Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: LibWhacker

No Good Deed.


3 posted on 10/18/2011 6:28:38 PM PDT by YHAOS (you betcha!)


To: YHAOS
I experienced this type of security flaw on a web site that I have secure access to. I was allowed privileges to view a chart of confidential information for a couple of particular clients. After viewing one chart, I merely took the shortcut and modified the URL with the other client number.

However, I 'fat-fingered-it' (mistyped it) and got a client whom I should not be authorized to see.

To make matters worse, I merely copied the URL for the site I should not have visited, then went into a different browser and was able to go directly to the confidential data.

I reported my access to the one person who could pass it up the line, and quickly learned that the top management would 'shoot the messenger' of anyone providing proof of their incompetence.

Apparently the director of Information Systems for this outfit just got a big raise, was spending a lot of money on changing the system, but really did not know what he was doing.

At that point, I decided to just keep my mouth shut. The little 'change the number on the URL' trick works at a lot of webpages. It is not hacking, it is just being able to post the exact web address that the server is waiting to take care of.

4 posted on 10/20/2011 3:49:28 PM PDT by Dustoff45 (A good woman brings out the best in a good man! A better woman might be just what this nation needs)
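The flaw described in the post above (a chart served for whatever client number is in the URL, and served again to a second browser) comes down to two missing server-side checks. The sketch below is an added example, not part of the thread or the site's code; the user, client numbers, session token and function names are all constructed.

```python
# Constructed data (hypothetical): charts, one logged-in user, her entitlements.
CHARTS = {1041: "chart-1041", 1042: "chart-1042", 1024: "chart-1024"}
SESSIONS = {"sess-abc": "alice"}            # session token -> user
ALLOWED_CLIENTS = {"alice": {1041, 1042}}   # user -> client numbers she may view


def get_chart_vulnerable(client_id, session_token=None):
    """Behaviour the post describes: the client number in the URL is the only
    input consulted, so any valid number returns a chart, even on a request
    that carries no session (the 'different browser' case)."""
    chart = CHARTS.get(client_id)
    return (200, chart) if chart else (404, None)


def get_chart_checked(client_id, session_token=None):
    """Same lookup with both checks: a valid session is required, and the
    session's user must be entitled to this particular client."""
    user = SESSIONS.get(session_token)
    if user is None:
        return (401, None)                  # pasted URL, no login
    if client_id not in ALLOWED_CLIENTS.get(user, set()):
        return (404, None)                  # 404 so the reply does not confirm the number exists
    chart = CHARTS.get(client_id)
    return (200, chart) if chart else (404, None)


def unauthorized_hits(handler):
    """Regression check: every (user, client) pair the handler serves with a
    200 although the entitlement table does not allow it."""
    hits = []
    for token in [None, *SESSIONS]:
        user = SESSIONS.get(token)
        for client_id in CHARTS:
            status, _ = handler(client_id, token)
            allowed = user is not None and client_id in ALLOWED_CLIENTS.get(user, set())
            if status == 200 and not allowed:
                hits.append((user, client_id))
    return hits


if __name__ == "__main__":
    print("vulnerable:", unauthorized_hits(get_chart_vulnerable))
    print("checked:   ", unauthorized_hits(get_chart_checked))
```

Running `unauthorized_hits` against every chart handler in a test suite catches this class of bug before a user does.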



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson