Here’s an interesting screenshot I just took on a website:
If you’re into development in any shape or form, you’ll see a number of security issues Three has with their website, including but not limited to:
- Password stored in plain text in a connection string
- Trivial password that could be cracked without thinking too hard
- And of course: unhandled errors rendered straight to the browser, so the whole world gets to see them, connection string included.
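As an added example (not code from the original post, and not the site's own code), here is a small Python illustration of the first and third problems side by side: a request handler that renders the raw exception, connection string and all, into the HTTP response, next to a hardened version that catches the error, logs it server-side with the password redacted, and returns only an opaque reference to the client. The connection string, the simulated database driver and the environment variable names are constructed for the example.

```python
import logging
import re
import uuid

# Constructed sample: an ADO.NET-style connection string with a plaintext,
# trivial password, the kind of thing the error page on the screenshot exposed.
INSECURE_CONN_STR = "Server=db.internal;Database=shop;User Id=sa;Password=Password1;"

# Matches the password component of a connection string, case-insensitively.
_PASSWORD_RE = re.compile(r"(?i)(password|pwd)\s*=\s*[^;]*")


def redact_connection_string(text):
    """Mask the password component so the text is safe to write to a log."""
    return _PASSWORD_RE.sub(lambda m: m.group(1) + "=***", text)


class DatabaseError(Exception):
    pass


def open_connection(conn_str):
    """Stand-in for a real driver (assumption): it fails and echoes the
    connection string back in its message, as verbose driver errors often do."""
    raise DatabaseError("Login failed. Connection string was: " + conn_str)


def handle_request_insecure(conn_str):
    """Anti-pattern: the unhandled exception text becomes the response body."""
    try:
        open_connection(conn_str)
        return 200, "ok"
    except Exception as exc:
        # Leaks host, database, user name and password to any visitor.
        return 500, "Unhandled exception: %s" % exc


def handle_request_hardened(conn_str, log=None):
    """Catch the error, log it with the secret redacted, return a generic page."""
    log = log or logging.getLogger("app")
    try:
        open_connection(conn_str)
        return 200, "ok"
    except Exception as exc:
        incident_id = uuid.uuid4().hex[:12]
        # Redact before logging so the log store does not become a second leak.
        log.error("[%s] %s", incident_id, redact_connection_string(str(exc)))
        # The client only gets a reference it can quote to support.
        return 500, "Something went wrong. Reference: %s" % incident_id


def build_connection_string(env):
    """Assemble the string at runtime from a secret source instead of hardcoding it.
    `env` is a mapping such as os.environ; the variable names are assumptions."""
    required = ("DB_HOST", "DB_NAME", "DB_USER", "DB_PASSWORD")
    missing = [k for k in required if k not in env]
    if missing:
        raise KeyError("missing configuration: " + ", ".join(missing))
    return "Server=%s;Database=%s;User Id=%s;Password=%s;" % (
        env["DB_HOST"], env["DB_NAME"], env["DB_USER"], env["DB_PASSWORD"])


if __name__ == "__main__":
    print(handle_request_insecure(INSECURE_CONN_STR))
    print(handle_request_hardened(INSECURE_CONN_STR))
```

Running it shows the insecure handler returning the full connection string in the 500 body, while the hardened handler returns only a reference and the redacted line goes to the server log. Keeping the password out of source and config files (the `build_connection_string` pattern) is the fix for the first point; the real driver and the secret store are whatever your platform provides.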
I’ve omitted the name of the website, to protect the guilty, but there wasn’t much point, based on what the error was returning. There’s a lot that a potential attacker could learn from that lapse (a working database password, for a start), and it highlights the need to have a security professional involved in your development and release processes. These are basic errors that can be prevented, so why risk your site, and your reputation?