Truth is, the whole Fusion Middleware stack is... not very hard to compromise, even without resorting to password-cracking. Product-specific knowledge is often enough to retrieve plaintext credentials from a number of products. The whole Oracle ecosystem is like that -- SQLDeveloper's passwords can also be retrieved very easily.
The unspeakable truth is, in most enterprise companies, the ability to retrieve a lost password (when the original employee is on holiday/was fired/stepped under a bus) is more valued than the ability to secure it.
We always talk about security theatre like it only happens at airports, but I see lots of it in regular companies as well.
This kind of thing isn't exactly unique to WebLogic.
Privileged filesystem access generally means doom for your application's security layer, as you'll be able to springboard into databases or other systems from there.
If you have access to a salt file, you can generate hashes from that. If you have access to an encryption key, you can decrypt encrypted strings. Plus, so many configurations just use plaintext passwords.
The cool thing here is he found a way to decrypt these without having to run a WebLogic script, which has always been a minor pain.
It was known that WebLogic was storing encrypted passwords, but publishing just how easy it is to decrypt them and the fact that they're using the same key across all WebLogic installs is the real concern.