Security Audit? Who needs one of those?

Here’s an interesting screenshot I just took on a website:

[Screenshot: sapassword]

If you’re into development in any shape or form, you’ll see a number of security issues Three has with their website, including but not limited to:

  1. Password stored in plain text in a connection string
  2. Trivial password that could be cracked without thinking too hard
  3. And of course: not trapping errors so the whole world gets to see them.

I’ve omitted the name of the website, to protect the guilty, but there wasn’t much point, based on what the error was returning. There’s a lot that a potential hacker could learn from that lapse, and it highlights the need for having a security professional involved in your development and release processes. These are basic errors that can be prevented, so why risk your site... and your reputation?
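As an added illustration (not from the original post, and not the configuration of the site in question), here is the ASP.NET web.config pattern behind issues 1 and 3 in the list above, next to a hardened version. The server name, database name, login and password are made-up placeholders:

```xml
<!-- BEFORE (constructed example of the weak pattern): a SQL login with a
     guessable password sits in plain text in the file, and detailed error
     pages, connection string included, are shown to every visitor -->
<configuration>
  <connectionStrings>
    <add name="MainDb"
         connectionString="Server=db01;Database=Customers;User Id=sa;Password=password1;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- AFTER: the site runs as a least-privilege Windows service account and
     authenticates with it (no password in the file at all), and detailed
     errors are shown only to a browser on the server itself; remote
     visitors get a generic page -->
<configuration>
  <connectionStrings>
    <add name="MainDb"
         connectionString="Server=db01;Database=Customers;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```

Where a SQL login genuinely cannot be avoided, the `connectionStrings` section can at least be encrypted at rest with `aspnet_regiis -pe "connectionStrings" -app "/YourApp"` so the password is not readable in the file.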

3 comments

  1. That’s ALARMING! Especially on a day when T-mobile admits to its customer data getting sold. That’s pretty much enough for the BBC to go and accuse (I assume) two other phone companies of negligence in one screen shot.

    Never mind – I hear we will all have to store EVERYTHING by 2017, love and kisses from the EU. If major companies can’t keep stuff secret, what hope does a mom and pop operation have? That, coupled with the need for Estate Agents to photocopy my passport just to look at a house and I’m not feeling that “authority” is working in our interests really, are you 🙂

    Good find.

  2. I’m quite surprised that such a big company has left themselves so exposed in this way. It’s not as if in the SQL Server & .net world it’s hard to sort out that kind of security 😉
