I remember when a backdoor was discovered in the most popular brand of keylogging devices[0], likely added there in case someone forgot their password and reached out to support.
[0] https://old.reddit.com/r/cybersecurity/comments/jw6k5v/backd...
This is my guess. People don't like it when a device they have turns into a brick of e-waste because they can't remember their password. So most consumer devices have either a "reset to defaults" feature or a hidden support password. Even enterprise routers and switches often have this.
So after a quick test, it was decided to deploy the debug version of just the frontend as a bandaid. Next day we saw we managed to deploy the debug version of the backend with admin stuff like this as well..
This being said makes the situation for an attacker awfully convenient...
I know this from personal experience.
- What did you think was going on?
Jack Black: Oh, I thought it was an STO.
- STO?
Jack Black: Standard Training Op.