized its own app's identifier and handed over the credentials. Chained to a second bug, that's unauthenticated root.