Literally anyone could log in to the company’s Admin portal by OAuth authentication with a Google account. Bondu fixed the problem quickly, but yikes.

That doesn’t bode well for the quality of their developers.

Here is info from the researcher’s article, which is linked from the Wired article:

About 30 minutes in, he spotted something interesting in the Content Security Policy headers. It was a domain that piqued his interest (console.bondu.com). He navigated to it and was met with a button that simply said: “Login with Google”. By itself, there’s nothing weird about that as it was probably just a parent portal. But instead upon logging in, he found this wasn’t a parent portal; it was the Bondu core admin panel. We had just logged into their admin dashboard despite [us not] having any special accounts or affiliations with Bondu themselves.

This is why authentication and authorization are both important, not just authentication.