Was it a cringe-worthy password on a post-it note, a poorly secured database, or a misconfigured server? 😢 What are some of the biggest security mistakes you've seen in your career? And don't forget to share your tips on how to avoid these mistakes!
Join the conversation and follow the DEV Team for more thought-provoking discussions!
Image by pch.vector on Freepik.
Direct usage of eval on end user input to perform basic math, from within Node.js. Not only did this mean allowing users to perform "remote code execution", but to even get eval required bypassing codebase checks. The worst part was this was being performed by a "senior" developer and part of an app that would rely heavily on end user input. They got demoted from the project soon after and we removed the offending code.
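One way to do "basic math on end user input" in Node.js without reaching for eval, added here as an example (not code from the thread): a small tokenizer and recursive-descent evaluator that accepts only numbers, + - * /, unary minus and parentheses, so no input is ever handed to the JavaScript engine as code. The grammar, the 200-character limit and the error types are my choices for this illustration.

```javascript
// Added example (not the thread's code): a tiny arithmetic evaluator for the
// "basic math on end user input" case, replacing eval() so input is never run.
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([-+*\/()]))/y; // sticky: nothing is skipped
  const tokens = []; let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new SyntaxError(`unexpected character at offset ${pos}`);
    tokens.push(m[1] !== undefined ? { type: 'num', value: Number(m[1]) } : { type: 'op', value: m[2] });
    pos = re.lastIndex;
  }
  return tokens;
}

function safeCalc(src) {
  if (src.length > 200) throw new RangeError('input too long'); // bounds recursion depth
  const tokens = tokenize(src.trim());
  let i = 0;
  const isOp = (...ops) => i < tokens.length && tokens[i].type === 'op' && ops.includes(tokens[i].value);
  function expr() {                       // + and - (lowest precedence)
    let v = term();
    while (isOp('+', '-')) v = tokens[i++].value === '+' ? v + term() : v - term();
    return v;
  }
  function term() {                       // * and /
    let v = factor();
    while (isOp('*', '/')) {
      const op = tokens[i++].value, r = factor();
      if (op === '/' && r === 0) throw new RangeError('division by zero');
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function factor() {                     // number, unary minus or parentheses
    const t = tokens[i++];
    if (!t) throw new SyntaxError('unexpected end of input');
    if (t.type === 'num') return t.value;
    if (t.value === '-') return -factor();
    if (t.value === '(') {
      const v = expr();
      if (!isOp(')')) throw new SyntaxError('expected )');
      i++; return v;
    }
    throw new SyntaxError(`unexpected token ${t.value}`);
  }
  const result = expr();
  if (i !== tokens.length) throw new SyntaxError('unexpected trailing input');
  return result;
}
```

Anything outside the grammar (identifiers, property access, function calls) fails at the tokenizer with a SyntaxError rather than being executed.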
A production, internet facing database, with credentials "admin" 12345 🥲
The very recent oopsie whoopsie by Google has got to be one of the very worst ever:
Source: twitter.com/mysk_co/status/1651021...
Google has since announced that they have plans to offer proper encryption "down the line" 🤠
Source: twitter.com/christiaanbrand/status...
Wow, welp, I was interested in using this feature but if it's not encrypted on-device with my own keys, then no thanks, I'll just continue keeping a pile of recovery codes in my safe deposit box.
Once worked on a CMS project. Some content is sensitive, so there was a requirement to perform IP checking to make sure users can only access that sensitive content inside the office.
A senior guy implemented this requirement in this way: when the user's IP is not inside the office, add a display: none CSS style to the content. This is scary and funny.
Order tracking website where the user account was a URL parameter with no password/token. You could see order details for any and all of their customers including delivery address and what was in the order.
And a lot more; if I have to, I can keep on going, as I have read and seen a lot.
I once was fixing a PHP site where there was a login page but the other PHP pages did not check if the user was logged in, and "hidden" pages were trivial to guess. The site was created by some high schooler, and other unrelated high schoolers (probably) were messing with the site without the admin password or a need to log in. The owner said that the images he uploaded were disappearing; it was funny, actually, to see why by looking at the code.
An SSO-protected web site where you could bypass the SSO by adding 'username=any user' to the URL.
Not actually software development, but back in the last millennium I was once inducted into a company IT team where the network administration password was a four-letter dictionary word.
VBA code running a direct SQL query using the sa user account (and unencrypted password) for the connection.