What is the worst security hole you've ever seen? It is probably a good idea to keep details limited to protect the guilty.

For what it's worth, here's a question about what to do if you find a security hole, and another with some useful answers if a company doesn't (seem to) respond.

+8  A: 

Mine would be discovering an ODBC DSN used for reporting, where the password matched the user, and the user belonged to the database server administration group.

So any PC with this ODBC DSN could read/alter all data (and worse) through the report user, using any ODBC compatible tool. No authorization required, and authentication was as weak as you can get.

I was working in a public hospital, and the software was installed on nearly every PC in every government hospital in the state, with the database server containing all sorts of sensitive medical data (full patient details, lab test results, etc.)

Worst of all, we quietly reported the security hole, then officially, and it still wasn't fixed in the 2 years I remained working there, and that was 5 years ago.

Assuming this was in the US, some people could have gotten into an awful lot of trouble.
David Thornley
Absolutely. Won't mention which country or state, but the government spent a *LOT* of money on this software (including hardware rollout + support it was 8 figures). The most frustrating part was how simple the fix would be...moving the user out of the db server admin group to somewhere where only read access was granted (on appropriate tables).
They might babysit that account with a kickout report for unexpected activity.
Aaron Bush
@Aaron, maybe, but given the slackness of security, and the fact this account was used for all reporting done by clients (user count in the thousands), somehow I doubt it.
Well, me too... But it's possible:)
Aaron Bush
+3  A: 

A peer once tweeted his password by accident... that was a pretty bad security hole.

Jeff Wilcox
Let me guess, using something like KeePass to store passwords and had the wrong windows focused when he hit Ctrl+V? :)
Thats a "stupid mistake", not a security hole. But it nicely demonstrates how even very secure software can be thwarted by human error. :-)
The first time I heard about this it was a guy who logged on as root, but he happened to have his IRC-program active instead of his local terminal...
I find this is the only downside to having a the x-windows "raise on hover" feature enabled: but then it's such a huge boost to productivity not to have to click windows on a dual-screen system, it just means I have to be slightly more careful ;)
Huge productivity boost? Since you are hovering, you already have your hand on the mouse. Clicking once isn't that much work...??
@Svish it is if you're on an OS that allows click-through by default (like Windows).
@kubi - has nothing to do with the OS but with Window Manager.
+127  A: 

The worst hole I've ever seen was a bug in a web application where giving an empty user name and password would log you in as administrator :)

A bug or a feature for lazy developers? :)
Happened to me too.
Ionuț G. Stan
just added my entry when I noticed this - have we worked on the same application, or is there a just a caste of developer who is super stupid or super lazy to remember login creds?
For *no* reason, PHP and register_globals just popped into my head when I read this.
R. Bemrose
A funny thing was that the bug was there for a long time and nobody noticed it :). Luckily it was someone in-house who discovered this by accident and not a customer.
I've seen such code. That is usually because the user lookup use a LIKE, as in "SELECT * FROM [User] Where UserName LIKE '%" + userName + "%'". And since the administrator is typically the first user in the database, it return that user.
Pierre-Alain Vigeant
why would you do a LIKE with a username?... so I could be admin by typing adm when I ment to type Adam
Matthew Whited
Most companies give you three attempts to log in under a given user-ID before they lock out the account. So it's trivially easy to lock out someone *elses* account with three bad passwords.
@Matthew, I wondered the same thing when I saw that code. Amongst other weird stuff near that bit of code.
Pierre-Alain Vigeant
I remember seeing this "exploit" or something similar (entering ']' for the user name) thus resulting in administrator access. I believe it was for a web based forum / message board application.
Nicholas Kreidberg
best example - Windows OS
I've seen this in a lot of corporate webapps that authenticate against an LDAP directory. In LDAP, an empty password results in a *successful* *anonymous* login. The anonymous user can't do much, but the webapps using this mechanism don't go as far as to check - they just assume "success = correct password"!
+20  A: 

When I use Colloquy (IRC), the password field pops up, but I still have focus in the main screen so the whole world knows my password when I hit enter and don't realize it.

The good old IRC fault:<n4p> msg NickServ identify my1super2secret3passwort4** n4p has been ghosted **
That's why I do my password things on server tab and not on a channel / UI
Jesus Rodriguez
+32  A: 

When I was 13 years old my school opened a social network for the students. Unfortunately for them I found a security bug where you could change the URI to another userID like "?userID=123" and become logged in for that user. Obviously I told my friends, and in the end the schools social network was filled with porn.

Wouldn't recommend it though.

why wouldn't u recommend this? what happened?
@Simon_Weaver:I guess 13-years-olds don't usually have a good taste for porn.
@slacker +1 to put you at 1000 rep! except i don't think rating comments gives you rep :-(
+35  A: 

Though this is not the worst security hole I’ve ever seen. But this is at least the worst I’ve discovered myself:

A pretty successful online shop for audiobooks used a cookie to store the identification information of the current user after successful authentication. But you could easily change the user ID in the cookie and access other accounts and purchase on them.

Wow ...I had the exact thing happen to me on an ASP code I inherited.
I maintain an app that has this exact issue. It's high up on the fix list, to be sure. Thankfully, it isn't an ecommerce site.
This happens for more often than most people realize.
Chris Lively
+19  A: 

The company I last worked for had their FTP username and password identical to the name of their domain. They didn't quite bother with repeated warnings.

Needless to say, it didn't take a long time for the site to go under. No online backups so they basically had to rebuild the whole thing. But it doesn't end there. The new secure password after this incident was the same... with 123 added on.

Passwords have been around for a long time. You'd think even laypeople would know what the *worst* passwords are.
Elizabeth Buckwalter
wow, that is amazing! Wow.
Alex Baranosky
Wow, I think I will change my password to um yea "password123", the old one "pass123" seems just too risky :)
Mark Schultheiss
+66  A: 

Giving 1=1 in a textbox lists all the users in the system.

Greetings from Bobby Tables.
how can @Gumbo's comment is upvoted 4 times as much as the answer?
Lie Ryan
Simply, 4 times the amount of people that voted the question up had voted his comment :/
Would one of the 221 up-voters of the Bobby Tables comment tell the rest of us what the hell Bobby Tables is?
+41  A: 

Right at the start of the .com era, I was working for a large retailer overseas. We watched with great interest as our competitors launched an online store months before us. Of course, we went to try it out... and quickly realized that our shopping carts were getting mixed up. After playing with the query string a bit, we realized we could hijack each other's sessions. With good timing, you could change the delivery address but leave the payment method alone... all that after having filled the cart with your favorite items.

Eric J.
Of course, this means that you've maliciously done something to get them to send merchandise to you fraudulently if you actually do this, and told "them" your address.
David Thornley
Yes, that's what makes it a major security hole. We did not actually pressed the buy button, but we could have. And, based on news reports, some people did.
Eric J.
+1  A: 

Web app on IIS, there was no file upload filter. So you could upload exe, and do smf fun ;)

they have webapps on the international space station?
mistype, thanks Jimmy.
@Jimmy: How do you think NASA does remote work? Telnet?
+43  A: 

Committing the database root password to source control by accident. It was pretty bad, because it was source control on Sourceforge.

Needless to say the password got changed very quickly.

Matthew Iselin
OK, the password got changed very quickly... but by *whom*?
Eamon Nerbonne
Scott Hanselman has confessed to this one too
+4  A: 

Maybe a bit of an anecdotal story here (but since it's the worst security hole I found)...

There was a company which sold a custom CMS (for websites) to a number of companies/organisations (including ours unfortunately). They use quite a bit of (mostly 'LGPL') components they did not make. Lots of clients (including government).

  1. Authentication for access to different parts of the website (and the CMS administration system) was handled correctly.
  2. They used FCKEditor instances in their CMS (for allowing non-html-savy users to edit webpages).
  3. They also used FCKEditor's 'upload-connector' scripts to allow users to add documents, images etc... to the site. The url to this script was hardcoded in one of the publicly visible javascript inludes.
  4. They failed to have authentication on the urls with the upload scripts.

Result: on every site they built one could (without entering credentials whatsoever) alter/delete/change/upload every single document/file and/or image on the website.

We reported this gaping security hole as soon as we found out so it may not have led to direct damage (but it could have easily).

+247  A: 

True story from my early days at Microsoft.

You haven't known fear until the day you wake up and see the headline on that morning is "Worst Internet Explorer Security Hole Ever Has Been Discovered In 'Blah'" where 'Blah' is code you wrote yourself six months previously.

Immediately upon getting to work I checked the change logs and discovered that someone on another team -- someone we trusted to make changes to the product -- had checked out my code, changed a bunch of the security registry key settings for no good reason, checked it back in, and never got a code review or told anyone about it. To this day I have no idea what on earth he thought he was doing; he left the company shortly thereafter. (Of his own accord.)

(UPDATE: A few responses to issues raised in the comments:

First, note that I choose to take the charitable position that the security key changes were unintentional and based on carelessness or unfamiliarity, rather than malice. I have no evidence one way or the other, and believe that it is wise to attribute mistakes to human fallibility.

Second, our checkin systems are much, much stronger now than they were twelve years ago. For example, it is now not possible to check in code without the checkin system emailing the change list to interested parties. In particular, changes made late in the ship cycle have a lot of "process" around them which ensures that the right changes are being made to ensure the stability and security of the product.)

Anyway, the bug was that an object which was NOT safe to be used from Internet Explorer had been accidentally released as being marked "safe for scripting". The object was capable of writing binary files -- OLE Automation type libraries, in fact -- to arbitrary disk locations. This meant that an attacker could craft a type library that contained certain strings of hostile code, save it to a path that was a known executable location, give it the extension of something that would cause a script to run, and hope that somehow the user would accidentally run the code. I do not know of any successful "real world" attacks that used this vulnerability, but it was possible to craft a working exploit with it.

We shipped a patch pretty darn quickly for that one, let me tell you.

I caused and subsequently fixed many more security holes in JScript, but none of them ever got anywhere near the publicity that one did.

Eric Lippert
That wouldn't be a nice feeling at all. Maybe the developer was experimenting and forgot about the changes when he checked in the code? Anyway, thanks for sharing.
+1 for honesty and lack of ego.
awesome and honest
dr. evil
Arguably, this is actually 2 security exploits; the other one being how to get code onto a production build server without anyone noticing / approving the change ;-p
Marc Gravell
"had checked out my code, changed a bunch of the security registry key settings for no good reason, checked it back in, and never got a code review or told anyone about it" -- doesn't sound like incompetence to me, it sounds like malicious intent from someone knew *exactly* what they were doing.
@Juliet: Yes, sounds pretty intentional to me.
Based on the other changes that were made in that checkin I choose to take the charitable position that it was incompetence, not malice. But like I said, we'll never know.
Eric Lippert
"Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
Let me ask you a question Eric, what source control system do you use at MS?
There is no one source control system mandated for use across Microsoft. Most teams these days either use Source Depot or Team Foundation. Unsurprisingly, the Visual Studio product teams generally use Team Foundation. Eat your own dogfood, you know.
Eric Lippert
+1 for the teflon shoulders
Arec Barrwin
Who checks ZDNet before going to work?
Neil N
Andrei Rinea
Where is that guy now? I was looking after him within past 12 years !
+57  A: 

Being an application security consultant for a living there are lots of common issues that let you get admin on a website via something. But the really cool part is when you can buy a million dollars worth of socks.

It was a friend of mine working on this gig but the jist of it was that prices for items in a certain now very popular online book (and everything else) shop were stored in the HTML itself as a hidden field. Back in the early days this bug bit a lot of online stores, they were just starting to figure out the web. Very little security awareness, I mean really who is going to download the HTML, edit the hidden field and resubmit the order?

Naturally we changed the price to 0 and ordered 1 million pairs of socks. You could also change the price to negative but doing this made some part of their backend billing software buffer overflow ending the transaction.

If I could choose another it would be path canonicalization issues in web applications. It's wonderful to be able to do

Awesome, you'd never have a missing left sock ever again!
Did you ever get the socks?
Alex Barrett
The order went through and the fulfillment system alerted the warehouse. We realized it probably worked and told our point of contact that they should stop the order. Apparently a bit later a warehouse manager called in asking about the order to be sure it was real. He was wisely of the mind that it was a software error.
Never mind where you got them, where would you put them?
@StuperUser, On your feet, of course.
No problem with storage, just hack the Ikea website to order 100,000 sets of drawers to put them in,
Neil Aitken
Socks for an entire life... or entire lives?! :)))))) Why were you greedy and didn't change the value to 0.1 to make it look less like a software error?
Andrei Rinea

I used to hack Novel Login (DOS prompt). I wrote a C program to simulate a login prompt and write to the file whatever the login/passowrd is and output the invalid password.

I had fun in the college days.

Not security hole. More like phishing. If you can get physical access to a box then it has at least 1000 holes.
Any machine you find lying around on the street that you give security information to is a potential problem.
Tom Hawtin - tackline
+30  A: 

Mine would be for a bank I was a customer of. I wasn't able to log on, so I called customer service. They asked me for my user name and nothing else - didn't ask any security questions or try to verify my identity. Then instead of sending a password reset to the email address they had on file, they asked me what email address to send it to. I gave them an address different than what I had on file, and was able to reset my password.

So essentially, all a hacker would need is my user name, and he could then access my account. This was for a major bank that at least 90% of people in the United States would have heard of. This happened about two years ago. I don't know if it was a poorly trained customer service rep or if that was standard procedure.

It begs the question: Are you still a customer?
and what bank is it, please?
@Si: it writes 'I WAS a customer of...'. I think that answers the question. :)
I's say USBank. I was outvoted and our business bank is USBank. They're idea of security is strange. To log in it requires 2 or 3 steps including making sure the picture matches one you picked upon setup. Onpoint's homepage is a redirect to a secure server. So much simpler and just as secure.
Elizabeth Buckwalter
This was Washington Mutual, which was seized by the FDIC and sold to Chase early this year. They also had strange error messages. When I tried to set my password from the temp one I kept getting a "Passwords don't match" error, even though they were the same and I even copy/pasted. I realized that if I put "invalid characters" like a forward slash, instead of saying invalid characters, it would give me that other message.
@Elizabeth: Uhm... you realize that's to prevent phishing right? If someone tries to copy or mimic the bank website it can look exactly the same, but presumably they don't have access to the database, so they can't pull up the right security picture. That's why that's there. Not all users are smart enough to check the cert (which might be similarly bluffed)
@mark, yes I realize that, but it's more than that. It's just overkill.
Elizabeth Buckwalter
Protecting your financial accounts is overkill? ...
Joe Philllips
@ShdNx, point taken :) The easiest 2 factor authentication I've used was with HSBC, you have a normal password, plus you get a little keychain device which cycles through numbers, which you have to enter along with your password. Still not foolproof to a MITM attack or forcing details under duress, but safer. Another bank I use has a 3x3 row of pictures from a common list which are randomly arranged, and you have to choose your pre-selected 3 in the correct order. Cheaper and easier than a piece of hardware each user has to carry, but probably not as safe.
Wow, you poor American bank customers. Security is obviously not the forte of American online banking.
Andreas Magnusson
@Si: I think @ShdNx may have been getting at this, but you've horribly misused the phrase "begs the question".
Bob Aman
@Mark, it doesn't prevent phishing. I once couldn't get the stupid picture to come up on my credit union site (it was really their site, but the picture server was down), and I called them to complain. They told me I could go ahead and log in anyway "if I was comfortable with it." (Oddly enough, I wasn't.) I've read of studies where the same thing happened; they gave people a web site mocked up to look like their bank, but with the standard "broken image" in place of the picture, and most people went ahead and logged in anyway.
@Kyralessa, you are very correct - it doesn't help very much at all, it is trivially bypassable - for ALL implementations (at least those I've seen...). Worse, it provides a false sense of security, often causing users to disregard the (lack of) SSL certificate. This is what happens when you have non-security-experts try to design a "security" solution...
@AviD: and you thought banks are where the security experts works at...
Lie Ryan
@Lie, no I didn't think that :). After much experience consulting to them, I realized that for the most part, their in-house security "experts" are *usually* either clueless or low-cost providers...
+5  A: 

Saw a door that somebody forgot to lock once...

Alternatively, saw some JavaScript which executed some SQL via an Ajax call. Only problem was that the SQL to be run was rendered with the page and then passed to the service...

A free AJAX SQL server... sounds like fun!
+1  A: 

The biggest security hole is that when web developer designed open-password field sign-up form. The password field shows what you typed and not blank it out. This way when you're signing-up form on public computers could see what you typed on password field. Many websites do have sign-up form like this.

I'm sure there are few website with low-security that password and logins of users are easily accessible to admins.

Some experts believe that password masking is bad for usability.
And what about typing passwords in public places ? presentation places ? near your kids, friends ?
Having a choice is good. If I had to choose one overall policy, I think I'd have to go with blanked out. It also depends on what the site is.
David Thornley
IIRC, Vodafone had an asterisked out PIN entry field, but showed the PIN on the following page.
Tom Hawtin - tackline
@Tom: To paraphrase a Babylon 5 quote: Ah, clumsiness and insecurity in the same package. How efficient of them!
David Thornley
That's not really *that* bad. I'd worry more about whether it was transmitted as plaintext, or how data was stored.
`<input type="checkbox" name="show" id="show">Show Password</input>`?
Jon Purdy
@AJ: Some experts believe passwords are bad for security.
99% of the time I hate the asterisked password fields. They make typing long passwords difficult. But it's that 1% of the time that I'm really glad they exist.
Chris Lively
+17  A: 

An online DVD-rent-shop in Sweden sent pure SQL-statements in the querystring.

If you selected for example category "Comedy" in the menu-frame, it then sent "select * from movies where category=2" as querystring to the movielist-frame, that then executed the SQL-statement and showed all movies matching the criteria.

Same thing when adding movies to your order.

Just change the query to "delete * from movies" and "Delete * from orders" would make the day for that company.

Assuming, of course, that the app had permissions to do that. I wouldn't be surprised if it did, but it's perfectly possible to grant somebody select permission on a table and nothing else.
David Thornley
Even if the db permissions were limited, you're still suddenly vulnerable to any db-specific exploits, (and most people don't religiously upgrade their db software) and probably denial-of-service attacks.
Eamon Nerbonne
SQL Injection ?
I've had to reject a design where SQL is stored on a web page. You would have thought it might have been thought through a little better.
Tom Hawtin - tackline
Even without all that and with the permissions locked down correctly, it's still **very** vulnerable to someone doing a ridiculously complex *ad hoc* query a few times and causing a DoS attack.
Donal Fellows
+124  A: 
This is awesome.
Kaleb Brasee
+106  A: 

I saw this one in The Daily WTF.

<script language="javascript">
/*This Script allows people to enter by using a form that asks for a
UserID and Password*/
function pasuser(form) {
    if ("buyers") { 
        if (form.pass.value=="gov1996") {              
        } else {
            alert("Invalid Password")
    } else {  
        alert("Invalid UserID")

Nothing can beat this IMHO.

I think this may be not as stupid as you think. This trivial password might work like the button "yes, I am from the federal governemnt" with the difference that a person who tries to misuse it, if caught, can also be prosecuted for "providing false credentials" (or how they call it?)
ilya n.
I saw the exact same kind of "authentication" in a cheap US Robotics router. I brought it back to the shop immediately, asked for a refund, and never bought anything from US Robotics again.
Remy Blank
ilya : It's Javascript, so it's visible to the user. After seeing that, you can just go to, bypassing any kind of control.
Don't worry, as long as the web site is copyrighted, the DMCA provides 100% protection. You're not allowed to "circumvent" the Javascript.
Steve Hanov
@Steve Hanov: You have an interesting definition of "circumvent" If I type that url into my browser... or even copy/paste it... I'm not bypassing anything, I'm just using my browser to go to an address I put in my address bar. Which is one of the intended purposes of a web browser.
R. Bemrose
congrats, you're innocent, too bad it costs 300k to convince a jury that
Dustin Getz
@Dustin Getz. It costs 300k to prosecute a case, too. That is why software patents sometimes are ineffective (costs to much to sue everyone)
@Steve if you use an anonymous terminal, like an internet cafe or library, no one would be able to find you. If a store leaves some product outside, it's not going to be there in the morning. The cops wouldn't do too much more than fill out the paperwork, because they have better things to do than cover someone else's stupidity.
Elizabeth Buckwalter
The comment is very right though: `This Script allows people to enter`.
A client already asked for a "security" in javascript like that, knowing that you could just make a "view source" to have the password. I think it was required by the law to have a "restricted area" for the kind of professionals that were using the site.
When I was in middle school I built a website for my Star Craft clan. I did this exact thing, except I had multiple users and passwords. At the time it was "clever"...
Zack Mulgrew
When I was in highschool, the school had a system for accessing your grades by entering a student ID and PIN #. The valid PIN #s were stored in the javascript source on the page. To their credit, the PIN #s were encrypted, but they used a 'clever' home-brewed encryption that was no match for a bored teenager.
Dan Bryant
@R. Bemrose: So you've successfully argued that any internet browser can be classified as a hacking tool under DMCA.
+26  A: 

I'll share one I created. Kind of.

Years and years and years ago the company I was working for wanted indexing on their ASP web site. So off I went and set up Index Server, excluded a few admin directories and all was good.

However unknown to me someone had given a sales person ftp access to the web server so he could work from home, this was the days of dialup and it was the easiest way for him to swap files.... and he started uploading things, including documents detailing the markup on our services.... which index server indexed and starting serving up when people searched for "Costs".

Remember kids, whitelists not blacklists.

I think "whitelists not blacklists", while often good advice, is not the correct lesson to learn here. The correct lesson is "don't put private data on a public server". Also, "don't let sales people access the server".
Oh, the harmony between the answer and the avatar.
+452  A: 

From early days of online stores:

Getting a 90% discount by entering .1 in the quantity field of the shopping cart. The software properly calculated the total cost as .1 * cost, and the human packing the order simply glossed over the odd "." in front of the quantity to pack :)

John Stauffer
that is awesome.
This is a classic example by the textbook.
I found a site that still had this flaw a few months ago - I've e-mail them to point it out (I do have SOME morals ;) )
This is definitely an argument in favor of using a strongly typed system.
R. Bemrose
What's the site? I want a 90% discount!!!
@TWith2Sugars, was that _after_ you've ordered whatever you wanted to from them? ;-)
Maybe you should have requested a .10 percent quanity instead. ;)
Jeff Bezos mentioned that in the very early days of Amazon, you could have a negative quantity of books and Amazon would credit your account (and presumably wait for you to ship it to them). See 0:47 at
Jeff Moser
@John Stauffer: I have to know the site before I believe this?
Viktor Sehr
There were a few websites that you could "build your own" computer, and the way some of them worked is you could downgrade your computer from the base model by adding a product to your card with a negative price. When you finally got to the cart screen, you could buy multiples of them and lower the total price. A similar concept, really.
Cannot upvote it enough!
Would have loved to see the face of the customer who actually got delivered the .1 harddrives he paid for.
Also in the early days, I loved coupon usage tracked with cookies. Like Get ONE free Compact Disc, delete the cookie, use the FREE disc coupon again, delete cookie, etc., etc.
Ash Machine
Does anybody know shop where this works (confirmed)?
+166  A: 

I hope you can spot what's wrong here. (Terribly wrong, in fact):

String emailBody = "";

for (int i = 0; i < subscribers.Count; i++)
    emailBody += "Hello " + subscribers[i].FirstName + ",";
    emailBody += "this is a reminder with your account information: \n\n:";
    emailBody += "Your username: " + subscribers[i].Username + "\n";
    emailBody += "Your password: " + subscribers[i].Password + "\n";
    emailBody += "Have a great day!";

    emailDispatcher.Send(subscribers[i].EmailAddress, emailBody);

The last recipient was the happiest ;)

Are you talking about the fact that you store plain-text passwords or the fact that the emailBody is never cleared?I'm not even sure which is worse.
Kristof Provost
You mean not using StringBuilder? :D (Just kidding.)
@Kristof - I'm guessing he means the fact that the last user gets a list of ALL the users and passwords. :)
Don Branson
I like the remark at the end! ;)
I doubt this would ever slip through to the public
Aaron Qian
@Aaron: it easily could if the emails to be sent were a one-off kind of thing, and the shop in question did not have a good testing or review culture.
@Aaron: This stuff slips through to the public all the time. There's a slashdot article of this kind of think happening every week.
sending credentials over email is a nono, the default gmail settings send content in plaintext.
Dustin Getz
I made a similiar least I'm being honest about it :).When I first started programming I stored passwords in plain text and I also gave users a chance to "Retrieve their password"...its ok though it was an INTRANET app ;).
I absolutely *loathe* systems that email me back my password as part of the registration process. This has two flaws:1. They're storing my plaintext password somewhere within their system. If not their permanent user database, definitely their registration processing system.2. It was sent via EMAIL, either plain text or HTML, SMTPing its way through mail relays across the internet. There's a number of men-in-the-middle which could intercept this. At the very least, if you feel the need to send me emails with secure information, let me specify my public PGP key to you to encrypt it!
Jesse C. Slicer
I used MD5 hashes to protect the passwords in a database once. But after I ran the results though a rainbow table and matched about 50% of the passwords... I figured it was a good time to add a salt.
Matthew Whited
I did something similar,except I used a PHP mailer and forgot to clear my recipients array every time I looped through a group of recipients. So instead of an insanely long email sent to the last guy, the first guy got spammed 200 times (would have been more, but we hit out cap on email from our ISP)
Peter Turner
So. Much. Fail.
@Kristof - I agree the password probably wasn't encrypted, but can you be certain just by looking at that code? The property accessor might have performed the decryption.
The day after reading about emailing plain text passwords, I was emailed my password in plain text. Gawd!
Elizabeth Buckwalter
@peter +1 for admitting the mistake publicly :)
Elizabeth Buckwalter
And to think that's exactly 1 character away from what they wanted to do...
@Si if the password can be retrieved at all, it's not secure as far as I'm concerned (as a user).
Haha... that's hilarious and i sometimes do this too. He wasn't clearing `emailBody` he was just appending to it, so each user got the email and pw of every user above him ;)
Click Upvote
@Jesse: actually if you send out a plaintext password on registration then it doesn't mean it's being stored in that form anywhere. You just submitted it in plaintext over the net, the server received it, sent the email then hashed it and stored the hash in the database.
@DisgruntledGoat I was just about to mention that!
The terribly wrong thing is that Kristof got much more votes than Don's, by the time my comment is added:-) (Oh, forgot to mention ShdNx)
@Codism The second part of Kristof's answer was exactly what Don said, just less obviously
Michael Mrozek
Cannot upvote it enough.
And he didn't even use a StringBuilder. :)
@DisgruntledGoat really? I'd hope to goodness that any system that sends out emails is processing them asynchronously so that the main processing threads are not burdened with that. That usually means storing the emails in a database to be processed or using a queuing system such as MSMQ.
Jesse C. Slicer
@Jesse: That is really not a problem for the majority of web sites, sending an email is instantaneous. (In fact, most people will not be able to do asynchronous processing since you'd need control over the server.)
@DisgruntledGoat: I guess I've always been in control of my servers and when I need to send out mass emails to my userbase, I want to be able to control the priorities of those emails versus higher priority ones such as user registrations.
Jesse C. Slicer
Cant actually believe someone did this!!!
David Conde
It worked when I tested it with just me. :)
John K
Haha, I spilled coffee all over the desk, but it was well worth it!
Michael Foukarakis
+6  A: 

I inherited a client project to baby-sit: an ASP.NET project (built back on 1.1) that was 50% compiled DLL's (with no source) and 50% code-behind JIT compiled.

The entire site was supposed to be members only - except the original developer had built a back-door: simply submit the login form with a blank username and password, and you would find yourself logged in as a secret super-admin: do anything, see everything.

You guessed it: all of the authentication code was hidden away in the pre-compiled DLL. The worst thing was when I was informed "it was not on the list of bugs, and the client won't pay, so leave it". So I did, and it's still live today.

If you could change the codebehind you could have fixed that in one line.
How did you fix it? Reverse-engineered the DLL?
Aaron Qian
You could also use ildasm and ilasm to fix it :)
Matthew Whited
The site was half code-behind, half not: any attempt to add a vb/cs file to override a compiled page sent the site south, with crazy home-brew licensing and dependency exceptions. IN the end I wasn't allowed to fix it, even if I could of - no money, no work.
Ouch! I never understood why having a blank username and password is the way to go for back doors. It doesn't even make sense to me.
+22  A: 

How about a online document manager, which allowed to set every security permission you could remember...

That is until you got to the download page... download.aspx?documentId=12345

Yes, the documentId was the database ID (auto-increment) and you could loop every single number and anyone could get all the company documents.

When alerted for this problem the project manager response was: Ok, thanks. But nobody has noticed this before, so let's keep it as it is.

I really hate that attitude, been getting it a few times. Makes me want to let others do it just to teach 'em a lesson.
I finally got the go-ahead to fill a hole like this at my last job... after months of complaining about it.
It's not that uncommon to find websites that let you do this. You'll see a directory of recent or archived articles, but can't go back farther in the list than a page or two without having to log in. Just open the first article, and change the right parameter in the url to any post number you want to see any article.
+40  A: 

Not changing admin passwords when key IT employees leave the company.

or leaving the factory defaults like admin/admin (as well or especially in the hardware)...
I've got one worse -- I left a university after having been strung along, with the directory telling me they were creating a higher grade job for me after I had graduated, but I later found out he told my manager they were *not* to promote me. Needless to say, I wasn't happy about it. I specifically told my manager to change *every* password I had access to. The week after I left, I get an e-mail from my manager with the root password, 'just in case I needed it'. I contacted the sysadmin to make sure it was changed again, as I didn't want to take the fall if something went wrong.
@Sophomore: I recall in Feynman's biography him commenting that many of the giant, ultra-secure safes housing the Manhattan project secrets were left in the default combinations.
I can just imagine a USSR spy getting to the safe and trying everything he can think of to crack the safe, "Damn! I can't crack it. Wouldn't it be funny if I could, score one for Mother Russia!"
Changing admin passwords when people leave is a reasonable thing to do, something that should just be part of the normal process - but failing to change them is not a huge security hole. The reason for that is that "key IT employees" could always leave backdoors for themselves if they so chose. You're basically at their mercy, relying on their honesty.
Can't smile while reading this, I was working as an IT technician a summer at a very well known swedish company, and when I returned several years later to work as an engineer, I had some problem installing some software. Out of blue I remebered the old admin password, and voila! it worked =)
Viktor Sehr
@Brian I remember watching a documentary where they said the USAF left the nuclear missile codes as 0000000 because they didn't want to not be able to use them.
+9  A: 

Stocking credit card information in a database with no encryption ( WHOLE information: number + expiration date + cryptogram). In addition, the database was used as a kind of CRM, so lots of sales people can access it with a not-secure-at-all password. (Who haven't changed it since I left the company 3 years ago.)

Antoine Claval
I'm sure there are quite a few of us who have worked for companies which (illegally) store credit card details.
Yeah, I was going to say, not only is that a security issue, but ILLEGAL.
Brandon Hansen
wow I get pissed off everytime amazon tries to remember my creditcard number... DON'T HELP ME... I don't want my account saved on your servers.
Matthew Whited
@Brandon Hansen: I don't know that it's illegal in the USA, but it is grounds to have your ability to handle Visa cards revoked immediately.
David Thornley
+8  A: 

I don't know if this is the worst, since I've seen some that were pretty bad, but:

Years ago, a place I worked at brought in a system called FOCUS. Don't know if it's still around or not. It's great for reporting, and we developed and taught perhaps a thousand or two non-IT people how to produce their own reports. Very handy. They could do the basic reports, some could do the medium-hard stuff, and IT could help with the harder stuff.

All of the data for reporting was copied regularly to shadow databases in FOCUS' own format. For the more sensitive data, we set the secure option, which encrypted the data. All well and good.

So, one day my boss calls me in, and we've lost the password to one of the sensitive databases. It's going to be hard to reproduce the data in this case, so he asks me to see if I can break the security. I had no experience as a hacker, so it took me about 5 or 6 hours to hand him the password. I started by creating some test files, and encrypting them with different passwords. I found that changing one character in the password would change two bytes in the encrypted file, specifically, the high nybble of one byte, and the low nybble of another byte. Hmmmm, says I. Sure enough, they stored the password somewhere in the first 80 bytes of the encrypted, but obfuscated the password by splitting the bytes into nybbles, and storing them in predictable places.

It didn't take long after that to write a REXX script that ran under the VM/CMS system and would tell us the password of any encrypted database.

That was a long time ago - in the early nineties, and I'm sure they've since fixed this problem. Well, pretty sure.

Don Branson
+14  A: 

Not strictly a security hole, more of a "feature" that lots of rookie server admins didn't know/care about at the time.

Around 1999-2001 I had lots of fun with Frontpage and unlocked Frontpage server extensions installed on public facing websites.

When you had Frontpage installed you got this nice handy "Edit in Frontpage" button within Internet Explorer.

When visiting a site, e.g., If you clicked on the "Edit in Frontpage" button in Internet Explorer and the server admins hadn't done their job properly then Frontpage happily opened up the full directory structure of the virtual directory and allowed you to read/edit the contents.

This worked on many sites from little one man band setups to bigger public organisations.

I always fired an email off to the "webmaster" when found an open server and I once got a £50 gift voucher from an online retailer for alerting them to this.

Shocking stuff really.

DISCLAIMER - I need to point out that Frontpage was on the standard build PC I was given in those days, not of my own choice!

And to this day I'm still asked "is Frontpage good enough?" :s
The Wicked Flea
It's refreshing to hear about a company that actually *thanked* someone for alerting them to a security hole instead of trying to *blame* them for it.
Well, I didn't tell you about the 2nd time I found a similar hole for a potential client, I naively thought they would be happy to know about such a glaring hole, but apparently not - we subsequently did not win this business – no £50 voucher that time!
About a year ago I was asked to check over a website being designed for an old client by another outfit. Naturally I looked for vulnerability to a SQL injection attack - and the site was wide open. So I documented what I'd done and how to fix it, only to have the boss of the company on the phone to me half an hour later screaming at me that I was a hacker, he was reporting me to the police and and he was off to see his lawyer so he could take me down for everything I'd got. He rather sheepishly backed out a couple of days later when I imagine someone talked some sense into him.
This seems to me like a good way to filter out potential clients. You don't want to sign a contract with someone like that and get burned later...
+100  A: 

At a university no less, which will remain nameless, they had all their action queries being passed through the URL instead of form posted.

The thing worked a treat until Google Bot came along and ran through all of their URLs and wiped their database.

Good old SQL Injection by Design. I've worked with reporting functionality that has had that "feature" built in.
LOL, sue google then
Aaron Qian
@ICodeForCoffee: where's the SQL injection here? This is just confusing the purposes of GET vs POST. It's a fairly common mistake by novice web devs. I recall reading a Daily WTF article about this exact problem.
Didn't an very early version if Wikipedia have this problem? They had links which would revert edits or something.
The real problem here is the Googlebot could wipe the database without ever authenticating.
Isn't this how ASP.NET MVC works? by providing everything as REST-type interfaces with nice little urls? Like
Lasse V. Karlsen
@Lasse: No. Anything that changes data is a POST which redirects you to a GET (aka something you can type in the browser). Your link just shows you the html form to update the post.
Hope they were able to retrieve them from google cache.
I agree that this is a novice mistake, A lot of my older admin interfaces use GET to modify data. However these are at least hidden behind a login.
Neil Aitken
LOLL... I can't LOL enough on this one =)) damn google!
Andrei Rinea
+4  A: 

In 2007 a DOD website for a fairly large agency had a misconfiguration resulting in the IIS web server serving up raw code and the home page had hard coded username/password and database server information in it. Fortunately it was caught rather quickly but I did witness it and it was extremely shocking. Needless to say their website was taken offline by network engineers until the developers fixed the bad code.

Frank Hale
+6  A: 

I used to work for a point-of-sale company. Their software was used by a lot of pizza joints.

It was up to the customer to change the default passwords. The default information is printed in the user manuals and such. :)

Well, some kids who worked at one of these pizza joints guessed they hadn't change the root password (Unix/Linux based system). They then proceeded to buy him and his friends free delivered pizza to his house for close to a year before the pizza joint noticed. It makes me laugh everytime I think about that job. :)

+108  A: 

Once noticed this on the URL of a web-site.;param2=y&amp;admin=0

Changing the last parameter to admin=1 gave me admin privileges. If you are going to blindly trust user input at least don't telegraph that you are doing it!

It's a handy feature ;) Haven't you seen WarGames? Something like "every good developer adds a backdoor to their system" hehe.
+27  A: 

A Norwegian pizza delivery had a security hole where you could order negative amounts of pizzas at their new and shiny internet portal and get them for free.

The other security hole is the employees, right? "Well sir, the computer says you get 15 pizzas for free, so... here you go!... do I get a tip?"
Nathan Long
AFAIK pizzas was actually delivered, probably due to some advertising campaign or whatnot.
Pizza delivery guys probably don't give a rats ass about that kind of stuff. And they can change the price. Last time I ordered from that company the guy forgot the soda, and had to go back and get it. He gave med 75% rebate since I had to wait for my soda. Hence I got a soda, large pizza and a DVD for less than the price of the DVD alone.
...your pizza place gives out DVDs too? O.o
As a former pizza driver... no, we didn't give a rats ass about that kind of stuff. And neither did our managers.
Wouldn't the delivery guy come by to *collect* the pizzas you're *selling* them?
Jon B
Wow.. and the delivery guy had to give you the tip? =))
Andrei Rinea
+2  A: 

The Chinese filtering software -- Green Dam's official website has server mod_status info wide open for public amusement.

For the curious:

For some reason, you might want to press stop button shortly after loading, or else it just says connection reset for some reason...

Aaron Qian
Any idea why the connection gets reset?
+3  A: 

Plaintext shipment of username list to the browser for JavaScript autocomplete, coupled with the ability to view users data by tweaking the URL querystring with the unique user id, which could get gleaned from said autocomplete feature.

Russell Steen
+2  A: 

During a time I was having... creative differences... with a community site that I helped build, one of the other coders added a new PHP file that lists files in the approval queue that also had a link to delete each file.

Unfortunately, this script used the whole security through obscurity concept.

Somehow, a web crawler found this page and followed all the delete links.

Needless to say, scripts that modify metadata or delete files now require logins.

P.S. I had nothing to do with it and wasn't even aware of this script's existence until one of the then-current staff told me what happened. I actually work for this site again now, in part to make sure things like this don't happen again.

R. Bemrose
+392  A: 

The least forgivable security hole, and unfortunately a very common and easy to find one at that, is Google hacking. Case in point:

It's amazing how many pages on the Internet, government sites in particular, pass an SQL query through the query string. It's the worst form of SQL injection, and it takes no effort at all to find vulnerable sites.

With minor tweaks, I've been able to find unprotected installations of phpMyAdmin, unprotected installations of MySQL, query strings containing usernames and passwords, etc.

Good find !
George Stocker
This is unbeliveable!
Gary Willoughby
...Oh. My. Gosh.
Nathan Long
You have no idea how tempted I am to bring down a few of these sites! Luckily for them I have good impulse control!
Why would anyone do this--it has bad idea written all over it?
This is a good example of writing flexible code. When writing links you can do anything you want easily! Hurf durf.
Stuart Branham
Oh dear God, how inconceivably stupid. That would be me marching that developer to HR with a box in hand.
little Bobby tables strikes again...
OMFG ... next time I have a bad day, I go drop some tables
It's amazing what Google can find. On my site I have some pages with no links to them and it still manages to find them.
Ben Shelock
What I really like about this example is that the first result is from an Oracle blog.
Ravi Wallau
To be fair, several of those (including the first result, @raviaw) merely happen to have those words in the page title and are not security holes at all. But still...
Michael Myers
@mmyers... I see... It is funny anyway :-)
Ravi Wallau
Sorry, I do not get how this works. Would you explain for the dumb?
Hamish Grubijan
@Hamish Grubijan: There are some 'web developers' out there which are passing there queries directly in the URL (GET), without re-validating it on the other site. You can basicly pass everything in that URL and it will get executed on the database.
+3  A: 

Years ago a school hosted a learning platform website with the ability to upload .PHP files to the website which you could execute afterward, so they gave you full access to the whole website. Haven't been discovered by any other student and I think that mistake is still present.

+1  A: 

News Headline that's in the spirit of this thread... on today's front page of /.
ISP Emails Customer Database To Thousands

+3  A: 

A couple of years ago a friend gave me an old axe-head that he'd found, hoping to be told it was some ancient artefact. So, a search on Google for some likely website to help in the identification gave me a link to a museum website somewhere in the Midlands (UK).

Except the page it dropped me on gave me full administrator rights over the entire site. Being a responsible type, I changed the name of the account owner, just so they'd know I wasn't talking rubbish and sent them an email suggesting they plug whatever hole it was that let me in, before somebody more malicious found it.

Needless to say I received a very thankful email from site owner, who'd been assured by the developer that the fault had been found and fixed. Although you have to wonder about the abilities of someone who's that careless.

When you find a security vulnerability like this, _never_ touch anything, go straight to the reporting phase. You were lucky that this was a sensible person who thanked you for your help. Might as well been the type that calls the police and sues for damages.
Kudos to wds. About a year ago I was asked to check over a website designed for an old client by another outfit. Naturally I checked for SQL injection attacks and the site was wide open. So I documented what I'd found and how to fix it, only to have the boss of the company on the phone to me half an hour later screaming at me that I was a hacker, he was reporting me to the police and and he was off to see his lawyer so he could take me down. He rather sheepishly backed out a couple of days later when I imagine someone talked some sense into him, but some people are stupid and vindictive.
And I should emphasise that I didn't actually change anything, only demonstrated that he wasn't sanitising his inputs and that the presence of a judiciously place character or two crashed his scripts. To be fair he himself wasn't a programmer (but some sort of marketing drone) and I suspect when he pointed it out to his programmer they tried to cover their back. It was never realistically going to go anywhere, but still a PITA at the time.
+83  A: 

Surprised no one has brought up social engineering, but I got a kick out of this article.

Summary: malicious users can buy a few dozen flash drives, load them with an auto-run virus or trojan, then sprinkle said flash drives in a company's parking lot late at night. Next day, everyone shows up to work, stumble on the shiny, candy-shaped, irresistable hardware and say to themselves "oh wow, free flash drive, I wonder what's on it!" -- 20 minutes later the entire company's network is hosed.

Which is why in many places (including where I work), flash drives are banned.
Michael Myers
Autorun is evil.
Mark Ransom
**@mmyers:** banning flash drives is not the good approach. Break the autorun/autoplay.
Read some time ago, another approach (from the floppy disk times). Live a boot infected floppy disk labeled "Accounting data - confidential" in a corridor of the office and wait 5 minutes. Irresistible!
Fortunately, I can always boot up from a Linux Live CD and examine the flash drive from there.
David Thornley
Great, i like it
Rakesh Juyal
@Jay - Unfortunately, how many people would look at the files and then double click on them "to see what they do"? Banning is a necessity many of times because people don't think.
I remember reading somewhere about this trick! I just can't remember where...
Andrei Rinea
I always wipe new flash drives with random bits and check them to make sure the flash drive actually has the advertised capacity.
Joey Adams
It actually sounds pretty foolproof from the point of view of the attacker. The bigger the office, the slower you can be with the drops, and you can have files that people from that office would want to click on. Computers are looking worse all the time. iPads forced on all but admins is the way to go. Locked down software, cheap, no usb.
Tom Andersen
+5  A: 

It wasn't that bad in my case, because the data wasn't that sensitive:

I was given an Excel file overflowing with macros to update, each sheet was locked and the macros section was password protected. I was given the passwords, but I figured I may as well try to crack it anyway.

I found a program to do it in about ten minutes, and most of that was probably just download time. What was this miracle product that can break through Excel security so quickly and easily? OpenOffice.Org.

I'm not sure if Office 2007 has improved upon this at all, but it scares me how many non-technical people are probably using Excel for manipulating sensitive information and thinking it's secure. Then again those types of people probably don't even know about the "security" features it offers anyway.

+27  A: 

I think the blank username / password field for superuser access is by far the worst. But one I have seen myself was

if (password.equals(requestpassword) || username.equals(requestusername))
    login = true;

Too bad one operator makes such a big difference.

Stefan Ernst
wow... that's cool
Matthew Whited
wow, i naturally have a compulsion to fix it
+3  A: 

I was browsing a shopping website, and when I typed in my email address, I noticed the address entry page just had in the URL "?nOrderID=301".

Alight then. I change that number to 99, and guess what? I get the name, address and phone number of some lady who lives in Bend, OR.

I did email the site admin a few weeks ago, and he didn't sound very happy about it, but it still hasn't been fixed...

That, and for a while the company's I work for entire employee information list (everything about the employee from address to SSN to pay) was stored in a password protected Access database.

Use your favorite search engine and look up how to recover access database passwords. Yep.

Drag and drop it into this, and you get the password. A five letter dictionary word.

I have to hold my hands up in relation to the first one - on one of my first e-commerce sites I made the same mistake; luckily my boss noticed it before any users complained...
Mark B

Last year, I discovered that the website used to handle our checks/statements for the company I was working for was riddled with SQL injection holes.

Needless to say, they fixed their holes pretty quickly.

Not really a great answer, isn't this like every other half ass written application out there? (:
+3  A: 

For the master list of security holes (and other computer risks) visit

Jim Garrison
+1 Fantastic link Jim!
+7  A: 

We had a customer that made it a requirement to auto-login based on specific HTTP referrer's. So you and I have to login, but if you clicked on a link from a specific website, you are automatically logged in under a default user.

And one can forge the referer(sic) string easily and does not need to come from the actual website.
+3  A: 

We had an old computer cluster that wasn't running in one of the labs I worked in. A couple undergrads thought it would be fun to get it up and running so they could learn a little parallel computing. Well they got it running and it turned out to be pretty useful.

One day I came in and was checking out the stats...It was running at 100%. Now this was a 24 node cluster and there were only 3 of us that ever used it so it was a little strange that it was running at this load. I started playing with it, trying to figure out what was loading it...turned out someone had gained access and was using it as their own little porn server and spammer. I asked the undergrads what kind of security they put on it, they looked at me and said "Security? We didn't think it would need any."

I threw a password on it and that was that. The person that was using it as a porn server turned out to be a friend of one of the undergrads.

sounds like someone was getting kick backs but didn't say anything when he was busted.
Matthew Whited
+4  A: 

My vote's for Ken Thompson's "back door" into UNIX.

Here's a link where someone's learning more about it:

The reason I think it's the worst is that this was back in the day when judges and such thought the best way to make progress against this sort of thing was to discuss it openly.

All that did was teach a bunch of script-kiddies a new and very powerful trick.

As opposed to security-by-obscurity? I mean, it's not like there are any examples of problems with that in these responses.
I'm not sure I understand your point. The technique KT used was at the time, and for most people remains today, totally non-obvious. Explaining it clearly simply adds another potential power-tool to the toolbelt of your typical non-innovative hacker.
@pbr you're essentially dredging up the entire "Is full disclosure good or bad" security argument. Yes, publishing a non obvious exploit makes it possible for script kiddies to exploit it, but it also allows administrators and users to be aware that their programs may be unsafe, and it gives you more people who are able to come up with a solution (and safe guards to future problems). You should read any of the previous debates out there on full disclosure if you want arguments much better than mine.
Not to mention that writing a KT back door is beyond the ability of the average script kiddie. It's also trivial to find an exploit like this if you have two independent C compilers (neither has to be trusted, except not to be rigged in the same identical way).
David Thornley
+5  A: 
public class AuthenticationServlet extends HttpServlet
    private String userName;
    private String password;

    protected doPost(HttpServletRequest req, HttpServletResponse resp)
           throws ServletException, IOException
        userName = request.getParameter("userName");
        password = request.getParameter("password");

Apparently as someone figured out during automated load testing, singletons and lack of synchronization can cause security issues.

Vineet Reynolds
+7  A: 

Once I worked with a firm to which I had to share information through encryption. They provided me with a GPG key pair - both their public and private keys instead of just sharing the public key and the info that was highly confidential.

I had to explain them that this process was wrong and they realized that they had been doing this for a long time.

+5  A: 

The worst security hole I have ever seen is when people don't use a master password on their firefox account even though they are having it save all their passwords. This means that anyone who can get to your account files can steal all your passwords. USE A MASTER PASSWORD.

yeah but sooo many people who work on a network at work/school where there any employee admins can pull up the instance of their windows user account
Tell you what. If you can get onto my account at home, you can get to my Firefox files, and then you can get all my non-critical passwords. I think that's safe enough.
David Thornley
the key being that you only save the 'non-critical' passwords..
Not really necessary. Encrypt your hard disk and place the firefox files there. Of course, never leave an unlocked system alone.
right but that's not the point, the point is that the average user does not encrypt their files nor do they know of this flaw
@khedron sudo nautilus anyone?

I've heard that Turbo Tax used to send your SSN in a plain text file when you submit your return electronically. That doesn't seem like a great idea.

I also know of a company that stores credit card info in plain text CSV files on the desktop. They then get sent via FTP to the payment gateway....

+91  A: 

The worst security hole I've ever seen was actually coded by yours truly and caused the Google Bot to delete my entire database.

Back when I was first learning Classic ASP, I coded my own basic blog application. The directory with all the admin scripts was protected by NTLM on IIS. One day I moved to a new server and forgot to re-protect the directory in IIS (oops).

The blog home page had a link to the main admin screen, and the main admin screen had a DELETE LINK for each record (with no confirmation).

One day I found every record in the database deleted (hundreds of personal entries). I thought some reader had broke into the site and maliciously deleted every record.

I came to find out from the logs: The Google Bot had crawled the site, followed the admin link, and the proceeded to follow all the DELETE LINKS, thereby deleting every record in the database. I felt I deserved the Dumbass of the Year award getting inadvertently compromised by the Google Bot.

Thankfully I had backups.

Matias Nino
This one has been mentioned many times here already
Guess it shows how common a mistake it is.
Aye, but with the added twist of the Google Bot hitting the delete links? I think not! :)
Matias Nino
That's why you should always POST for changing actions.
awesome story! Thanks for sharing. Upvote for posting something YOU did.
Patrick Karcher
@recursive: true, but if the directory is not password-protected, it doesn't stop a human deleting everything.
I've had this problem with browser plugins that prefetch links. I once worked for a blogging site, and we were puzzled for days when one user reported that all comments on her blog would mysteriously vanish.
to complete @recursive's point : and this is why POST are not followed by SearchEngines and POST results are not cached.
Andrei Rinea
+9  A: 

We had a nice one at a store I used to work at. Doors to non-public access areas had keypads, so you were supposed to have to enter a pin code to gain access. However, you could just press # and the doors would open, a fact that we liked since it was much easier to hit # than a 6 digit pin code.

+2  A: 

Went to a pay site for car dealers that charged a lot for a membership. Just tried "test" for the username and "Test1" for the password. I was in.

+1 I've worked on sites where I had to manually delete scores of test accounts with insecure credentials.
Jon Purdy
+3  A:

Alexander Temerev
Interesting that they haven't filtered .svn ( also works) but is this a security hole? No credentials would be in there.
Other sites left source code to their web apps their. A List Apart (fixed now) was one of the higher profile ones.
+1  A: 

Default login credentials, especially when the are admin/root and password.

Martin Spamer
+1 Hope you don't mind me adding the link to dpl.
+58  A: 

Microsoft Bob
(Credit: Dan's 20th Century Abandonware)

If you enter your password incorrectly a third time, you are asked if you have forgotten your password.

But instead of having security, like continuing to prompt for the correct password until it's entered or locking you out after a number of incorrect attempts, you can enter any new password and it will replace the original one! Anyone can do this with any password "protected" Microsoft Bob account.

There is no prior authentication required. his means User1 could change their own password just by mistyping their password three times then entering a new password the fourth time -- never having to use "change password."

It also means that User1 could change the passwords of User2, User3... in exactly the same way. Any user can change any other user's password just by mistyping it three times then entering a new password when prompted -- and then they can access the account.

Dead image urls?
Svish: they are just preventing hot linking.
This may be apocryphal.
Andrew Grimm
This is the same behavior as Windows itself when a computer is not administered by a domain. Even on Windows Vista Ultimate, you can reset a password at any time. I am guessing that denial-of-service is considered a bigger threat than unauthorized access; especially since you can get most stuff just by re-mounting the drive elsewhere anyway.I believe the purpose of the password in this case is for intrusion *detection* rather than prevention.
Jeffrey L Whitledge
I can see the images.
Aaron Bush
@Jeffrey: Thing is, once the black hat has physical access, it's pretty much "game over". If you want to protect against that, you need serious encryption (as well as ways to scan for hardware and software keyloggers, etc.).
David Thornley
Someone wiser than me pointed out this is just good threat modeling. 'Bob' was for home use in an non-networked era and you were FAR more likely to suffer an attempted DOS from your little sister or a hangover than from some burglar. Bob let you know that your account had been accessed (because your old password no longer worked) but didn't try to do more.
My wife just saw me looking at this... Her:"Oh my gosh! What program is that?!" Me:"...Microsoft Bob?" Her:"I *loved* Microsoft Bob!" *Sigh*...
Tim Goodman
Ehm, Microsoft Bob was considered to be a start-up aid for computer newbies. The target Windows was Windows 3.1 which was/is not secure as you maybe know. So why should Bob be better? Even in contrast! People should always have a feeling of success. And if they've lost their pass they should have an easy way to make a new one. I think the whole password stuff was only there to make people accustomed to the password thing in computers.
@ChristianWimmer - Sounds kind of like giving people a backpack marked "Parachute" so they get used to the feel of one on their back, but without telling them there is no parachute in there.

In PHP this was in the first include file:


It allowed overwriting of variables that were not called by _GET or _POST.

A friend of mine once knew of a site that passed SQL queries as GET arguments. You know some people had some fun with that.

+1  A: 

The worst security hole is to use Internet Explorer's option to remember your passwords. What people don't realize is that tools such as this one by Nirsoft can reveal all your passwords.

Why only IE? You can decode Firefox's password file as well. Chrome goes one step further - it's memory of form fields is held in a plain text file, so if you've typed in a credit card number into a field where the site developer didn't turn autofill off ...
@blowdart - if you use a master password with firefox, the password file is encrypted with the master password as the key. See
+3  A: 

At my first job I started out as an intern in the IT Security department. I was tasked with automating network and application access to various user accounts as each user moved around to different departments / roles. That being said I had access to some basic tools, such as Query Analyzer, and just a few databases, but not much else. The company generally kept everything locked down so there were always permissions to reset and grant and such.

At the job all part time people were given and required to use a small VB fat client application to track hours worked, and at the end of the week a button became available to show the logged in user the amount of hours that they had worked for the week and the amount that they would be paid that week.

Out of sheer boredom one day I stumbled across the directory that the small time tracking application resided in on the network, and noticed there was only one other file besides the EXE in that directory, a settings.ini file.

Sure enough, after opening the file there was the connection string in bright shining plain text; user, password, database name, server and all.

At this point I was thinking no way would this be the real information, but after firing up Query Analyzer, and entering the ini settings I was in to the main production database that had every piece of data anyone would ever need to give themselves a raise. Full read and write access to boot.

I ended up showing my boss a query of who made what and he calmly told me to forward it to the director of HR.

Let me tell you I have never had a faster, in person response to any other email in my life.

The next day I came into work the time tracking application had an update, and alas no more settings.ini file.

They probably just hard-coded the credentials in the exe :-)
lol, the guy must have sprinted to your office 5 seconds after getting the email...
+5  A: 

The worst I personally found was at a university which used machines running X for all the systems (including professors' offices). A single server hosted all these X sessions...

Amusingly, you could launch a new X application (clock being a favorite, but any X application would work) and choose the terminal it was displayed on. With a quick script, you could launch it on every computer on every lab/office on campus...

Of course, the application which really exposed this security hole was a fake shell login, the inputs from which were recorded to a file.

It ran for a week and scarfed up hundreds of student and professor usernames and passwords, and generated a couple of EXTREMELY unhappy administrators.

+3  A: 

In signed code:


(You can google code search for that.) Removes all Java security restrictions from all code running in the process. Possibly not thought through very well.

Tom Hawtin - tackline
+8  A: 

Windows 95 and 98 had the best bug ever. If you just pressed cancel you would be logged in with admin priviliges :) Had a great time at my dads work back then :D

haha i remember this
actually, IIRC, that was your password to get on SMB shares and the like. it was never meant to serve as authentication for the local machine.
With Win9[58], there wasn't anything like "admin privileges", because every user had full, unrestricted access (the little toggle in Control panels->Users notwithstanding, that was basically eye candy).
This is not a security hole. What that login screen actually did is unlock your "password list" (.PWL) file, which stored passwords for network shares (and possibly some other passwords). If you didn't care about the password list then it was perfectly fine to hit Cancel. As already mentioned, there was no local authentication at all, let alone any "admin privileges".
@Evgeny: Isn't the lack of local authentication (and of accounts with lesser privileges) a security hole by itself?
Vinko Vrsalovic
+1  A: 
"select * from LoginMaster where UserId='" + txtUserId.Text + "' 

                           and Password='" + txtPassword.Text + "';"

I have seen this in a production web site, which is running MLM business. Above Sql Statement is VERY VERY vulnerable to SQL injection.

I will also list here HACME BANK. According to the site Hacme Bank is :

Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software. Hacme Bank simulates a "real-world" web services-enabled online banking application, which was built with a number of known and common vulnerabilities. This allows users to attempt real exploits against a web application and thus learn the specifics of the issue and how best to fix it. The web services exposed by Hacme Bank are used by our other testing applications including Hacme Books and Hacme Travel.

Perhaps they should rename themselves: Hackme Bank.
Eduardo León
@Eduardo: I think that's the point. It's a pun.
Well, at least it's not `... AND password LIKE '" + $pass + "';` No, I'm not kidding...
@Bobby: What about the number of people who think they can defend against that sort of thing biting them by putting javascript in the browser to remove all `%` characters before submission? :-/
Donal Fellows
@Donal Fellows: You mean [similar to this]( Yeah...there are too many developers which just develop their applications, but do not evolve themselves. :/
@Bobby: Not exactly. I was referring to the tendency of some software manufacturers (naming no names, but I'm sure you can think of candidates) to assume that only their clients access their servers, despite the overwhelming amount of evidence to the contrary. Of course, they're not the only offenders.
Donal Fellows
+3  A: 

My bestfriend's brother just finished his studies. He claimed a few days ago to everyone around he's a "webmaster" and "webdevelopper". I told him his sites were bad and unsecure. "Hack them" he answered. 10 minutes later I sent him the whole source code of his 4 sites :) He was doing something like

< ? include $_GET['inc']; ? >"

The more cheeky you are the more prone you are to attacks :)

Olivier Pons
+2  A: 

On some Unix machines (certainly all SunOS) you could link a setuid shell script to a file called "-i". The shell script would interpret the filename as it's first argument and run "sh -i" = an interactive shell, with permission of whoever owned the setuid file.

Since most setuid shell scripts ran as root, to give you permission to do something that needed root access like eject a CD or load a tape. This meant it was trivial to get admin on most university Unix machines in the 1990s.

Martin Beckett
+2  A: 

As a note for all readers, informed or otherwise: I just bought an 800 page, 2008 copyright book on the subject from a major - In the preface the author does a "hey, wait a minute .." in which it is noted in detail that more than one security professional with heavy credentials and field experience had been, ahem, rendered moot, ... big-time because they had seen some intrusion something or other that looked relatively novice.

Trying it as seemingly harmless there would be formal proceedings due to un-authorized activity. Being a professional, some of them were ruined.

The last intrusion I paid any attention to involved a major banking service that has been around so long that citizens rarely hear their brand name. All data was available un-enciphered across the shop - but, bizarre to the uninformed is that this banking entity had become a "clearing house" for ( i don't know statistics but it is over half ) of credit-card transaction processing for more than one retail-branded credit provider.

The intruders just placed a ( device ) at the drop. [ that's telco for the line from the world at the point of entry ] no fancy or sophisticated traffic monitoring tools, just the basic. I suggest everyone monitor all credit activity since Feb of this year: What was gained was valid cc#'s matched to valid names on currently active and valid credit accounts.


As usual, it's the person with no expertise in security running a shop from a position of management authority. The engineering term is "failure mode analysis" ...

Nicholas Jordan
I cannot follow the first two paragraphs.
+233  A: 

Social Engineering:

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.


Bob Aman
awesome.. I saw it at first, and it's still a classic. :)
Marcus Lindblom
just how they worm their way out with the copy/paste ******** :D
I ROFLed. But not until the very end with the copy/paste thing :)
awesome. who was this genius :P
OMG, LOLZ......
Rakesh Juyal
Used to happen all the time on Runescape.
This particular exchange is highly unlikely to have actually happened (who would type "er" when they're trying to cover something up?), but funny nonetheless.
Michael Myers
mmyers: it's also highly unlikely someone is stupid enough to get rm -rf'd, but that definitely happens. I've seen it myself :)
Matthew Iselin
been there. done that. Way back when AIM was cool...I must have some dumb friends I guess.
David Murdoch
There is nothing more insecure than the idiots brain
+5  A: 
Select * from user where user_id = '*userId*' and access_level = 0 or access_level = 1;

If the query returned any rows, they were admitted to the system. Parentheses around "access_level = 0 or access_level = 1" would have done what they intended. Instead, as long as there was some user with an access_level of 1, anybody could get in.

+2  A: 

'Unified login' between two systems - which exposed the password as free text.........IN THE URL!!

This was a government project which had been 'offshored'. Luckily it was noticed v. early on. The scary thing is the developers didn't see that much of a problem with it - really makes you wonder.

"developers didn't see that much of a problem with it - really makes you wonder."Yes, my Team Lead tells me that is all they are shipping now. I looked at one piece of code and told them no one makes mistakes this stupid, not anyone. To which their reply was to ultimately lead me to realize we have a real problem as a society. I have one contact who is a Junior College engineer for telco - when we go to online banking from cellphones we are 0XDEADBEEF
Nicholas Jordan
I should point out that it was the offshore developers who didn't see it as a problem.
+3  A: 

This was a long time ago... but DEC's VAX system used to be shipped with the accounts:

login:SYSTEM password:MANAGER

and login:FIELD password:SERVICE

Most sysadmins would know about the SYSTEM account and most (but not all) would change it. However not everyone knew about the FIELD account which also had SYSTEM privileges.

+9  A: 

One of the utility companies I have doesn't use autocomplete="off" in their credit card form.

Sure, they don't store your credit card info (a good thing), but imagine how horrified I was when I paid my 2nd months bill and my browser offered to fill in the entire credit card number for me...

I see this all the time. Ugh! It's an underappreciated problem.
David Kolar
+26  A: 

When I first joined the company I currently work at, my boss was looking over the existing e-commerce web site of a prospective new client. This was in the fairly early days of both IIS and e-commerce, and security was, shall we say, less than stringent.

To cut a long story short, he altered a URL (just out of curiosity), and realised that directory browsing wasn't turned off, so you could just cut the page name off the end of the URL and see all the files on the web server.

We ended up browsing a folder containing an Access database, which we downloaded. It was the entire e-commerce customer/order database, replete with several thousand unencrypted credit card numbers.

Mark B
+79  A: 

"Pedo mellon a minno", "Speak friend and enter", on the gates of Moria.

Adriano Varoli Piazza
As if anyone who speaks Elvish can't be trusted!
Artelius by obscurity! +1
+3  A: 

The best error in the style of "web programming security 101" was a recruitment agency whose search page offered a "next page" link which was simply the SQL statement to fetch more job listings. You could easy change this URL to be any other SQL statement, including "drop table X". If you did that, their entire web site would die.

Paul M
+1  A: 

A company who sold computers had a website built with FrontPage with everyone having full access.

Jeff O
+2  A: 

A "secured" website where every pages were encrypted but the login page!

Nicolas Buduroi
huh? The sign in page does not need to be encrypted. As long as the page you post the password to is encrypted
That was what I implied, sorry for the confusion. I should have written: "A "secured" website where every pages were encrypted but the one to which the login page is posting (and the login page itself)!"
Nicolas Buduroi
I had even fire up Wireshark to double check what I was seeing in the code. Worst security ever, in all aspect of the website: authorization vs authentication, XSS and more. The only thing it was safe against was SQL injection due to heavy use of parametrized calls to stored procedures. In summary, an epic failure!
Nicolas Buduroi
+4  A: 

This happened on a very big website. My jaw dropped when I seen this.

There have been a few answers like this. Depressing!
+4  A: 

I hate to admit this .. but I found out how to hack VSS 2005 one day when I didn't have the admin password to a repository (the hate part is in having to use VSS :D )

If you create a local computer account with admin privileges that has the same name as the VSS account, and log on, VSS says:

 "Hey great .. you are logged on to the computer with an account name that 
  I recognize as being the same as one of my accounts,
  and your account has admin privileges on the computer .. 
  so I am going to bypass *my* security and give you admin 
  privileges to all of VSS!!!!"

That hack was about the first link I saw on google when trying to crack the VSS password

Of course it doesn't give you the VSS password that you are missing

Peter M
+2  A: 

The entire Classic ASP shopping cart "Comersus". The whole thing is a mess of spaghetti code and all the SQL statements are ripe for SQL injection since there Is no filtering done whatsoever. Sadly I had the misfortune of dealing with this "application" for almost two years and it was an absolute nightmare!

Wayne M
A quick Google shows the project is still alive, lets hope it's been cleaned up since then!
It hasn't; I've seen the newest version of the code and it's basically the same as the version I'm familiar with. Bad code, no security, no indentation or good variable names... honestly the entire project is a textbook example of hack programmers pretending to be decent. The company actually claims that what they're doing is the "recommended" way of doing ASP development (which I guess is true... and part of the reason why Classic ASP sucks so badly).
Wayne M
+5  A: 

At my old uni, they stored users passwords in plain-text in cookies.

This in itself is horrible, but to add insult to injury, they stored them in cookies for * Now of course, all the students and staff's pages are on something like


var_dump($_COOKIE); // oops.
Matthew Scharley
+1  A: 

Who can forget the classic Windows 98 security hole?

Copying password text *** and pasting it into a word processor would show you the password on just about anything.


Hitting the cancel button on Windows 98 login screen would give you access to the system anyway.

Duplicate of
Joe White
+11  A: 

1-800 dominos will give unlisted address's related to any target phone number. When prompted if you are calling about the phone number you called from select no. The system will prompt you for a new phone number, the system will then read back to you the name and address that's associated to this phone number. Enter in your target's phone number and you now have their name and address. This is pretty common with automated ordering systems and if dominos has fixed this there are literally hundreds more.

+2  A: 

There are many sites that use a proxy file to pipe images or other files through. Without checking the path for validity.




getfile.php?file=../index.php (in plain text with all the passwords)

It's amazing how many sites still have this flaw. Just google for getfile.php and you can have a field day breaking into boxes.

+11  A: 

Some friends were in a class together at university. They discovered the professor posted all the homework solutions, even for homeworks that were not due yet, had not been graded, or hadn't even been assigned. The professor just had links or solutions to them embedded in the class web page, and would comment them out in an HTML comment until the assignment had been collected and graded.

Sarah Vessels
What subject was this for? Not a computer-related one, I hope.
+4  A: 

In one forum I've got readonly access to hidden threads and administrative interface just by replacing my username in cookies by admin's one, not changing password.

Andrey Titov
+10  A: 

On a free web-host I tried, there was a logical error in the "Forgot Password" method for e-mailing you your password -- if you didn't enter an e-mail address (a secondary e-mail was optional), it e-mailed the password for the primary address for every single user who didn't provide a secondary e-mail.

I and hundreds of others one day received an e-mail with hundreds of usernames and passwords, with the passwords in plaintext.

LOL ... beautiful :-))
+4  A: 

Windows 95 had the option to require a password to unlock the screensaver. However, using ctrl+alt+del you could just kill the screensaver.

I think in Win9x it was the responsibility of the screensaver itself to tell windows that a screensaver is running. If a screensaver didn't call that function it could be killed from the taskman. On other hand any application could call that function and disable the taskman.
+2  A: 

XSS is what I love to find on a web site.

Here is a link to a log of my findings:


Only the specials:

Have fun browsing them!

+2  A: 

On a website I worked on, they used the username and password as combined primary key. The username was automatically your last name and not required to be unique.

Which leaves only one thing that could be unique...

Mike Robinson
+3  A: 

Well simply a

exec unchecked_parameter_from_the_web

in Python to parse an dictionary literal which was given by the user. That was really scary.

+4  A: 

Paraphrasing from memory here, but it's close...

<form action="secretpage.html" id="authentication"          
      onsubmit="return document.forms.authentication.password.value == 's3cr3t'">
    Enter password: <input type="password" name="password"><br>
    <input type="submit" name="Login" >

A guy I know used this to protect the "private area" of his web site. At first, he didn't want to believe me that even his browser had this wonky "view source" function.

ahhhh... the good ol' `s3cr3t` password. I'm sure he thought nobody used it before! :) Almost as good as `qweasd`
+5  A: 

Thinking about this, the worst security hole I've ever seen was when the guy who adminned the electronic door lock said "What do you mean, the lock doesn't know about public holidays"?

Yep, every Monday-FRiday that happened to be a public holiday since the door system had been installed saw the front door unlocked 08:00-17:30.


An application using faces and managedbeans. The bean used to edit the user already logged in was the same used by the self-register form, where two hidden fields were the only difference. Meaning? If you get someone's document number (equivalent to SSN in USA), you could actually change their password.

+2  A: 

I once had a job where there was a security layer written in Java code that checked if the user had access to edit a DB table column. This is what the function looked like:

public boolean canEdit(User user, DBColumn column) {
    if(true) {
        return true;
    } else {
        return false;
Kevin Crowell
At a guess, this was written as a stub, to be finished later, and then forgotten. Perhaps the developer asked what the access control should be and never got an answer.
David Thornley
@David Yes, most likely. Not the kind of thing you want to forget though.
Kevin Crowell
Ah, I see the security hole.. it should be just "return true".
Robert Fraser
What about those sneaky Boolean side-effects? Best to go with `return true ? true : false;`.
Jon Purdy
that wont helpyou need something like `return ((true==true ? true : false) != false ? false!=true : true==false)`

My old school had the student's passwords the same as their username, PLUS it was easy to get their usernames (a number, ex 123233), then you could hit add column and find out the first and last name of the students, as well as their usernames. So it was easy to put random garbage in their accounts and make them think there was a "ghost in the machine"

Matt S.
+3  A: 

A legacy app I ported a few years back used a 3rd party callback system for handling payments. Thing was, the callback script didn't check that the amount paid was equal to the price of the order, so it was possible to purchase any product on the site for £0.01 by using Firebug to edit the contents of the 'amount' field on the payment page.

+3  A: 

The worst security hole I've ever seen was build into an earlier version of MS SQL Server, version 7.0 or 2000, can't remember exactly.

When installing this version of SQL Server, the installer would by default give the "sa" account a blank password !!! (the sa account is the SQL Administrator account, it can do anything on the server)

This gave basically anyone access to an SQL server that wasn't protected by a firewall.

But it gets worse.

At that time, many SQL servers were installed to run the service under "local system" authentication, giving the SQL server process unlimited control over the system.

Since you can create COM objects in SQL server you suddenly had complete access over the computer where the SQL server was running.

Many a site has been hacked this way.

+7  A: 

Not a technical security hole, but a security hole nonetheless:

My banking card was recently eaten by an ATM and it took some weeks before I got it back. When it finally arrived at the bank, a woman from the bank called me to ask whether I wanted to pick up my card or have them send it to me via mail. She also told me that if they would send it they would disable it until I called them to confirm that it arrived safely at my home.

I got the card with a short letter with exact contact information including a note saying I needed to call to re-enable the card. I just called there, gave them my name and account number, BOTH OF WHICH WAS PRINTED ON THE CARD ITSELF and they re-enabled the card.

Basically, if anybody else had snatched that letter, they would have had the card and the number of the bank as well as all the information needed to convince the bank that it was actually me calling. So, not a very good security system there.

Anne Schuessler
So silly. All they have to do is require the card to be activated in person at a branch. That way they can perform a photo ID check and nefarious types would be less likely to attempt it knowing they will be recorded whilst doing so.
That would be a better idea if bank branches were open outside their usual interval of 11:45am to 12:15pm, Mon - Fri, and located on every block in every city.
Did you call from your home phone (or whatever phone number they have on file for you)? Some banks will use the caller id as one method of authentication. It is possible that they would have asked you more questions to verify your identity if you were calling from another number.
Most (I'm not going to claim all) banks only activate your card if you call from one of your contact numbers. Sometimes I felt a company had no need for my cellphone number, but I tried to use it to activate my card. I've gotten bumped to a human and asked my security questions on several occasions.What I really hate is my bank grooming me for phishing attacks by CONSTANTLY sending me email with hyperlinks in it. Bad bank, no cookie.
+2  A: 

Our phones at work.

You have to log in using your 4 digit ID, then push # and enter your 4 digit password followed by #. But if you don't enter any password and push #, it logs you in.

Failphone fails.

Ondrej Slinták
+9  A: 

I broke into by changing the domain of my ServerFault beta access cookie. (they've fixed it now)

Isaac Waller
nice (11 more to go)
Robert Fraser
+2  A: 

I worked on a site that used the username and password as the row ID in a database. This was compounded when the username was automatically and unchangeably your last name. The site had 900 Smith's, each with their own unique password...

Mike Robinson
+2  A: 

I was recently asked to code review a companies website, with an eye to my employer taking the website on as a maintenance project.

It didn't take me long to discover the plain text file sitting under the website root containing about 6,000 customers credit card details, including billing name and address and CVV code. It wasn't even imaginatively named!

That was the worst issue with that site, but it was also riddled with SQL injection problems as well.

We politely indicated these issues and the website owner bumped it back to the original developer for an explanation.

+7  A: 

Not the worst, but bad enough to cause some real damage. You would be surprised how often this is overlooked. Especially when people are using some of these popular frameworks,

Not making sure that the owner of the items is the one requesting the page. Meaning, you can log into your account and then edit or delete anyone's items in the whole application.

A simple check can prevent a lot of damage.

$item = // find your item by the $_GET[ 'id' ];

if( $_SESSION[ 'user_id' ] != $item[ 'user_id' ] ){
  // kick em out they dont belong...
David Morrow
Where I've a situation like this of late I've taken to stuffing a cookie with a UUID and co-checking that before doing anything to make sure it matches up with my database userid. Crude, but effective.
+45  A: 

I had Joe X's former home address, and needed to know his newer current address in the same city, but had no way to contact him. I figured he was receiving the usual daily pile of mail order catalogs, so I arbitrarily called the 800 number for See's Candies (as opposed to Victoria's Secret, or Swiss Colony, or any other big mailer):

Me: "Hi, I'm Joe X. I think you've got me on your mailing list twice, at both my old address and my new address. Does your computer show me at [old address] or at [fake address]?"

Operator: "No, we show you at [new address]."

joe snyder
Ah, gotta love social engineering. The human aspect of security is usually the weakest.
I sure do... I love it.
Andrei Rinea
+4  A: 

In the 1970's Stanford had IBM 2741 hardcopy terminals spread around campus networked to an IBM 360/67. Account passwords were three characters. During logon, the password prompt would overprint a three-position blob of about nine random uppercase characters, so the subsequently-typed password would supposedly be masked by the blob. However, everyone typed their passwords in lowercase, which were trivial to discern against the uppercase background blob. That meant you could usually walk up to any terminal, peruse the hardcopy typically left behind by the previous user, and easily logon with their account and password.

joe snyder
I took off the typeball when typing passwords.
Windows programmer
+2  A: 

I remember that the Common App website for applying to colleges had this "security" feature that announced it would log you off after a certain amount of time. But to that, they used an alert box which if you didn't actually respond to, would pause the countdown making your session indefinite.

+3  A: 

I once called a BBS that had a "Drop To DOS" option on the front page. It wasn't listed in the menu, but I accidentally found it when I made a typo.

Then I had remote access to the guy's DOS command-line.

+7  A: 

Not the worst but one that was a good laugh was the Android OS reboot bug. When users had the G1 phones they could type "reboot" from anywhere on the phone (ie: sms or emails) and the phone would reboot.


There was a place where the administrator set up all users home-directories' in a shared FAT32 folder.

  • Which meant that you could read, write, and remove other user's files.
+8  A: 
if( $session['role'] = "admin" ) //grant admin rights

Just one character off ("=" instead of "==" ) is all it takes to grant admin rights to anyone who is logged in. Your truly is guilty.

+1 for honesty. A unit test should have picked this up though.
A what? :) Ever tried unit testing in Drupal ... eurgh
I did not understood his one, what one character is `stef` talking about ?
$session['role'] = "admin" this sets the $session value to admin, it is not a comparison. It should have been $session['role'] == "admin". You need two == to do a comparison.
PHP itself is guilty here. Allowing variable assignments in if statements is obviously going to lead to tons of these kind of mistakes.
+2  A: 

I have seen top-managers of a high-end French defense contractor using Skype for very confidential talks (for the record, Skype uses the long-time-ago broken RC4 encryption algorithm).

I guess that their ignorance can be pardonned as on the top of that they also used Windows and MS-Word (for the record, MS-Word keeps an history of all the documents previously written with this template).

This raises some interesting questions regarding where the tax-payer money goes -and if it is wisely used.

+2  A: 

I once had the pleasure of attempting to secure a site (ASP Classic) which "required" a password to access the admin interface. Of course, if you just went to the address of one of the admin pages, you could do whatever you wanted, logged in or not.

And they wondered how they got hacked.

Ryan Kinal
+2  A: 

In a login for, there was an hidden field which let the "webmaster" choose the file to be included on success and failure.

Yep, /etc/password worked.

Or in a "log" directory, there was order-xxx.asc AND order-xxx.txt which contains card numbers including check number and validation date.

+8  A: 

It is not security hole, but security shame of one of corporations marketing their own products as high security (and that is one of theirs main feature)

It is about "secure login" on pages for there partners. And here it goes:

First time you got password in plain text by email and once you log in you of course do not read blah blah on first screen, you just run for what are you looking for (doc or software) and then log out.

But here is the trick, next time, you are trying log in your password does not work any more, because you should have new password they post each time on website under your personal profile. So after exchange of few emails they send me (over email) list of approx 30 enumerated one time passwords and I can use it only once each time . (this took me one week and couple of emails to renegotiate for this list)

So I printed this list of passwords, stick it on wall in front of my desk and I black out one password using pen each time I log in. I do not care for if anybody walking by my desk see this list.

That reminds me of passwords with attachments like "use 10-13 characters containing upper case, lower case, and numbers. Do not use ! or '. Must contain an @. Must not include any characters used in your user name...." I always hate those, and the password length limit always worries me cause it implies they aren't hashing it.
American Express up to recently used to limit the password to 8 characters. There was also some JavaScript that told you the password was invalid if you tried more than 8. It no longer does the JavaScript portion, but may still be limited. Probably not hashed, etc.
Chris Lively
+3  A: 

One security hole that makes me cringe is in a legacy application I was once maintaining there was a settings.ini file with the database credintials in plain text, and all user passwords are stored in the database in plain text.

Most other security holes I've seen were at my high school and college.

First off, I figured out I could shut down the internet for my school simply by doing a (very easy) ping flood attack. And not just my high schools internet though, the entire school system including part of the college. There was absolutely no rate limiting. They ended up fixing it after I demonstrated it. (as a side note, the "publicity" from that made me get hired at my first programming job)

The second, and one that had much more possibilities was this:

Ok, so every computer in the school was connected to a domain and such. So, when you logged onto a computer, it would copy down a generic user directory(including application data, etc folders) and then proceed with the login. Some people had their own logins other than the generic "student" account for one reason or another. Well, while I was browsing the public server where everything was shared on, I found a /users directory. Upon looking at it I discovered froma generic student account I had read-write to every users directory, including teachers, administrator, and the generic student account.

For April Fools I had planned to write a simple batch file or small program which popped up something like Class of 09 rocks! upon login of everyone just to demonstrate it, but I chickened out.. I also never told the administrator either, so the gaping security hole is still there probably.

Sounds just as insecure as things were 15 years before that (and probably well before).
Donal Fellows
Sounds almost as insecure as 99.9999999~% of LANs and intranets today.

How about publishing your ELMAH error log on the Internet?


I've heard about a programmer working at a bank, that - whysoever - calculated their internals (including account balances) with a precision of 16 positions after decimal point.

So this guy changed the bank transfer procedure to transfer 0.00001 dollars of each transaction to his own account, the rest to the original destination. I think they got him quite fast, but I have to admit that I found his idea quite good when I heard of it for the first time.

Oh I think I heard of that too once, in about 1999.
The salami scam. It's a famous one.
Office Space...
Superman III (1983).
+6  A: 

About 3 years ago I built a site for a somewhat large non-profit organization in our state. When it came time to deploy the application to their web host server, I noticed an odd file named "cc.txt" or something obvious like that in their public site. It was under their web root, was getting served, and was a csv file of all their donor's names, addresses, credit card numbers, expiration dates, and CVV/CVC codes. I cannot count the number of times I brought the issue up - first to my boss, then our company accountant, the client's IT director, finally the client's President. That was 3 years ago. The file is still being served, it can even be googled. And it's been updated. I tend not to respond to their donation solicitations when I get them.

They're not the only one. If you do a search for that file you'll find lots of sites that do the same thing.
Internet. Serious business.
How was CSV file publicly available, if its in webroot folder of application server than how will it be publicly accessible ?
the file had a .txt extension, and their web server was setup to serve it as text. All you had to do was enter the right url and you'd get the whole readable file in your browser.
+14  A: 

People posting their passwords on public websites...

Almost did that a few times.
Nice touch making the `...` a link as well :p
+7  A: 

My bank once detected a "suspicious transaction" on my debit card. They recommended I cancel it and get a new one.

While I was waiting for the new card, I needed to make a withdrawal. So I walked into the bank, gave the a woman my old card, and explained, "This card was recently canceled, but I need some money. Could you give some from this account?"

As I walked out of the bank, cash in pocket, I realized I had just taken money from an account using a canceled card without ever being asked to show any form of ID.

I once closed a bank account without showing my ID. I walked out of the bank with all the money that had been in the account.
done the same. I was honestly stuck but I needed money, walked into the bank and had no card no visual ID - They said "Name, Address, DOB" ... all of which are on my freelancing CV and website.
+2  A: 

I once took over development of a system that was in use by 200 clients around the country, and it had hard coded passwords. Yup, the code actually said:

if password = "a"

And last year I left an automotive ERP company whose hundreds of clients all have the same admin password on their servers. I'm guessing they didn't change them all after I left.


When I was in middle school or so, the county school system set up all their "security" software to keep the kids off parts of the Internet or from changing configuration settings and installing junk. Besides the fact that the software was pretty marginal (some shell modifications which could be bypassed with a clever right-click in a File > Save box) they set the teachers' password to teach.

Yeah, that was real secure.

+9  A: 

I once found a bug in a local Internet portal called ROL.RO (Romania OnLine - owned at that time by PCNET). They had a free webmail system. I wanted a certain (easy to guess which) username, but it was already taken.

By curiosity I went to the "forgot my password" page entering my desired (but taken) username. Then, upon submitting, I was presented with the security question which was blank.

Wow... let's see if they are lame. I made sure the answer textbox was empty, and I submitted


I entered a password and hijacked the account.

What probably happened in their ... PHP scripts was that they compared the null from the database (in the answer - of course they kept it in clear text) to the empty string submitted by me. Having them "equal" lead me to the next step, the reset of the password.

Yes, lame.

Andrei Rinea
+1  A: 

I once forgot to delete 'admin login page'. The page was just bypassing LDAP login and gaining all permissions. It could do anything with the client's bank account. I was so so so worried. Luckily no one knows the URL.

+3  A: 

When you lost your password and the recovery form ask for the username and your email. And does not verify the email and send in the password to the gived email.


It was on a local TV paid/subscription based website. It was easy to find username, somany peaple use first name. Today the tv channel has gone bankrupt(for other reasons, like lack of professionalism).

+1  A: 

The fact that you can often bypass security or intended functionality altogether on most unencrypted applications or files by just using a file/process hex editor. Sure it's great to give yourself infinite gold or god mode on most games - online or off, but it's also great to just grab or edit values as you wish, including passwords. In fact sometimes all you need is Notepad. Luckily Notepad isn't on the list of federally controlled computer applications under the DMCA... yet.

Edit: I'm referring to exploiting the "Emperor's New Clothes" scenario with recognizing security defects with only the most simple of tools. A scenario so common throughout the programming or consumer community across any language or platform that it might as well be a universal standard.

This has nothing to do with security though.
@Longpoke: For security, you have to read deeper than the application you're currently viewing or serving. Pushing off responsibility of security to the underlying platform is no excuse to the user either. Expecting security by obscuring your every action, yet publicity displaying every move you make, is what I'm talking about. Even serving a client's website without yourself filtering for known vulnerabilities is what I'm talking about. "Emperor's New Clothes":, or something.
+2  A: 

A while ago there was a security hole in windows in the JPG image loading library. Infected by the image in e-mail. ack

How can an image infect a code library?
The image file was crafted in such a way that it caused a buffer overflow in the library and let the attacked run unauthorized code
Chris T

A friend of mine did his login via GET. Needless to say he learned the lesson the hard way.

Glenn Nelson
You mean he did not use HTTPS (SSL)?
How is login via post "more secure" than get? They're nearly identical on the HTTP level.
You know what XSS is?
Glenn Nelson
+1  A: 

Testing some bank teller software, I called the tech desk to arrange a dialup IP session. 'Which system do you want to connect to, production or test?'

True story.

Does that person still have a job, or have they gone, erm, "independent"?
Adam Liss

I've had at least 1 previous co-worker who probably qualified as that.

Your co-worker qualified as the worst security hole you've ever seen?
Mike Daniels
lol, yes. somewhat of a joke, but happy to say that he's no longer my co-worker. none of us trusted him to do anything properly though or with much if any thought, and he didn't last long.
+2  A: 

UNIX textual login screens are SO EASY to reproduce... :)

Diego Sevilla
I fell prey to this as an undergraduate. But the hacker didn't know that we _also_ had real-time textual maps of the computer lab: essentially grids that showed the position of each terminal and the ID of its current user. Catching the hacker was a simple matter of having a friend dial in and show the map, finding someone I knew in the lab, and asking him who was logged in as me, sitting 3 chairs to his left. (I suppose Cliff Stoll would call it "The Dodo's Egg.") :-)
Adam Liss
+6  A: 

There's a bank that offer some services via its web site. The developers considered any one who had logged in as a valid user for the entire system, and they use URLs to identify the account number, so simply just changing the ID on the URL and you can view other accounts' balances.

It's really very bad for a web developer who think authentication and authorization are the same thing.

Also it's good that the bank doesn't transfer money via its website, otherwise some people will be rich ;-)

Mohammed Nasman
What country is this bank in?
Sorry, I can't give more details, this bank is the biggest one on that country, so I can't give any more info ;-)
Mohammed Nasman
+1 for responsible disclosure. Give them time to fix the security hole, if they don't fix it then provide full disclosure so that they are forced to fix it :)
+16  A: 

One of the simplest, yet really cost worthy is:

Payment systems that use engines such as PayPal can be flawed because the response back from PayPal after payment was successful is not checked as it should be.

For example:

I can go on to some CD purchase website and add some content to the cart, then during the checkout stages there's usually a form on the page that has been populated with fields for paypal, and a submit button to "Pay"..

Using a DOM Editor I can go into the form "live" and change the value from £899.00 to £0.01 and then click submit...

When I'm on the PayPal side of things I can see that the amount is 1 penny, so I pay that and PayPal redirects some parameters to the initial purchase site, who only validates parameters such as payment_status=1, etc., etc. and do not validate the amount paid.

This can be costly if they do not have sufficient logging in place or products are automatically dispatched.

The worst kind of sites are sites who deliver applications, software, music, etc.

+1 Agreed. In the hosted payment page situation the originating website should not allow the user to drive values to be posted; instead the page should post back to itself upon user click and then the server formulate and send a post op to the payment "gateway" directly with appropriate values. It all depends on what the gateway expects and how interactions can be made with it, but I cannot see any gateway worth its salt not having a more secure scenario than what you described. Maybe I'm wrong though.
John K
+3  A: 

The biggest security hole I've seen recently recently is the lock screen bug in iOS 4 (iPhone), granting anybody instant access to any iPhone (make calls, address books, call logs, photos).


The worst security hole I've seen was from a (very very bad) hosting company. And even worse it was just some months ago (summer 2010)! You had to first connect to your hosting package control panel (you needed valid credentials). Once logged in all you had to change was the id GET token from the URL and voilà, you're in the control panel of another user! You have access (save/edit/delete) to emails, files, databases. The ids were sequential so you only have to do +1 and you're in the next account. I hope someone have been fired for this!

It was one of the many WTF I've experienced with them! Fortunately I wasn't one of their customers!

+2  A: 

You know how you read all the time about how a large corporation has had their customer's personal identification stolen? (And in fact it's happened to me twice that I know of - once from my health insurance company, once from my life insurance company)This is often from stealing the database backup tapes which are unencrypted and reading the unecrypted personal information stored therein.

+3  A: 

Because the username and the password are the same, and it was happening for the production website not for a testing version. alt text

Elzo Valugi
The production website is phpMyAdmin? or is it because the password are stored in clear text?
Pierre-Alain Vigeant
because the username and the password are the same. and it was happening for the production website not for a testing version.
Elzo Valugi
@Elzo Valugi: can you add this information to the answer?
Peter Mortensen
+1  A: 

I have seen a lot of customer projects which were sent to support and which contained IP addresses, user names and passwords to live SQL Servers databases.

DevExpress Team
+4  A: 

The company I work for has so many security mistakes... Here are some of the worse:

  • All ex-employees still have active accounts for everything, even ones who got fired or left on bad terms
  • Every site we ever developed (200+) has the same admin username and password that all employees who every worked here would know

Epic fail.

Rogue Coder
+2  A: 

My friend once made a forum script in PHP. Passwords were kept as a plain text file named pass.txt. Of course that file was accessible for everyone.


Not controlling logical operator (OR) in Password data entry element. By using it, every one can easily pass the other where conditions. For, the select query will be like this one:

select *
from TheTable
where [email protected] And [email protected] OR 1=1
This seems like a 'normal' SQL injection attack...though, the query looks like a parameterised I don't get it.

Visited the contact page of a pretty well known online store and scrolled down, searching for a phone number. Instead I found an upload form which accepted all file types and actually put the uploaded files in the root folder of the website, meaning that if one uploaded a file called test.php, it would be callable by the url :)

Since they used osCommerce (open source), putting together a script that would fetch out all database conection details and then download their complete customer data table would be a less then a five-minute job for anyone that had enough IQ to google things.

I contacted them and ended up with a discount coupon for my next purchase, and they removed the upload form within minutes.

+4  A: 

So scary I told all my friends to cancel accounts!

I worked on a popular casino site. The flash front end is not just a mear dumb terminal. They had a visual bug of which incorrectly managed avatar images. During the time me and my buddy we fixing this - we fell upon a completely separate flaw.

We watched the traffic from client to server and discovered it was base64 encoded. Thinking it would help, built a simple python terminal script of which would tap into it. We found out the client would send commands and logic information to the server.

Within minutes I had the ability to simply type in the amount of chips I had, who won and what hand I had, simply by writing it in plain text!

Another major flaw - User passwords were encrypted, admin passwords were not using the same hole as before, I gained access to database info, found admin logins and took over the system.

+3  A: 

I'd been informed that the our switchboard department's bleep system had a web front-end that could be used to send messages though it was ugly and not very user friendly so I wanted to have a look and see if we could use a form on our main intranet site and submit the values via our server to theirs.

There was a simple username/password form to access the system with User and Admin roles so I took a look to see how I'd impliment handling the security. I discovered the two following cookies being stored:

Username: [username I had used]
Admin: False

Just to make sure it was as bad as I thought I opened up Firefox, gave it the url, created 2 cookies, my username and Admin: True and lo and behold I had Admin access. Just to check it out I created a new user without any problems. To make matters worse having the username locally meant that the log would show my actions to be by any one I wanted to give it.

Security through obscurity doesn't work but it works far less when you give people everything they need on a silver platter.

+2  A: 

There is a cloud-rendering library licensed for $2500 with limited work time (like one minute) until registered. And evaluation demo that worked indefinitely. Searching exe contents for a word "demo" revealed "[Product name] Demo" and hex symbols string nearby. Yes, that was login and password.