I suspect my job's web site is "wide open".

Time: 2018-01-23 19:37:17

Tags: http authentication

I have recently been allowed to connect to my job's new consultant-built intranet system, to fetch files and data from its "inside" through an API.

And it makes me wonder if the system is safe. "The usual web user logon is as usual", but using the API I can get any file or do any db request (within the API limits), and the API has no authentication, and it's all in http, with no "s". All files are renamed and stored "anonymously" according to a hash code (this is the only safety, I think), but I know the "un-code", and thus, if I know the exact file name (by, for example, doing a db request listing all files + their hash codes in a project), I can read it all. (Possibly this design is due to there being a client-side PowerShell script which handles what happens when you click a file on the intranet: it opens in Word, and on save it is uploaded to the web site and various properties are updated there.)

Still, this seemingly only keeps the good guys out. Should I blow a whistle or not?

0 answers:

No answers