one time i was working on a webapp auth system for a multi-million-dollar client in a highly-regulated industry
i made a Dumb Mistake which allowed ppl to log in to the system by entering a valid username and just leaving the password field blank
it was in production for weeks
protip, suppose you're integrating with Active Directory or other LDAP system and you're doing bind operations with user-supplied user/pass strings
a bind attempt will succeed if the password is correct, but it will also succeed if the password is blank
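An added example (not code from the original thread) showing the trap in the protip above and the fix. Per RFC 4513 a simple bind with a name and an empty password is an "unauthenticated" bind, and a directory that allows it (Active Directory does by default) answers success without checking the name. `FakeDirectory` below is a constructed in-memory stand-in for such a server so the example runs offline; the DN template and user entries are assumptions, not values from the thread. The hardened login refuses empty or whitespace-only credentials before any bind is attempted, which is the check the app was missing.

```python
"""Empty-password LDAP simple bind: vulnerable login beside the hardened one.

FakeDirectory mimics the RFC 4513 unauthenticated-bind behaviour of a real
directory; it is a constructed stand-in, not a real LDAP client.
"""

# Assumed DN layout for the example; a real app would take this from config.
DN_TEMPLATE = "cn={user},ou=people,dc=example,dc=com"


class FakeDirectory:
    """Constructed in-memory directory that behaves like a server which
    permits unauthenticated (empty-password) simple binds."""

    def __init__(self, users):
        # users: mapping of DN -> password (constructed sample data)
        self._users = users

    def simple_bind(self, dn, password):
        # RFC 4513 s5.1.2: a name with an empty password is an
        # "unauthenticated" bind. Servers that allow it return success
        # without validating the name at all, which is the bug in the thread.
        if password == "":
            return True
        stored = self._users.get(dn)
        return stored is not None and stored == password


def login_vulnerable(directory, username, password):
    """The broken pattern: pass the form fields straight through to bind()."""
    dn = DN_TEMPLATE.format(user=username)
    return directory.simple_bind(dn, password)


def login_hardened(directory, username, password):
    """Reject blank credentials before the bind, so an empty password can
    never be turned into an unauthenticated bind that the server accepts."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    # strip() catches whitespace-only submissions, which some servers would
    # otherwise treat as a non-empty (and therefore checked) password,
    # but which an app should never consider a valid credential.
    if not username.strip() or not password.strip():
        return False
    dn = DN_TEMPLATE.format(user=username)
    return directory.simple_bind(dn, password)


def demo():
    """Run both logins against the same constructed directory."""
    directory = FakeDirectory({
        DN_TEMPLATE.format(user="alice"): "correct horse battery staple",
    })
    return {
        "vulnerable_blank_password": login_vulnerable(directory, "alice", ""),
        "hardened_blank_password": login_hardened(directory, "alice", ""),
        "hardened_real_password": login_hardened(
            directory, "alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'login OK' if result else 'rejected'}")
```

The same pre-bind check belongs in front of every code path that reaches the directory (password-reset flows and API tokens included), and the server side can be tightened as well: most directories have a setting to refuse unauthenticated binds outright, which turns the client-side check into defence in depth rather than the only line.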
i had to inform the client about this fuckup
i took it to the client's local vp of ops. i explained that people could sign in on the public internet with a valid username but no password; we'd basically left the front door unlocked and their data was exposed for weeks
there were some applicable federal regulations
i read them to mean "if you think maybe bad shit happened, you must inform the federal government"
this was back when i had a childlike faith in regulations and a holy terror of statutory maximum fines, so--
i figured this vp of ops was going to call in the compliance team and it would be a Whole Thing and maybe we'd even report to the gov't
instead, he was quiet for a second
he asked me if our logs specifically showed anything that looked likely bad
i answered truthfully, "no"
so he said "write me a letter. say that to the best of your knowledge, nothing bad happened. and if it did happen, it was your fault. i'll put it in my drawer and we'll leave it at that unless the issue comes up again"
i wrote the letter. he put it in his desk. it never came up again. and i was enlightened.