• Bill (unregistered)

    Genious! Brillant, even!

  • WeatherGod (cs)

    Well, it is always good to know what is definitely secure, right?

  • R. Tyler Ballance (unregistered)

    BRILIANT!

    Why does it seem so many WTFs are caused by someone being "too clever" and using javascript to process information instead of...the server-side scripting language they are 'pretending' to use?

  • anon (unregistered)

    Re. AccountID - I worry about secure sessions too sometimes, since they don't really seem all that secure.  Have most people switched over to using GUIDs instead of AccountIDs?  That is what I'm considering.

  • Benjamin Graham (unregistered)

    Could we get the name of the brokerage? I'd like to open an account. For about 15 minutes.

  • R.Flowers (cs)
    What's interesting is that it could have worked just as easily being called CalculateFees.html -- the page didn't utilize a line of server-side code...


    They probably used an HTML-to-JSP converter.

    It seems you can find real security at the web sites of Linux user groups, but not at banks and brokerage houses. Wow!

  • Rich (unregistered) in reply to R. Tyler Ballance

    Why does it seem so many WTFs are caused by someone being "too clever" and using javascript to process information instead of...the server-side scripting language they are 'pretending' to use?

    What are you talking about, not server side? It has client-side JSP sent to be server-side JSP!!!  Brillant!!

  • Jojosh_the_Pi (cs)

    What is this, security by this-is-so-unexpected-no-one-will-look-here?  Right, and let's trick Al-Qaeda by donating them money...they'll be so bewildered, they won't know what to do with it!

  • WeatherGod (cs) in reply to R.Flowers
    R.Flowers:
    What's interesting is that it could have worked just as easily being called CalculateFees.html -- the page didn't utilize a line of server-side code...


    They probably used an HTML-to-JSP converter.

    It seems you can find real security at the web sites of Linux user groups, but not at banks and brokerage houses. Wow!


    Kinda funny considering that LUGs advocate openness while banks advocate closed-ness.  (still wondering why my bank closes at 1:00 on Saturdays...)

  • Xargon (cs) in reply to R. Tyler Ballance
    Anonymous:
    BRILIANT!

    Been here long? :-)

  • BiggBru (cs)
    Alex Papadimoulis:

    TransferFunds.jsp - This page would initiate an ACH transfer between the brokerage company and the users stored bank account numbers. Only certain users were authorized for this page, but a sophisticated hacker might be able to figure out that setting the "canUseACH" cookie token from "N" to "Y" might do the trick.

    C'mon, Alex, what are you expecting here? We all know those sophisticated hackers are always 3 steps ahead of the security game.

    The developers were probably going for "Security by Stupidity", hoping that no self-respecting hacker would try something so simple. It's like taking candy from a retarded baby monkey.

    >BiggBru

  • GoatCheez (cs)

    Man, this definitely made my day. lol.... all I can say is roflmao.... Brillant!

  • ParkinT (cs)

    ...it's possible that a sophisticated hacker may be able to figure it out.

    But the press tells us that all hackers are 12 year old children who failed out of school, so probably cannot read!

  • dazed (unregistered)

    After the discussions of the last two days, a WTF which is proof against anyone arguing that it's not a WTF. Quite stomach-churning.

  • mrsticks1982 (cs) in reply to ParkinT
    ParkinT:

    ...it's possible that a sophisticated hacker may be able to figure it out.

    But the press tells us that all hackers are 12 year old children who failed out of school, so probably cannot read!


    hence, this program!!

  • Whiskey Tango Foxtrot? Over. (cs) in reply to Xargon

    Xargon:
    Anonymous:
    BRILIANT!

    Been here long? :-)

    Apparently not long enough. [:D]

  • Jojosh_the_Pi (cs) in reply to dazed

    Someone's going to be up to the challenge of "demonstrating" why this is not a WTF.  (Right?  Anyone?) 

    Not to mention there's probably about even odds that someone will end up defending this for real.

  • ParkinT (cs) in reply to Whiskey Tango Foxtrot? Over.

    BRILIANT!

    Been here long? :-)

    Apparently not long enough. [:D]

    Hello. Paula?

  • kipthegreat (cs) in reply to Jojosh_the_Pi
    Jojosh_the_Pi:
    Someone's going to be up to the challenge of "demonstrating" why this is not a WTF.  (Right?  Anyone?) 

    Not to mention there's probably about even odds that someone will end up defending this for real.


    Clearly the whole system is a cleverly designed honeypot, secretly operated by an elite group of NSA super-hackers.  I bet they are catching scammers left and right with this thing.

  • DaveE1 (cs)

    I really need to get into the habit of reading the source of a web page.  I can just imagine all the wtf goodness I could find...

  • Bus Raker (cs) in reply to dazed

    Anonymous:
    After the discussions of the last two days, a WTF which is proof against anyone arguing that it's not a WTF. Quite stomach-churning.

    This isn't a WTF.  The security assessment company was surely being tested by this firm to see if they knew what they were doing.

  • Maximilianop (cs) in reply to Rich

    I just want to be left alone with the person responsible for letting browser side script communicate with server side script... just 1 freaking minute... I swear he will make an "I'm so sorry" statement on every blog.



    Really, why is it companies keep hiring 2 bucks per day programmers to handle costumer data.... THAT is a WTF itself... The rest is WTF by inheritance.

  • Maximilianop (cs) in reply to Maximilianop

    I meant 2 bucks per day programmers to program modules which handle costumer data, for those not BRILIANT! enough to understand :P



    [Alex, there's too little time for enabling the edit button]

  • codeman (cs)

    I'd comment on the lack of security, but didn't one (more?) of the major banks/brokerages recently lose a tape with something like 30mm account numbers, ss#'s and passwords on it because they shipped it via UPS/FedEx/whomever and it just happened to be misplaced?

    Let's face it, even if the code was the purest of pure-bred well designed and thoroughly thought out systems, there are still common-sense WTF's all around us in life.

    It is to laugh...

  • tdog (unregistered)

    sooooooooo......  get to the part about what happened when the security company told the client they had no security.

    tdog

  • Kodi (cs) in reply to Maximilianop

    Maximilianop:
    Really, why is it companies keep hiring 2 bucks per day programmers to handle costumer data.... THAT is a WTF itself... The rest is WTF by inheritance.

    costumer --> Misspelling? Perhaps not!

  • TomCo (cs)

    WHERE R THE TESTERS! [;)]

    Dear Developers:

    "Invalid AcctId." is too cryptic.  I'm typing in "Mama goes Bats" in this field and getting this message.  Please format a better message along the lines "My mama is not 'bats'.  Please focus on supplying the requested account ID."  Also, this application should be able to display errors in multiple languages.

    nihonAlert('BAKKA YA RO!!!!');


  • JR (unregistered) in reply to codeman
    codeman:
    I'd comment on the lack of security, but didn't one (more?) of the major banks/brokerages recently lose a tape with something like 30mm account numbers, ss#'s and passwords on it because they shipped it via UPS/FedEx/whomever and it just happened to be misplaced?

    IronMountain has been losing tapes lately.  Too bad many companies don't check the box labeled "encrypt".

  • Dustman (unregistered) in reply to ParkinT
    ParkinT:

    ...it's possible that a sophisticated hacker may be able to figure it out.

    But the press tells us that all hackers are 12 year old children who failed out of school, so probably cannot read!



    On the other hand, given the Lowest Common Denominator (tm) method of education used at most schools these days, the ones who can read probably _are_ the ones who are being flunked out.

    CAPTCHA = SPEAKER. How apropos.

  • ParkinT (cs) in reply to Dustman
    Anonymous:
    ParkinT:

    ...it's possible that a sophisticated hacker may be able to figure it out.

    But the press tells us that all hackers are 12 year old children who failed out of school, so probably cannot read!



    On the other hand, given the Lowest Common Denominator (tm) method of education used at most schools these days, the ones who can read probably _are_ the ones who are being flunked out.

    CAPTCHA = SPEAKER. How apropos.

    That is, actually, quite profound.

       Perhaps too much so for this forum [;)]

  • kbiel (unregistered) in reply to JR
    IronMountain has been losing tapes lately. Too bad many companies don't check the box labeled "encrypt".

    But encrypting the backups takes too long. Then again, sending the backups to anything but /dev/null takes too long.

  • smbell (cs)

    OMG I know that brokerage firm.  Shortly after this happened they reorganized the company and got into the forum software business.

    I think they called themselves something like 'Smart Systems' and make a product called 'Community Served'.  I'm having a hard time remembering the exact names, but something like that.

    ;)

  • SpComb (unregistered) in reply to Jojosh_the_Pi
    Jojosh_the_Pi:
    Someone's going to be up to the challenge of "demonstrating" why this is not a WTF.  (Right?  Anyone?) 

    Not to mention there's probably about even odds that someone will end up defending this for real.

    Of course, this is a highly advanced design. You are 100% safe against stuff like this. Imagine the advantages! Nasty old google can't come around and knock down your site just because some stupid user copy-pasted a sensitive link.

    On top of that, you are safe from email address collecting bots and automated spamming systems.

    This also saves lots of server resources. Server doesn't have to do too much logic, and in some cases, it has been shown that hard disk usage DECREASES over time!

    'nuf said.

  • GalacticCowboy (cs) in reply to smbell

    smbell:
    OMG I know that brokerage firm.  Shortly after this happened they reorganized the company and got into the forum software business.

    I think they called themselves something like 'Smart Systems' and make a product called 'Community Served'.  I'm having a hard time remembering the exact names, but something like that.

    ;)

    I'm pretty sure you mean 'Mart Systems...

  • emurphy (cs) in reply to Maximilianop
    Maximilianop:
    I just want to be left alone with the person responsible for letting browser side script communicate with server side script... just 1 freaking minute... I swear he will make an "I'm so sorry" statement on every blog.


    Of course, a vanilla form feeding to a server-side script can still be more full of security holes than a block of Swiss cheese.  But browser-side scripts do lead to the "rely on browser-side data validation" anti-pattern, so yeah, we feel your pain.
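
The thread touches three defensive points: the "canUseACH" cookie flip quoted from the article, the AccountID-in-session worry raised earlier, and the "rely on browser-side data validation" anti-pattern named just above. The following is an added example, not code from the article, the brokerage, or any commenter: it models the cookie-driven check the article describes beside a hardened handler in which the client holds only a random session id, and entitlement, account ownership and amount format are all decided on the server. The user table, account numbers and amount rules are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional, Tuple

# Constructed user store standing in for the brokerage's back end (hypothetical data).
USERS = {
    "alice": {"ach_allowed": True, "accounts": {"1001"}},
    "bob": {"ach_allowed": False, "accounts": {"2002"}},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: cookies plus POSTed form fields."""
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def transfer_funds_vulnerable(req: Request) -> Tuple[int, str]:
    """Models the cookie-driven check described in the article (constructed, not the real code).

    The authorization decision depends entirely on a value the browser sends back,
    and nothing ties the request to a logged-in user or checks the account number.
    """
    if req.cookies.get("canUseACH") != "Y":
        return 403, "ACH not enabled"
    return 200, "ACH transfer of %s from %s initiated" % (
        req.form.get("amount"), req.form.get("acctId"))


# Hardened pattern: the client holds only an unguessable session id; identity,
# entitlements and account ownership are looked up in server-side state.
SESSIONS: Dict[str, str] = {}  # session id -> username; lives only in server memory


def login(username: str) -> str:
    """Issue a 256-bit random session token; nothing about the user is encoded in it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def parse_amount(raw: str) -> Optional[Decimal]:
    """Server-side validation of the amount field, independent of any browser script.

    Accepts a finite, positive decimal with at most two fractional digits; anything
    else (text, NaN, negative, too many decimals) is rejected rather than trusted.
    """
    try:
        amount = Decimal(raw)
    except (InvalidOperation, TypeError, ValueError):
        return None
    # is_finite() must be tested first: comparing a NaN with <= raises in decimal.
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        return None
    return amount


def transfer_funds_hardened(req: Request) -> Tuple[int, str]:
    """Every decision is made from server-side state keyed by the session id."""
    user = SESSIONS.get(req.cookies.get("sessionId", ""))
    if user is None:
        return 401, "Not logged in"
    profile = USERS[user]
    if not profile["ach_allowed"]:          # entitlement comes from the server, not a cookie
        return 403, "ACH not enabled for this user"
    acct = req.form.get("acctId", "")
    if acct not in profile["accounts"]:     # ownership check defeats acctId tampering
        return 400, "Invalid AcctId."
    amount = parse_amount(req.form.get("amount", ""))
    if amount is None:
        return 400, "Invalid amount."
    return 200, "ACH transfer of %s from %s initiated for %s" % (amount, acct, user)


if __name__ == "__main__":
    tampered = Request(cookies={"canUseACH": "Y"}, form={"acctId": "1001", "amount": "10"})
    print("vulnerable:", transfer_funds_vulnerable(tampered))   # 200: cookie alone wins
    print("hardened:  ", transfer_funds_hardened(tampered))     # 401: no server-side session
    bob = login("bob")
    bob_req = Request(cookies={"sessionId": bob, "canUseACH": "Y"},
                      form={"acctId": "2002", "amount": "10"})
    print("hardened, bob + cookie flip:", transfer_funds_hardened(bob_req))  # 403
```

The point of the side-by-side is that the hardened handler ignores "canUseACH" entirely; the same cookie flip that succeeds against the first function yields 401 or 403 against the second, and a guessed or sequential account number fails the ownership check. A random token from `secrets` plays the role the earlier comment had in mind for a GUID: it carries no user information and cannot be predicted from another user's value.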

  • mrprogguy (cs) in reply to Maximilianop

    Maximilianop:
    Really, why is it companies keep hiring 2 bucks per day programmers to handle costumer data.... THAT is a WTF itself... The rest is WTF by inheritance.

    I believe this was about the banking industry, not the movie and theatre industries.  WTF?

  • Garden gnome (unregistered) in reply to smbell

    Until this post I thought the forum software was a 5 minute home grown job... I can't believe this is commercial! Just ... wow. CAPTCHA == analysis with the 'anal' in a dark bold colour and the 'lysis' in a light, barely readable colour... sums it up really.

  • Peter (unregistered)

    Yes, but have you tried Javascr...- nevermind...

  • John (unregistered)

    Maybe it's just a Honeypot; anyone attempting any of these breaches gets IP banned...

  • Anonymous (unregistered) in reply to TomCo
    TomCo:

    nihonAlert('BAKKA YA RO!!!!');

    FYI: 馬鹿野郎 (ばかやろう) is romanized as bakayarou, not "bakka ya ro".

  • Derek (unregistered) in reply to Jojosh_the_Pi

    Maybe it was on an SSL server? Still, the cookies... bad programming...

    captcha was "bozo" haha

  • chrismcb (cs) in reply to Maximilianop

    Maximilianop:

    Really, why is it companies keep hiring 2 bucks per day programmers to handle costumer data.... THAT is a WTF itself... The rest is WTF by inheritance.

    The sad thing is you are off by probably 3 magnitudes on the price of your programmers.

  • Vector (cs) in reply to Anonymous
    Anonymous:
    TomCo:

    nihonAlert('BAKKA YA RO!!!!');

    FYI: 馬鹿野郎 (ばかやろう) is romanized as bakayarou, not "bakka ya ro".



    ??????!!!
  • Vector (cs) in reply to Vector

    Pardon me, with this atrocious forum software's inability to edit posts...

    I meant to say

    よくできました!!

    「ばかやろう」 は なんですか

  • dpm (cs) in reply to GalacticCowboy
    GalacticCowboy:

    smbell:
    I think they called themselves something like 'Smart Systems'

    I'm pretty sure you mean 'Mart Systems...



    No, he got it right.  "Shop smart!  Shop S-Mart!"

    ok
    dpm

  • TomCo (cs) in reply to Vector

    Pardon me, with this atrocious forum software's inability to edit posts...

    I meant to say

    よくできました!!

    「ばかやろう」 は なんですか


    It's been a long while since I had to translate, so I had this site do it for me:

    http://www.animelab.com/anime.manga/translate

    Here's what I got in return (using the "translate" button).

    yo ku de ki ma shi ta ! !

    -- evening, night clause outflow tree rub, scrape city who

    "ba ka ya ro u" wa nan de su ka

    -- "ba sent, oder question mark furnace u" I, me, oneself, self, ego what outflow to do sent, oder

    Ahhh, now I understand. [^o)]  _jokes_

    The nihonAlert() was just a way for me to show that developers can shout at the "user" in more than just plain old English.  Hope I did not offend with my rough & rusty romaji. [:^)]


  • David Wolever (unregistered)

    Man, you laugh at this sort of thing now... But I've had to deal with this sort of crap first hand (fortunately not with a bank) and my stomach just turns when I see it...  Please, Alex, spare us (and PLEASE fix the CAPTCHA!)

  • Anonymous Surfer (unregistered)

    But hey!

    At least they knew something was wrong with their security, and they knew that they weren't up to testing it themselves, so they brought in someone who did. A lot of people wouldn't have had that level of self-assessment in the first place.

  • Pedant (cs) in reply to R.Flowers

    Actually, in some situations you can't use HTML pages if you want to keep the client's session. I think it is where the session tracking is in URL rewriting...

    Going to have to brush up before the SCWCD exam in a few weeks ;)

  • Sean (cs)

    This makes me want to start keeping my money under my mattress.

Leave a comment on “Insecurity Assessment”
