How a simple security bug became a university campus ‘master key’
For its GET Mobile app, CBORD publishes a list of commands available through its API, which can be controlled using a student’s credentials. But the API was not checking if the credentials were valid.
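The flaw described above, a command API that accepts credentials without validating them, is shown here next to a corrected form. This is an added example, not CBORD's code. The command names, the session store and every function name are hypothetical, and the check at the end is a regression test a defender can run over every published command.

```python
import secrets
import time

# Constructed sample data: hypothetical command names and session store,
# not the real API described in the article.
COMMANDS = {
    "get_balance": lambda user: f"balance for {user}",
    "open_door": lambda user: f"door opened for {user}",
}
SESSIONS = {}  # session_id -> (user, expiry as epoch seconds)


def login(user, ttl=300):
    """Issue a random server-side session id for an authenticated user."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user, time.time() + ttl)
    return sid


def dispatch_unchecked(command, user, session_id):
    """The flawed pattern: a credential is accepted but never validated."""
    return COMMANDS[command](user)


def dispatch_checked(command, user, session_id):
    """Validate the credential server-side before any command runs."""
    if command not in COMMANDS:
        raise KeyError("unknown command")
    record = SESSIONS.get(session_id or "")
    if record is None:
        raise PermissionError("invalid session")
    owner, expiry = record
    if time.time() >= expiry:
        SESSIONS.pop(session_id, None)
        raise PermissionError("expired session")
    # The session must belong to the account the command acts on.
    if owner != user:
        raise PermissionError("session does not match user")
    return COMMANDS[command](user)


def commands_missing_auth(dispatch):
    """Regression check: names of commands that run with a bogus credential."""
    exposed = []
    for name in COMMANDS:
        try:
            dispatch(name, "student1", "not-a-real-session")
            exposed.append(name)
        except PermissionError:
            pass
    return sorted(exposed)
```

Running `commands_missing_auth` against each dispatcher in CI catches a command that was published without the credential check.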