• Truth (unregistered)

    I believe that I may be just a bit senile in my mid-to-late teens, but if this is some super secret private information that no one should have unless given, it should be secured better. A lot better. Who would be so dumb as to use a redirect log-in form, let alone call it "secure"? I'm currently debating whether to log in or not based on the I-don't-want-an-idiot-judge-to-label-me-a-hacker thing.

  • Thomas (unregistered)

    I'm curious with regards to the Computer Misuse Act. Suppose I create a web page with textboxes labeled for username and password and lower down the page I show the username and password. In addition, I write something on the page about not entering if you are not authorized. If I login, am I breaking the law? If so, then why have the login at all? Why not simply say something to the effect of "If you click this link and are not authorized, you are breaking the law." Why even bother with the login?

  • Agamous Child (unregistered)

    A little more digging, and it looks like they have multiple security problems, from their online invoice payment system, to their open mailer forms for everything from applying for a job to uploading documents for printing.

    They opened themselves up for this by cold-calling.

  • dude, Man, braa (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Umm... So let me get this straight. You are mad because you and your wife work at a company that can't secure its own website. I suppose if you can't secure your website you can... oh, I don't know... /sarcasm secure the personal data of all your clients /sarcasm. Right. I mean, it's no big deal, just change a plain-text password and hey, no one has to live with identity theft. Here, while I am at it, let me sign you up at freecreditreports.com and LifeLock so that way your children and wife don't have to starve to death in the coming months. In fact I know so much about yet another anonymous user that I will change the password again and present idle, brainless threats that I can't back up, because hey, I can secure my website with a frackin' if-then-else statement. I am God . . . . . . .

  • Mike (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Ok, calm down. First, nobody did any hacking. If you know how to write simple code for password protecting a site, in which both the username and password or the site itself are obtainable independently of each other, then you have to be prepared to expect that others might know how to read code too. Heck, I never "hacked" a thing in my life, nor do I know HTML, and I could have got the username and password.

    Second, the author of this blog wanted solid info before investing that much money and you just didn't want to give it to him. He was curious, went to your website (which is free and legal to visit), looked at the html code for it (which is free and legal and unavoidable) and found a direct link, let alone the password. No harm done, chill out, I mean, it's only on the front page of Digg, how bad could it be?

    Mike

  • Jack (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    You, sir, are an idiot. A 2 year old could check the site's source code to get its password and a 4 year old can code a more secure site.

  • SaintAndre (unregistered)

    If they really are putting up a huge database of contact info for government contractors, and the best security they can come up with is subverted by reading the page source...

    ...wouldn't that make them guilty of (at best) gross negligence, and (at worst)...treason?

  • George W. Bush (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Don't worry, we got your info too Jim Sprecher. I'll make sure to nominate you for e-idiot of the century awards.

  • ha (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    sorry, but looking at the source code of a web page is not "hacking".

  • (cs)

    This ought to do it:

    function pasuser(form) {
    location="http://officers.federalsuppliers.com/"+form.id.value+form.pass.value+".asp?redir=agents.html"
    }
  • (cs)

    You know, my company's site actually got hax0red once (phpbb vuln, turned out our managed hosting wasn't managed quite well enough). It was a deface, standard thing, "pwnt by superhaxors!" or whatever... and it had a link to their IRC channel.

    Did I go on their channel threatening to sue them and berating them for destroying my company?

    No. I did not. I said, "Hey, I'm from blahblah.com; looks like you guys found a vuln. Anybody know who did it?" and they said, "Oh, yeah, it was Joe. Hey, Joe!"

    So I chatted with Joe a bit, he told me about the method used for the deface, gave me some suggestions, and I tipped my hat and went on my way, older and wiser.

    It appears, however, that this is not part of the strategy employed by the business in question. I wish them luck with their chosen alternative.

  • Mania (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    So... if a website had this button:

    "ONLY ADMINISTRATORS MAY CLICK THIS BUTTON"

    Would clicking it count as hacking?

  • (cs) in reply to Mania
    Mania:
    So... if a website had this button:

    "ONLY ADMINISTRATORS MAY CLICK THIS ASSTON"

    Would clicking it count as hacking?

    Fixed that for ya.

  • bwahahaha (unregistered)

    Nice. But, they seemed to removed most of their content. Luckily, Google's cache still has a lot of it: http://www.google.com/search?q=site:federalsuppliers.com

  • gollum (unregistered) in reply to Sys

    This could possibly be the most advertising this site has ever received.....

  • GB (unregistered) in reply to Richard Sargent
    Richard Sargent:
    My captcha code was already in the IE drop list of previously used text strings. How secure is that?!?!

    Captcha is merely a spam filter, doesn't qualify as "security". For some websites with low traffic, an even more elemental captcha system (yes, showing the word as text! maybe with some naive HTML obfuscation!) is enough. It stops spamming bots that target any form with textarea + submit button. There is a difference between "security breach" and "annoyance".

  • (cs) in reply to Logic Man
    Logic Man:
    3. "I am proud to work here and help small businesses obtain government work". This would be ... Red herring? Flat out irrelevant?

    Pre-emptive denial. "We're not rip-off artists, really we aren't!"

    D:
    So it looks like some 198 web sites are running on that IP address - including quite a few sex sites - one wonders what kind of legit business would be piled in on a server like that.

    I bet it is indeed an amusing list, but how do you actually get it? (Yeah, this is a gap in my knowledge, I'm an application software guy, sue me.) At a guess, the answer to your question is merely "a cheap one".

    Also, this thread has got to be setting all kinds of records for number of users posting essentially redundant responses because they hit the whine from Father of Four and just couldn't wait any longer. No doubt this will convince FoF and Lucy beyond a shadow of a doubt that we are, in fact, a Huge Shadow Conspiracy bent on their utter destruction. Hee.

  • Jack (unregistered)

    wow...just wow.

    Is this what happens when the nephew of one of the managers who is "really good at that internet thing" is allowed to design a website?

    I'm sure the guy who wrote "Writing Secure Code" just threw his hands in the air and said "I quit."

  • bahaha (unregistered) in reply to Sys

    roflmao great find.

  • nmn (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    That 'security' is a FUCKING JOKE. You suck, and so do all of the programmers who passed that by. This isn't hacking by any means. The password is encoded in plain text in files sent to the client. The password protection needs to be server-side.

    Don't complain if people get around your security when it sucks so bad that it's done on the client side.

  • Smash (unregistered)

    TRWTF is definitely the huge number of "in reply to 180051" posts telling that guy how pathetic their security is. I guess most people here are failing their Spot Checks, because this has got to be a troll! Nobody is that stupid ( <10 INT? ) and can still put a couple of words together. Or maybe there's a mbuttive failure of sarcasm detectors everywhere except for a few?

    I almost hope that post was true, cause it granted us some great laughs.

  • Kelli (unregistered)

    How incredibly pathetic. This isn't even "hacking." Hacking would imply that there was something secure there to be bypassed. This is the most amazingly inept piece of coding I've seen in a long time.

    Thanks for the laugh. :)

  • anon (unregistered) in reply to Sys

    man... it does make you wonder though... how people can be so clueless and yet walk, talk and interact like regular people... It makes me wonder if the person actually thinks that their legal threats hold any water... ironically... I bet he got your number from a similar such list... I bet the people within the system get passed around regularly as viable targets... I hope you saved the list... If there is any truth to the list being useless, I'm sure every single person on that list would appreciate being contacted... If the product is legitimate... no problem... If not... well... I guess at the very least they should be informed that their data has been compromised by lax security measures... who knows how many times before you too...

  • (cs) in reply to Grandpa
    Grandpa:
    Hey FSG, I have a question for you:

    Three players enter a room and a red or blue hat is placed on each person's head. The color of each hat is determined by a coin toss, with the outcome of one coin toss having no effect on the others. Each person can see the other players' hats but not his own.

    No communication of any sort is allowed, except for an initial strategy session before the game begins. Once they have had a chance to look at the other hats, the players must simultaneously guess the color of their own hats or pass. The group shares a hypothetical $3 million prize if at least one player guesses correctly and no players guess incorrectly.

    What strategy would you use?

    Is right-clicking your hat allowed?

    /50%!!!1!! //75%

  • Anon (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    What you don't understand is that your business pretty much got on the front page of Digg.com, so you should be happy about all that exposure. Not really slander IMO.

  • littlefire (unregistered)

    So the next level of security will probably be to disable right-click using Javascript so that you can't view page source. Oh wait. Brain explodes Ctrl+U in Firefox isn't a right-click is it? :P

  • Ha (unregistered) in reply to Sys

    Yeah but the site is offline when you click login

    I suppose they should try something besides Javascript lol

  • (cs)

    Here's a bit of gold from the Digg discussion. Let's fire up that eeeeeeeeeeeeeevil hacker tool known as View Source and look at their 404 page - y'know, the generic Apache thing? Well, not quite so generic:

    <!-- - Unfortunately, Microsoft has added a clever new - "feature" to Internet Explorer. If the text of - an error's message is "too small", specifically - less than 512 bytes, Internet Explorer returns - its own error message. You can turn that off, - but it's pretty tricky to find switch called - "smart error messages". That means, of course, - that short error messages are censored by default. - IIS always returns error messages that are long - enough to make Internet Explorer happy. The - workaround is pretty simple: pad the error - message with a big comment like this to push it - over the five hundred and twelve bytes minimum. - Of course, that's exactly what you're reading - right now. -->
  • Better Fu Than U. (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.

    You, my friend, are being foolish. Looking at the page/script source provided to the client side is not hacking. Copying and pasting a URL from said source is not hacking.

    Using a script the way this site is doing is stupidity. If this site is associated with the government then the web designer and web server administrator should be fired because it is evident their knowledge of web sites is poor at best.

    Thank You.

  • Dustin (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    If you cared that much you wouldn't be in business with a site that made their password obvious in js

  • Lisa needs Braces (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Stop with the copypasta, learn php or find a competent coder.

  • Bill Vincent (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Then why did the other "clients" spoken to report "no leads" from your expensive listing? Nice story, but sounds more like a weak scam. And the security isn't "not up to standards", there isn't any security at all! The login and password are right there in the code!

  • Scott (unregistered) in reply to Steve

    Well, they tried to fix it again:

    <script language="javascript">
    <!--//
    /* This Script allows people to enter by using a form that asks for a UserID and Password */
    function pasuser(form) {
      if (form.id.value=="zzzzzz") {
        if (form.pass.value=="fffxxx") {
          location="http://officers.federalsuppliers.com/agents.html"
        } else {
          alert("Invalid Password")
        }
      } else {
        alert("Invalid UserID")
      }
    }
    //-->
    </script>
  • (cs) in reply to emurphy
    emurphy:
    <!-- - Unfortunately, Microsoft has added a clever new - "feature" to Internet Explorer. If the text of (etc.)

    Credit where credit is due: Digg user Logistics1 gets the props for pointing out the 404 bit. And reflex768 also nails TRWTF:

    "FSG Rep: Wait-wait-wait... clients? You called our clients? How did you--"

    Telling. A rep for a good company, which supplies a good service for their clients, smiles when they hear their target customer has spoken to their clients. A scammer is horrified, as this one clearly was.
  • Serious Business Customer Support (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Our standards are quite a bit lighter than any real standards. Your site doesn't follow even the most trivial security recommendations from the National Institute of Standards and Technology (NIST), which ideally any government site (or site hoping to work closely with government agencies) should follow. You may be real (I personally don't care enough to follow up), but if your website is any indication of your professionalism, your actions border on criminal negligence and I seriously doubt anyone in your company is "good" at what they do. You may have four children whom you love (good for you), but you are the sort of stupid that actively makes the world a worse place.

    In closing, I hope you die of cancer.

  • incredulous (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    4 children? Your genes are so great you decided to procreate four times?!?

  • Zaz (unregistered) in reply to Sys

    Can it be considered hacking if the source code is public and viewable in a web browser? Really, come on. This is too funny.

  • Contra (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    In truth, it's only slander to the web admins. Would you invest thousands and give lots of information to a company that runs a website with copy and pasted script?

  • Anon (unregistered) in reply to Sys

    After you enter the login, its a blank page.

  • l33t_haxor (unregistered) in reply to Sys

    here's the new page: http://www.federalsuppliers.com/warning.html

    same username and password, but it goes back to that broken page

  • English Grammar God (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    I used to secure my angelfire website like this in 1999! This is serious business!

    "...you should of protected..." This sort of complete grammatical ignorance make me die a little bit inside.

  • Alex (unregistered) in reply to Sys

    hahaha this is hilarious.

    I didn't realize internet browsers could hack sites so easily! LOL

    Don't even have to phish or anything! Just right click and read!

  • anonymous (unregistered)

    I guess someone never learned how to use an .htaccess file.

  • Jefah (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Are you for real?

    I'm no hacker, but even I know the old "View Source" trick. These people were doing you a favour by informing you just how UTTERLY INSECURE your website was, rather than it being discovered by someone with more sinister intentions.

    What that guy did to get past the password involved about two clicks. A 10 year old could've gotten into that "password protected" section of your site with no real "ZOMG HACKER!" knowledge whatsoever. Time for a security update, me thinks?

  • Herbiestone (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    thank you hackers for trying to destroy federal suppliers guides reputation
    Ah, but if anyone is tarnishing your reputation it's just yourself. Looking at the source of a web page might not be something everyone knows about, but it is pretty common among web designers to look to see how a page is built. It is legit too.

    Sending the valid name and password in clear-text to everyone who visits the page in question is what I call willful neglect. And it doesn't stop there, you also give away the URL you will go to after entering the right name & password. I bet anyone who knows how to use google could find out about that 'hidden' page too.

    So now, instead of shouting "hackers!", you should be glad someone helped you find out about your complete lack of security, and fix it. ASAP!

    "No, now go away or I shall taunt you a second time." If I may quote Monty Python's Holy Grail here...

  • T. (unregistered) in reply to Sys

    Too incompetent to be true. If this is not a bad joke then a bunch of people should get fired immediately there.

    Throwing highly secret login credentials unasked at every person available - naughty boy if you use them, no? Oh, you don't even HAVE to use them, just follow the target link (still off-line) - is this then still hacking the site?

    <bang head to table>
  • Odas kane (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    If your tech depart. wasn't incompetent it would be a problem. I wonder how many other US departments are unsecured and incompetent? "wasn't protected" yep that sums it up. ass.

  • sigh (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    I believe you are a legitimate individual working under a perfectly legitimate organization, and so I am writing this in the hope that you will understand that if you attempt to undertake legal action under the concern of being "slandered", you will fail. Miserably. Look up the word slander, reread this post and realize that. Knowing how expensive lawyers are, I would imagine that that venture would actually waste more resources on NOTHING, rather than salvage the situation. What this individual has done is point out how insecure your system is. Please invest in one that isn't insecure. Your source code is public, and that is the reason why we can see the login details requested. There is no hacking involved. It is clear that the person you hired to do your website took advantage of your naivety and skipped the proper work to create a back-end appropriate for a "SECURE" system. If this individual is still in your company, FIRE HIM. There are many websites on the internet that teach you how to create the most SIMPLE login system that encrypts and decrypts shit. Here is a short overview of what SECURITY on the internet means: http://www.eioba.com/a69760/secure_website_login_programming_with_php_mysql I hope this helps you. Best of luck.

  • monkey (unregistered) in reply to Sys

    Considering they appear to be running a scam, naw.

  • Richard (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    So never mind that the idiot who "secured" the agents page has potentially put the privacy of your clients at risk. "Wasn't protected to your standards"? It wasn't protected to ANY even remotely decent standard! If you want to thank someone for putting the company at risk, "thank" (i.e. "fire") the utter halfwit who "secured" that page, and GENUINELY thank the person who discovered and exposed that little loophole. If it gets fixed, at least something good will have come of it. Hey, if you want ME to fix it, I'll rewrite the whole damn database for the low low price of $65 an hour. And guess what! It'll be secure. Not quote-unquote "secure" wink wink, it'll be ACTUALLY SECURE.

    And seriously..... it doesn't take a hacker to view source on a web page and get the password when the security is THAT bad. Honestly, my mother could have achieved it with minimal guidance.

Leave a comment on “So You Hacked Our Site!?”
