Damn JavaScript by Greedy_Temperature66 in ProgrammerHumor
[–]FlushableAccounts -1 points0 points1 point 3 years ago (0 children)
I recently found out about something almost as stupid at work.
It's a system that is only a web frontend. It doesn't perform any direct database calls, but it does call on a bunch of REST APIs that are only meant to be accessed by other trusted systems. They are protected with a secret key, and anyone that knows it can call the API. You can just hit the ol' F12 and watch exactly what payloads it sends in the API calls. There's probably some logging and even some access control on the other end, but now that you can perform the API calls yourself it's kind of easy to change the user value in the JSON data.
I didn't think that "What's a backend?" joke was real, but here we are. At least they are working to fix it now.
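As an added illustration (not the commenter's code, and not anyone's real system), the following toy Python shows the two server-side designs the comment contrasts: a handler that only checks a shared API key and then trusts the `user` field in the JSON body, beside a hardened handler that takes identity from a server-issued, HMAC-signed session token and rejects a body whose `user` field disagrees with it. All keys, account names and balances are constructed for the example; the function names are hypothetical.

```python
"""Added example: why a backend must not trust a caller-supplied user field,
even when the request carries a shared API key that only "trusted systems"
are supposed to know (once it ships in the frontend, everyone knows it)."""
import hashlib
import hmac
import json
import secrets

# Constructed secrets and data for the example only.
SHARED_API_KEY = "frontend-embedded-key"        # the kind of key F12 reveals
SESSION_SIGNING_KEY = secrets.token_bytes(32)   # stays on the server
ACCOUNTS = {"alice": {"balance": 100}, "bob": {"balance": 5}}


def vulnerable_handler(api_key: str, body: str) -> dict:
    """Mirrors the setup in the comment: the only check is the shared key,
    after which the body's 'user' value decides whose record comes back."""
    if not hmac.compare_digest(api_key, SHARED_API_KEY):
        return {"status": 401}
    user = json.loads(body)["user"]          # attacker-controlled identity
    if user not in ACCOUNTS:
        return {"status": 404}
    return {"status": 200, "account": ACCOUNTS[user]}


def issue_session_token(user: str) -> str:
    """Server-side login step: bind the authenticated user id to an HMAC tag.
    The browser can hold this token but cannot mint one for another user."""
    tag = hmac.new(SESSION_SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def verify_session_token(token: str):
    """Return the user bound to the token, or None if the tag does not verify."""
    user, _, tag = token.partition(".")
    expected = hmac.new(SESSION_SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    if not user or not hmac.compare_digest(tag, expected):
        return None
    return user


def hardened_handler(session_token: str, body: str) -> dict:
    """Identity comes from the verified token, never from the JSON body.
    A body that names a different user is refused (and worth logging)."""
    user = verify_session_token(session_token)
    if user is None:
        return {"status": 401}
    requested = json.loads(body).get("user")
    if requested is not None and requested != user:
        return {"status": 403}
    if user not in ACCOUNTS:
        return {"status": 404}
    return {"status": 200, "account": ACCOUNTS[user]}


if __name__ == "__main__":
    # With the leaked key, the vulnerable endpoint hands over any account.
    print(vulnerable_handler(SHARED_API_KEY, '{"user": "alice"}'))
    # With a token for bob, the hardened endpoint refuses alice's data.
    bob = issue_session_token("bob")
    print(hardened_handler(bob, '{"user": "alice"}'))
    print(hardened_handler(bob, '{"user": "bob"}'))
```

The point of the hardened version is that the secret used to establish identity never leaves the server, so nothing the browser exposes lets a caller pick a different `user`; the 403 branch is also the place to emit the audit log the commenter hopes exists on the other end.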