Hi, can anyone give me an example of the vulnerabilities of the insecure package? I get that it needs to be removed, otherwise any client can change and view the database. But I can't find one good practical example of how this attack is actually done in the Chrome console.
For example, in the Meteor Todo app tutorial, in the step right before removing the insecure and autopublish packages, I tried accessing/modifying the Tasks collection from the Chrome console, but couldn’t do anything to it; I just get “Uncaught ReferenceError: Tasks is not defined”.
I would like to understand exactly how someone can attack my database when those packages are not removed from the project.
The collection is defined in /imports/api/tasks.js like this:
export const Tasks = new Mongo.Collection('tasks');
And gets imported in /imports/ui/App.js like this:
import { Tasks } from '../api/tasks.js';
App is then imported in /client/main.js and gets rendered inside the Meteor.startup method.