dev.to staff for The DEV Team

Posted on Apr 29, 2023 with Erin A Olinick

What Are Some of the Worst Security Practices You’ve Ever Seen in Software Development?

#discuss

Was it a cringe-worthy password on a post-it note, a poorly secured database, or a misconfigured server? 😢 What are some of the biggest security mistakes you've seen in your career? And don't forget to share your tips on how to avoid these mistakes!

Join the conversation and follow the DEV Team for more thought-provoking discussions!

The DEV Team

The team behind this very platform. 😄

Image by pch.vector on Freepik.

Oldest comments (14)

Kostas Kalafatis • Apr 29 '23

A production, internet facing database, with credentials "admin" 12345 🥲

Dhanush N • Apr 29 '23

Making the security of database accessible to all the services instead of only the services needing database access.
Making the website vulnerable to clickjacking , and cross forgery attack etc

And a lot more, if I have to say I can keep on saying as I have read and seen a lot

Brad • Apr 29 '23

Direct usage of eval used on end user input to perform basic math, from within nodejs.

Not only did this mean allowing users to perform "remote code execution", but to even get eval required bypassing codebase checks.

The worst part was this was being performed by a "senior" developer and part of an app that would rely heavily on end user input. They got demoted from the project soon after and we removed the offending code.

cloutierjo • Apr 29 '23 • Edited

An sso protected web site where you could bypass the sso by adding 'username=any user' in the url

Aaron Reese • Apr 29 '23

VBA code running a direct SQL query using the sa user account (and unencrypted password)for the connection.

Aaron Reese • Apr 29 '23

Order tracking website where the user account was a URL parameter with no password/token. You could see order details for any and all of their customers including delivery address and what was in the order.

Peter Franken • Apr 29 '23

The very recent oopsie whoopsie by Google has got to be one of the very worst ever:

Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
[...]
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Source: twitter.com/mysk_co/status/1651021...

Google has since announced that they have plans to offer proper encryption "down the line" 🤠

Source: twitter.com/christiaanbrand/status...

Randall • May 3 '23

Wow, welp, I was interested in using this feature but if it's not encrypted on-device with my own keys, then no thanks, I'll just continue keeping a pile of recovery codes in my safe deposit box.

Gary Lee • May 2 '23 • Edited

Once worked on a CMS project. Some content are sensitive so there was a requirement to perform IP checking to make sure users can only access those sensitive content inside the office.
A senior guy implemented this requirement in this way: When the user's IP is not inside the office, add a display: none css style to the content.

Richard Holguín • Oct 24 '23

This is scary and funny.

Shahab Dogar • May 3 '23

I've seen database credentials passed into clients as variables with the actual secret values in comments next to them.

YaakovN • May 3 '23

Access control on client side, not server side, in in-house application. Could be bypassed by loading binary and calling client proxy functions directly.

View full discussion (14 comments)

The DEV Team Follow

The DEV Team