While this report is embarrassing for all involved, in a practical sense, I'd argue the security of this app was "fine."
What I mean: security through obscurity is imo the best situation to be in. You can't attack something if you don't know it exists in the first place. That alone gives this system a leg up over more exposed (but hardened) platforms.
Second, convenience always beats secure. Requiring password rotations is worse than requiring none at all, because people tend to find the path of least resistance (writing a password on a notepad instead of memorizing).
If it was faster/easier to ship a useful (but vulnerable) app, that's net better than the app not shipping at all because of security hurdles. I have to imagine sanitizing inputs doesn't take much more time to include, but I don't know the systems involved.
Ultimately, what damage was experienced here? We can throw out hypotheticals about what -could- have happened, but you can't sue every driver on the road because they -could- have hit you.
An insecure system served a useful purpose for years, got more secure, and continues ticking.
I am sorry, are you non-sarcastically arguing that being able to pass through airport security, potentially accessing cockpits and planting bombs onboard airplanes, with a high-school level SQL injection on a federal website used by dozens of airlines & airline employees, is actually "fine"?
Besides, I am not sure what sort of "security through obscurity" you are talking about? Ian and Sam found it, and frankly - with a public page, page title + first h1 tag clearly stating that this relates to a Cockpit Access system, this has got to show up in a shit ton of security research search engines instantly.
Every person working in security, or even familiar with security, would know how to exploit this. It was a ticking time bomb. And it gives you admin access to the entire system. People could have already exploited it and we wouldn't even know.
I'm not sure I'd write this off because having a weak spot like this and information gained could lead to more discovery of the obscure. It's never a good security design to rely on someone never finding my secret API routes that I named after my co-workers that I despised.