What Are Some of the Worst Security Practices You’ve Ever Seen in Software Development?

Direct usage of eval used on end user input to perform basic math, from within nodejs.

Not only did this mean allowing users to perform "remote code execution", but to even get eval required bypassing codebase checks.

The worst part was this was being performed by a "senior" developer and part of an app that would rely heavily on end user input. They got demoted from the project soon after and we removed the offending code.

A production, internet facing database, with credentials "admin" 12345 🥲

The very recent oopsie whoopsie by Google has got to be one of the very worst ever:

Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
[...]
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Source: twitter.com/mysk_co/status/1651021...

Google has since announced that they have plans to offer proper encryption "down the line" 🤠

Source: twitter.com/christiaanbrand/status...

Once worked on a CMS project. Some content are sensitive so there was a requirement to perform IP checking to make sure users can only access those sensitive content inside the office.
A senior guy implemented this requirement in this way: When the user's IP is not inside the office, add a display: none css style to the content.

Order tracking website where the user account was a URL parameter with no password/token. You could see order details for any and all of their customers including delivery address and what was in the order.

• Making the security of database accessible to all the services instead of only the services needing database access.
• Making the website vulnerable to clickjacking , and cross forgery attack etc

And a lot more, if I have to say I can keep on saying as I have read and seen a lot

I once was fixing PHP site where there was a login page but other php pages did not check if user was logged, and "hidden" pages were trivial to guess. The site was created by some high schooler and other not related high schoolers (probbaly) was messing with the site without the admin password or a need to login. The owner said that the images that he upload was disappearing, it was funny actally to see why by looking at the code.

An sso protected web site where you could bypass the sso by adding 'username=any user' in the url

Not actually software development, but back in the last millennium I was once inducted into a company IT team where the network administration password was a four letter dictionary word.

VBA code running a direct SQL query using the sa user account (and unencrypted password)for the connection.

I've seen database credentials passed into clients as variables with the actual secret values in comments next to them.

Access control on client side, not server side, in in-house application. Could be bypassed by loading binary and calling client proxy functions directly.