
Well Meaning Hackers

Published: February 13, 2014

Once upon a time there was a programmer named Joe. He made a website with two main areas:

Customer Pages: www.mysite.com/myThing.php?id=3
Admin Pages   : www.mysite.com/admin/?CustomerId=Acme

He even wrote code to make sure that the logged in customer really owned the data behind id=3. Good job Joe!

The admin page didn't need any checks because only sales people inside the company would have links to it. Joe considered this design secure because no one could possibly guess the secret admin page URL. Even if the URL was guessed, no one would guess that there was a CustomerId parameter. Even less likely, he thought, was the possibility that someone could guess that Acme was a valid value for that parameter.

Everything was great. Until. The day of implementation. Joe received a call from his boss. Acme Corp (a customer) was seeing data that was meant only for AB Widgets (another customer). Even worse, AB Widgets seemed to have administrative access!

Oops!

What happened? Jill in sales helped out Acme Corp, which was having trouble with its link to the new website. Jill helpfully sent Acme Corp her link to the website. Her bookmark happened to be:

www.mysite.com/admin/?CustomerId=ABWidget

An innocent mistake, made by a non-technical user.

Epilogue

I've seen this scenario more than once. I hate to admit it, but the first time, I was Joe. The code I didn't write caused a security issue. In other instances, I've had to deal with similar problems caused by others. Most bugs are caused by things software engineers didn't know and/or didn't write code to handle. Our job is all about taking care of the edge cases - even the ones that seem unlikely. Please, don't be Joe!
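
The check Joe's admin page was missing, sketched as an added example (this is not code from the original site or post). The function name, the session fields, the staff assignment table and the sample accounts are all hypothetical; the point is that the decision depends on who is logged in, never on who happens to hold the URL.

```php
<?php
declare(strict_types=1);

// Constructed sample data: which staff accounts may administer which customers.
const STAFF_ASSIGNMENTS = [
    'jill' => ['Acme', 'ABWidget'],
];

/**
 * Decide whether a session may open /admin/?CustomerId=<id>.
 * Returns an HTTP status: 200 allow, 401 not logged in, 403 forbidden.
 * Deny is the default; knowing the URL or the parameter grants nothing.
 */
function authorizeAdminRequest(?array $session, string $customerId): int
{
    if ($session === null || !isset($session['user'], $session['role'])) {
        return 401; // anonymous visitor holding a forwarded link
    }
    if ($session['role'] !== 'staff') {
        return 403; // logged-in customer: never allowed into the admin area
    }
    $assigned = STAFF_ASSIGNMENTS[$session['user']] ?? [];
    if (!in_array($customerId, $assigned, true)) {
        return 403; // staff, but not assigned to this customer
    }
    return 200;
}

// Constructed requests replaying the story: one URL, three different callers.
$cases = [
    'Jill (staff)'           => [['user' => 'jill', 'role' => 'staff'], 'ABWidget'],
    'Acme user, Jill\'s link' => [['user' => 'acme-bob', 'role' => 'customer'], 'ABWidget'],
    'No session at all'      => [null, 'ABWidget'],
];

foreach ($cases as $label => [$session, $customerId]) {
    $status = authorizeAdminRequest($session, $customerId);
    printf("%-24s /admin/?CustomerId=%s -> %d\n", $label, $customerId, $status);
}
```

With a check like this at the top of every admin page, Jill's forwarded bookmark returns 403 for the Acme user instead of another customer's data.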