one time i was working on a webapp auth system for a multi-million-dollar client in a highly-regulated industry
i made a Dumb Mistake which allowed ppl to log in to the system by entering a valid username and just leaving the password field blank
it was in production for weeks
protip, suppose you're integrating with Active Directory or other LDAP system and you're doing bind operations with user-supplied user/pass strings
a bind attempt will succeed if the password is correct, but it will also succeed if the password is blank
i had to inform the client about this fuckup
i took it to the client's local vp of ops. i explained that people could sign in on the public internet with a valid username but no password; we'd basically left the front door unlocked and their data was exposed for weeks
there were some applicable federal regulations
i read them to mean "if you think maybe bad shit happened, you must inform the federal government"
this was back when i had a childlike faith in regulations and a holy terror of statutory maximum fines, so--
i figured this vp of ops was going to call in the compliance team and it would be a Whole Thing and maybe we'd even report to the gov't
instead, he was quiet for a second
he asked me if our logs specifically showed anything that looked likely bad
i answered truthfully, "no"
so he said "write me a letter. say that to the best of your knowledge, nothing bad happened. and if it did happen, it was your fault. i'll put it in my drawer and we'll leave it at that unless the issue comes up again"
i wrote the letter. he put it in his desk. it never came up again. and i was enlightened.
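Added example, not the poster's code: a small Python model of the simple-bind rule in RFC 4513 section 5.1.2 that reproduces the bug in the protip above, beside a login handler that refuses it. The mechanism behind the bug is that a bind request carrying a real DN and an empty password is an "unauthenticated bind": the server checks nothing, establishes no identity, and on directories that permit it (Active Directory does by default; OpenLDAP only with `allow bind_anon_dn`) returns success anyway, so a client that equates "bind succeeded" with "password verified" lets anyone in with a blank password. The directory entries, DN layout, usernames and passwords below are constructed for the demo, the `allow_unauthenticated` flag stands in for the server's policy, and nothing here talks to a real LDAP server.

```python
from dataclasses import dataclass

# Constructed sample directory: DN -> cleartext password (real servers store hashes).
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=com": "correct horse battery staple",
    "cn=bob,ou=users,dc=example,dc=com": "hunter2",
}


@dataclass
class BindResult:
    success: bool
    # Identity the server would report to a "Who am I?" request (RFC 4532)
    # after this bind; empty when no identity was authenticated.
    authz_id: str


def simple_bind(dn: str, password: str, allow_unauthenticated: bool = True) -> BindResult:
    """Model of the server side of an LDAP simple bind (RFC 4513 section 5.1).

    - empty DN, empty password: anonymous bind, always succeeds, no identity
    - non-empty DN, empty password: *unauthenticated* bind; succeeds whenever the
      server permits it (Active Directory does by default, OpenLDAP only with
      'allow bind_anon_dn'), establishes NO identity, and the password is never
      checked because there is nothing to check
    - both non-empty: credentials are actually verified
    """
    if not dn and not password:
        return BindResult(True, "")
    if dn and not password:
        return BindResult(allow_unauthenticated, "")
    if DIRECTORY.get(dn) == password:
        return BindResult(True, "dn:" + dn)
    return BindResult(False, "")


def user_dn(username: str) -> str:
    # Assumed DN layout for the demo. A real client must escape the username per
    # RFC 4514 (or search for the user's entry first) to avoid DN injection.
    return f"cn={username},ou=users,dc=example,dc=com"


def login_vulnerable(username: str, password: str) -> bool:
    """The bug in the story: 'bind succeeded' is treated as 'password verified'."""
    return simple_bind(user_dn(username), password).success


def login_hardened(username: str, password: str) -> bool:
    """Refuse before binding, then confirm the bind actually authenticated someone."""
    if not username.strip() or not password:
        return False  # never send an empty password: that is an unauthenticated bind
    dn = user_dn(username)
    result = simple_bind(dn, password)
    # Defence in depth: require the server to confirm it authenticated *this* DN,
    # which neither an anonymous nor an unauthenticated bind can satisfy.
    return result.success and result.authz_id == "dn:" + dn


if __name__ == "__main__":
    for handler in (login_vulnerable, login_hardened):
        print(handler.__name__, "alice with blank password ->", handler("alice", ""))
```

The pre-bind check is the fix the story calls for; the post-bind identity check is the belt to go with the braces, since it also catches a client library that silently downgrades to an anonymous bind or a server whose unauthenticated-bind policy changes under you. Whichever LDAP client you actually use, read its documentation for how it treats an empty password in a simple bind rather than assuming it rejects one.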