
I'm a fan of rolling actual databases, but please don't blame Firebase.

This is completely the fault of the people who made that app.

They have no fucking idea how to build systems if they can't figure out how to lock down Firebase. It isn't that hard.

Source: Multiple Firebase apps back in the day.



No, hazardous defaults can be a source of fault for the entity providing them.


Ok but it’s not like pg can’t stop you from doing something dumb.

There are probably countless new projects today that are storing plaintext passwords, or not adding scoping, and so on.

Putting in scopes and ensuring data security for both users and system wide is on the developer.


It's hard to screw up Postgres to the extent that your entire DB is made fully accessible by all users. This has happened many times with Firebase apps, for over a decade.

You could have a SQL injection vuln, but any SQL lib will very clearly steer you to parameterized queries, and even then such a vuln takes some expertise to find and exploit.


That’s simply not true. I remember working with a startup founder who had jerry-rigged some crap shit together with gpt a year ago.

I was able to access his data by simply accessing it, figuring out his URL and other stuff. I told him to use supabase or DO deployment and set up proper roles and stuff…

I think you’re being way too charitable honestly and it’s dangerous. I won’t join you on that path of absolving the developer of any blame.

They don’t read the docs and they didn’t care, simply put. Any production system needs to be tested, especially if it will have PII data.


Don't get me wrong, there is still such a thing as a bad dev. If this startup founder actually wrote an entire app using GPT and it had such vulns, I'm pretty sure he'd mess up the Firebase ACLs too.


You are absolutely correct. The founder of Tea app has only 6mo of coding bootcamp under his belt. That should explain pretty much everything that happened.


I blame Firebase. This is the 2nd app I saw get owned this way in the last 2 weeks, a similar complete break-in including user data.


Their docs literally show how to prevent this. It’s part of the tutorial even iirc.

But sure, blame Firebase lol


The variable here is Firebase, the same devs don't have these issues on other platforms. If users are reading and fully understanding the manual before setting things up, that's great, it can be default-deny and tell them how to selectively open things.
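To make the "default-deny, then selectively open" point concrete, here is an added example (not from anyone in this thread, and not Firebase's own tutorial text) showing a Cloud Firestore ruleset of the wide-open kind that leads to the break-ins described above, followed by a locked-down one. The collection names `users` and `posts` and the `authorId` field are assumptions for illustration; the rules syntax itself (`rules_version`, `match`, `allow`, `request.auth`, `resource.data`, `request.resource.data`) is the standard Firestore security rules language.

```firestore
// --- Hazardous ruleset: every document readable and writable by anyone ---
// This is what an unauthenticated client can exploit: the backend enforces
// nothing, so "figuring out the URL" is enough to dump the database.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;   // no authentication, no ownership check
    }
  }
}

// --- Locked-down ruleset: nothing is allowed unless a rule below says so ---
// Firestore denies any request that no `allow` statement matches, so leaving
// out the catch-all `/{document=**}` rule is itself the default-deny posture.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // A user may read and write only their own profile document.
    // (collection name `users` is an assumed example)
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Any signed-in user may read posts; only the author may create
    // (stamped with their own uid) or later modify/delete a post.
    // (collection name `posts` and field `authorId` are assumed examples)
    match /posts/{postId} {
      allow read: if request.auth != null;
      allow create: if request.auth != null
                    && request.resource.data.authorId == request.auth.uid;
      allow update, delete: if request.auth != null
                            && resource.data.authorId == request.auth.uid;
    }

    // Anything not matched above (e.g. an /admin or /private collection)
    // is denied to every client by default.
  }
}
```

A practical check a defender can run before shipping: with the Firebase emulator or a throwaway project, issue an unauthenticated read against each top-level collection and confirm every one returns a permission-denied error; a single successful anonymous read means a catch-all `allow` is still in place.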


Again simply not true. Sorry I’m gonna move on.

Y’all can continue making excuses for people leaking PII. Peace.


One day, if you're lucky enough to engineer a quality product with scale, you'll realize why "they're holding it wrong" is generally a poorly received explanation, even if you're Steve Jobs.


I mean I already have a cushy IPO exit under my belt as a lead platform engineer.

So yeah already did it, global b2b product used by millions daily. I have nothing to prove anymore besides my current company that I’m doing on my own.

Everyone else can do whatever insignificant and make mistakes; that’s on them.


But the fact I said "quality" and you conflated it with "I worked at a company that IPO'd and had lots of users" kind of says it all doesn't it?

For me good product is more of a passion than proving anything to anyone. And I definitely don't get better at product by victim blaming.


Cool man, whatever makes you happy, as long as you can excuse leaking PII.


From one founder to another, you'll get further if you learn to learn, instead of flipping out because your bad take was called out as a bad take.


This is pointless. Moomoo, nobody is excusing Tea, it's just that Firebase is also not designed well.

