
localhost is an abstraction: it's a non-routable-outside-your-machine network... except it's not. It's nothing more than normal TCP traffic, except with a message to the OS and other programs that whatever is on that local computer network, you don't want routed outside the local computer.

There's absolutely nothing stopping anything with access to localhost from routing it anywhere that process wants. It doesn't even take a malicious actor; all kinds of legit programs expose localhost. It's really not something you should use for anything except as a signal to other well-behaving programs that you are using the network stack as a machine-local IPC bus.
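The point the comment makes, shown as an added example that is not part of the thread: a service bound to 127.0.0.1 learns nothing about its caller beyond an `(ip, port)` pair, which a forwarder running on the same host presents identically, so the bind address is a routing hint, not authentication. The second half shows the defender's alternative, requiring a shared secret on each request. All function names and the token are constructed for this example.

```python
"""Loopback binding is not a caller check; authenticate instead.

Added example, not code from the thread or from any project named in it.
The token is generated in memory here; a real service would write it to a
file readable only by the intended user (or use a Unix domain socket with
kernel peer credentials) rather than trusting that "127.0.0.1" means "me".
"""
import secrets
import socket
import threading


def start_loopback_server(handle):
    """Bind an ephemeral port on 127.0.0.1, serve exactly one connection in a
    background thread via handle(conn), and return (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            handle(conn)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def what_the_server_sees():
    """Return the peer IP a loopback-bound service observes for a client.

    This is all the socket API gives it: no process identity, no proof that
    the bytes did not pass through another local program first."""
    seen = {}

    def handle(conn):
        seen["peer"] = conn.getpeername()
        conn.sendall(b"ok")  # keep the client open until we have looked

    port, t = start_loopback_server(handle)
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.recv(16)
    t.join(timeout=5)
    return seen["peer"][0]


def token_guarded_handler(token):
    """Handler that refuses any request not prefixed by the secret token."""

    def handle(conn):
        chunks = []
        while (chunk := conn.recv(1024)):  # read until client half-closes
            chunks.append(chunk)
        presented, _, body = b"".join(chunks).partition(b"\n")
        # compare_digest is constant-time, so a wrong guess leaks nothing
        if secrets.compare_digest(presented, token.encode()):
            conn.sendall(b"ACCEPTED " + body)
        else:
            conn.sendall(b"REJECTED")

    return handle


def request(port, token, body):
    """Client side: send '<token>\\n<body>', half-close, return the reply."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(token.encode() + b"\n" + body)
        c.shutdown(socket.SHUT_WR)
        return c.recv(1024)


def demo_authentication():
    """Run the guarded service twice: once with a bad token, once with the
    real one. Returns both replies so the contrast is checkable."""
    token = secrets.token_hex(16)  # constructed per-run secret
    handle = token_guarded_handler(token)
    results = {}

    port, t = start_loopback_server(handle)
    results["without_token"] = request(port, "not-the-token", b"get")
    t.join(timeout=5)

    port, t = start_loopback_server(handle)
    results["with_token"] = request(port, token, b"get")
    t.join(timeout=5)
    return results


if __name__ == "__main__":
    print("peer seen by loopback server:", what_the_server_sees())
    print(demo_authentication())
```

The first function shows that the server's only evidence about its caller is the address `127.0.0.1`, which every local process shares; the second shows that once the service checks a secret the caller must possess, the bind address no longer has to carry a security meaning it was never designed for.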



The fact that the production db has the same username/password as the development one is perhaps more troubling.


It likely doesn't... it probably reads it from the environment or a config role, and since it was in production it had the production credentials.


The code explicitly referenced “DevelopmentConfig” though.


They say in the article that it's not the case.


Yes! This is the biggest mistake, probably.


