🤔 How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

During my 14 years at Pfizer, I once reviewed an iOS app built for us by a low-cost off-shored development shop. I proxied the app through Fiddler, watched the requests and found an API that was returning every user record in the system and, for each user, their corresponding password in plain text. When I quizzed the developers about this design decision, their response was – and I kid you not, this isn’t made up – “don’t worry, our users don’t use Fiddler” 🤦‍♂️

Source: How Spoutible’s Leaky API Spurted out a Deluge of Personal Data by @troyhunt
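The failure mode in the story is two defects stacked together: an endpoint that returns the whole user table rather than the caller's own record, and a schema that sends a credential column at all. The added example below is not from Troy Hunt's post or from Spoutible; it is illustrative code that stands in for what you would see in the proxy. It pairs the leaky handler with a hardened one (per-record authorization plus a whitelist of public fields) and adds the triage check a tester runs over intercepted JSON bodies: flag any key that looks like a secret, and flag bulk exposure when a collection comes back with more records than the request should ever need. The hostnames, paths, field names and user records are constructed for the example.

```python
"""Added example, not code from the original page or from the app it describes."""
import json
import re

# Keys that should never appear in a response body, whatever the endpoint.
SENSITIVE_KEY_RE = re.compile(r"(password|passwd|pwd|secret|token|api_key|ssn)", re.IGNORECASE)

# Constructed backend data standing in for the app's user table (hypothetical).
USERS = [
    {"id": 1, "email": "alice@example.com", "display_name": "Alice", "password": "hunter2"},
    {"id": 2, "email": "bob@example.com", "display_name": "Bob", "password": "letmein"},
]

# The only columns a client is ever allowed to see about another user.
PUBLIC_FIELDS = ("id", "display_name")


def leaky_list_users():
    """The anti-pattern from the story: every row, every column, no authorization."""
    return {"users": USERS}


def hardened_get_user(requester_id, target_id):
    """Authorize per record, then project only whitelisted columns.

    Returns None when the caller may not see the record or it does not exist;
    a real handler would map that to 403/404 without hinting which it was.
    """
    if requester_id != target_id:
        return None
    for user in USERS:
        if user["id"] == target_id:
            return {k: user[k] for k in PUBLIC_FIELDS}
    return None


def find_sensitive_keys(obj, path=""):
    """Walk a decoded JSON body and return dotted paths of sensitive-looking keys."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if SENSITIVE_KEY_RE.search(key):
                hits.append(child)
            hits.extend(find_sensitive_keys(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_sensitive_keys(value, f"{path}[{i}]"))
    return hits


def triage_response(body_text, max_records=1):
    """Return a list of findings for one captured response body.

    max_records is the largest collection the request legitimately needs;
    a 'my profile' call needs one, so anything larger is bulk exposure.
    """
    body = json.loads(body_text)
    findings = []
    hits = find_sensitive_keys(body)
    if hits:
        findings.append(f"sensitive keys in body: {hits}")
    if isinstance(body, dict):
        for key, value in body.items():
            if isinstance(value, list) and len(value) > max_records:
                findings.append(f"bulk exposure: '{key}' has {len(value)} records")
    return findings


# Constructed captures, as they would appear in the proxy's session list (hypothetical URLs).
CAPTURED = [
    ("GET", "https://api.example.invalid/v1/users", json.dumps(leaky_list_users())),
    ("GET", "https://api.example.invalid/v1/users/1", json.dumps(hardened_get_user(1, 1))),
]


def triage_all():
    """Triage every captured response; maps URL to its findings (empty list = clean)."""
    return {url: triage_response(body) for _method, url, body in CAPTURED}


if __name__ == "__main__":
    for url, findings in triage_all().items():
        print(url, findings or "clean")
```

In practice the check runs over exported proxy sessions rather than an in-memory list, but the logic is the same: a credential field anywhere in a response is a finding regardless of who is authorized to call the endpoint, and a collection larger than the request needs is the enumeration problem even when no secrets are in it.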
