Another example for “security” by obscurity
Sometimes, you’ll need a catchy example of why “security by obscurity” is such a bad idea. Here’s one: “Starring The Admin.”
The gist is that a developer of an application was too lazy to implement proper user roles. So the solution was “if the login has ‘**’ in it, I’ll grant admin rights”. That’s it. Anyone can get admin rights just by appending “**” to their login (the app removes the “**” from the login before checking it, so no changes to the user database are necessary).
Cool, eh? And so simple!
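To make the flaw concrete, here is an added Python sketch (not the application from the post, whose code is not public) of the “magic marker” login next to a role-based version, plus a small log check a defender could run. The user store, passwords and the `**` marker are constructed for the example.

```python
import hmac
from typing import List, Optional

# Constructed user store. Plaintext passwords are for illustration only;
# real code stores a salted hash. The role lives in the record, not the login.
USERS = {
    "alice": {"password": "alice-pw", "role": "user"},
    "root":  {"password": "root-pw",  "role": "admin"},
}


def _password_ok(user: dict, password: str) -> bool:
    return hmac.compare_digest(user["password"], password)


def login_vulnerable(login: str, password: str) -> Optional[dict]:
    """Reproduces the post's scheme: a '**' anywhere in the login grants admin.
    The marker is stripped before the lookup, so 'alice**' authenticates as
    alice with alice's password but comes back with admin rights."""
    is_admin = "**" in login
    name = login.replace("**", "")
    user = USERS.get(name)
    if user is None or not _password_ok(user, password):
        return None
    return {"user": name, "is_admin": is_admin}


def login_fixed(login: str, password: str) -> Optional[dict]:
    """Hardened form: the login is only an identifier; privilege comes from the
    stored role. Anything outside the identifier alphabet is rejected, never
    reinterpreted as a command."""
    if not login.isalnum():
        return None
    user = USERS.get(login)
    if user is None or not _password_ok(user, password):
        return None
    return {"user": login, "is_admin": user["role"] == "admin"}


def marker_attempts(login_attempts: List[str]) -> List[str]:
    """Detection side: a legitimate identifier never contains '**', so any
    login attempt carrying it (e.g. from an auth log) is worth alerting on."""
    return [attempt for attempt in login_attempts if "**" in attempt]
```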
This entry was posted on Tuesday, November 24th, 2009 at 19:13 and is filed under Comment. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.