That's not professional, right?
If you have to create a backdoor, something is fishy or very, very wrong.
I left a backdoor in most of my games, e.g. you can go to wordsmashing.com/tests, which runs the tests in production D: that plays all the levels and unlocks everything for you.
Running my tests in production live allowed me to test in the exact same environment that matters, which gives me more peace of mind that things are working. Because these are indie games I can get away with doing something like that, where normally a more complicated business would be terrified of people/crawlers finding that out and using it too much, creating lots of data in production and potentially bringing the site down or leaking information about the internal workings of the code etc. (my games are all open source on my GitHub anyway). They would probably create a dev/testing/staging environment with some copy of production data and run tests there, but that would be a bit more time consuming, which I couldn't afford for these pet projects. :)
I also had to implement a "you must share this to gain access to next levels" type of feature, where we made development easier by not actually requiring the user to share anything; it would simply unlock said thing on a timer. Users would think they had to share the thing to get it to do that, but we weren't looking at the response from the social network at all.
I know of other instances of companies selling small things like games not authorizing the "buy now" route that's hit as a callback from a payment gateway like Stripe/PayPal at all, assuming normal people won't find it. If a few thorough hackers get a free online game or two, it is really a drop in a bucket.
Sometimes, strangely enough, it's okay to trade security/data integrity/correctness for something like development speed, especially if the potential impact and likelihood of the bug is low enough.
In a professional working environment: Never. Except if it is in your service contract, but then I wouldn't consider it a "backdoor". As you framed the question, I see it more as a question aimed at morality. Everybody has to decide that on their own. From a legal point of view: Don't do it. That backdoor that opens the code also opens many doors for lawsuits (from all sides). And always remember: There is always someone that knows more than you ;)
Just grow till tech lead level, where nobody does code review on your work, and it won't be a fireable action anymore.
OK, now the serious answer. Let me tell you that it is an illegal action and, no matter what, sooner or later you might have serious problems, up to criminal prosecution.
Never did it and have never seen someone in the team doing it.
Talking about examples or excuses like "you did it for testing" is not an option either. If you want to test something or log in as another user, make sure you can do it only when you are logged in and have something like is_admin=1 in your account. In other words, it's not a backdoor, but a feature for any admin or developer account; moreover, it is good for it to also be protected by IP/2FA.
I never left a backdoor, but I've built systems where you can log in as a different user by mouse-click to help the support. But those are official auditable features, since I don't want users to give me their password. It's a basic feature to me, and as long as you audit it and you don't sell it as "anonymous and private", who cares.
Maybe if I wanted to create something harmful like a worm out of curiosity I would leave a magic "switch off" button. Besides that, to me it's an unethical thing. I tend to create "code generators" and "other magical stuff to reduce writing boilerplate" because I'm lazy, but I don't like reducing security because I'm lazy.
It's a matter of perspective I guess
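The "log in as another user" support feature described in the answers above, gated on an admin flag, IP range and 2FA and written to an audit trail, could look like the following sketch. It is an added example, not code from any poster; `Account`, `impersonate`, `ALLOWED_NETS` and `AUDIT_LOG` are hypothetical names and the network range is constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample policy: office/VPN ranges allowed to use impersonation.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
AUDIT_LOG = []  # stand-in for an append-only audit store


@dataclass(frozen=True)
class Account:
    user_id: int
    is_admin: bool = False
    mfa_verified: bool = False  # set only after a fresh 2FA challenge


class ImpersonationDenied(Exception):
    pass


def _audit(actor, target_id, ip, reason, outcome):
    # Denied attempts are recorded too, so probing shows up in review.
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor.user_id, "target": target_id,
        "ip": ip, "reason": reason, "outcome": outcome,
    })


def impersonate(actor, target_id, source_ip, reason):
    """Return a session dict for target_id, or raise ImpersonationDenied."""
    addr = ipaddress.ip_address(source_ip)
    checks = [
        (actor.is_admin, "not_admin"),
        (actor.mfa_verified, "mfa_required"),
        (any(addr in net for net in ALLOWED_NETS), "ip_not_allowed"),
        (bool(reason.strip()), "reason_required"),
        (actor.user_id != target_id, "self_target"),
    ]
    for ok, code in checks:
        if not ok:
            _audit(actor, target_id, source_ip, reason, "denied:" + code)
            raise ImpersonationDenied(code)
    _audit(actor, target_id, source_ip, reason, "granted")
    # The session keeps both identities so every later action is attributable.
    return {"user_id": target_id, "impersonated_by": actor.user_id}
```

The difference from a backdoor is that nothing here depends on a secret URL or shared password: access follows from the caller's own authenticated account, and every attempt leaves a record.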
I once left some similar code in my final delivered code base. I had used it to log in to any user account while testing, and moved it to a new URL known only to me, with some password protection, on delivery, so that I can log in to the system anytime I need :P
This was my personal freelance project and I was the only developer/person interacting / involved with them.
PS: This is not ethical and not advised. If you are working for some corporation then don't do it until your manager/company asks you to do this. You will surely get fired if caught.
I have done it once, on request from the team management at my first job. A secret API to delete QA accounts. They needed to create 100 accounts every day, they were running out of emails and hence asked me to make a token-secured, QA-only access API to delete accounts. Hated doing it and would never recommend doing it.
At my second job and here at Hashnode, never. :)
I would never do it! Promise! 😁
Fabian Cook
Never, definitely will come to bite you in the butt. Doesn't make sense to risk it.