one time i was working on a webapp auth system for a multi-million-dollar client in a highly-regulated industry

i made a Dumb Mistake which allowed ppl to log in to the system by entering a valid username and just leaving the password field blank

it was in production for weeks
protip, suppose you're integrating with Active Directory or other LDAP system and you're doing bind operations with user-supplied user/pass strings

a bind attempt will succeed if the password is correct, but it will also succeed if the password is blank
i had to inform the client about this fuckup

i took it to the client's local vp of ops. i explained that people could sign in on the public internet with a valid username but no password; we'd basically left the front door unlocked and their data was exposed for weeks
there were some applicable federal regulations

i read them to mean "if you think maybe bad shit happened, you must inform the federal government"

this was back when i had a childlike faith in regulations and a holy terror of statutory maximum fines, so--
i figured this vp of ops was going to call in the compliance team and it would be a Whole Thing and maybe we'd even report to the gov't

instead, he was quiet for a second

he asked me if our logs specifically showed anything that looked likely bad

i answered truthfully, "no"
so he said "write me a letter. say that to the best of your knowledge, nothing bad happened. and if it did happen, it was your fault. i'll put it in my drawer and we'll leave it at that unless the issue comes up again"
i wrote the letter. he put it in his desk. it never came up again. and i was enlightened.
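Added example (not code from the thread) showing the bind behaviour described above: a stand-in for the directory's simple bind, the naive login check beside a hardened one that refuses blank passwords before ever binding. The directory contents and DN layout are constructed.

```python
# RFC 4513 section 5.1.2: a simple bind with a non-empty name and an EMPTY
# password is an "unauthenticated" bind. A permissive server (AD and others
# can be configured this way) reports success while establishing NO identity.
# That is the "valid username, blank password" bug. Nothing here contacts a
# real directory; simple_bind() is a stand-in that mimics the server result.

# Constructed directory: DN -> password. Stand-in for AD/LDAP, not real data.
FAKE_DIRECTORY = {
    "cn=alice,dc=example,dc=com": "correct horse battery staple",
}


def simple_bind(dn: str, password: str, allow_unauthenticated: bool = True) -> bool:
    """Mimic an LDAP server's simple bind result (True means bind succeeded)."""
    if dn == "" and password == "":
        return True                    # anonymous bind: always "succeeds"
    if password == "":
        return allow_unauthenticated   # unauthenticated bind: the trap
    return FAKE_DIRECTORY.get(dn) == password


def login_vulnerable(username: str, password: str) -> bool:
    """The mistake: any bind success is treated as a valid login."""
    dn = f"cn={username},dc=example,dc=com"
    return simple_bind(dn, password)


def login_fixed(username: str, password: str) -> bool:
    """Hardened: never send an empty (or whitespace-only) password to bind.

    Do this client-side regardless of server settings, because whether the
    server accepts unauthenticated binds is outside the app's control.
    """
    if not username.strip() or not password.strip():
        return False
    dn = f"cn={username},dc=example,dc=com"
    return simple_bind(dn, password)


if __name__ == "__main__":
    # Same server, same credentials; only the client-side check differs.
    print("vulnerable, blank password:", login_vulnerable("alice", ""))   # True
    print("fixed, blank password:     ", login_fixed("alice", ""))        # False
    print("fixed, real password:      ", login_fixed("alice", "correct horse battery staple"))
```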
You can follow @ThatsMauvelous.