Admin
Yes - because hacking involves hitting CTRL+U on my keyboard in Firefox and reading.
All code that's written for a particular website can be viewed at any time - it's called "view page source". It's been around for a while; not sure if you've heard of a web browser called Mosaic, but it was there too.
This kind of website design would get any legitimate company sued.
So instead of taking a page out of an HTML for Dummies guide from 10 years ago - ramp your site up with the proper security. Until then, you have to be smart enough to realize you weren't "hacked" but were dumb enough to print your login and password to your site right in the source code.
Good luck in trying to "contact the authorities" seeing as no crime was committed, other than you attempting to squeeze a couple of brain cells into that hi-tech site of yours.
BTW - here's some acronyms to toss at ya - SSL, SQL. Learn it.
Admin
You're a scammer, and you were caught -- deal with it.
Admin
You realize that this is by no means hacking; viewing an HTML page's source is by all means legal. If you have the resources to pursue people for using information in clear view of the public, then you certainly have the resources to make a working website.
Admin
I know, they need to put some non-alphanumeric characters in the pass.value string, that will foil those feisty hackers!
Admin
Perhaps you should go back to school to learn basic punctuation, grammar, and communication techniques.
Admin
Own fault, this is so lax on security. It's like locking your house and hanging the key on the front door, and then claiming someone "broke" into your house.
More like hiding a key in a green plastic rock on the porch and then when someone uses it, you change the lock and put the new key back in the rock.
Admin
Man, how stupid can they be?...
Admin
No, it is like when you have the correct code entered on a keypad a robotic hand turns the key that is already in the lock, when you can just turn the key yourself.
Admin
Nuh uh... now it says:
if (form.id.value=="zzzzzz") { if (form.pass.value=="fffxxx") {
location="http://officers.federalsuppliers.com/agents.html"
} }
and http://officers.federalsuppliers.com/agents.html is now a 404
Admin
Since it's 404'ing, does anyone have a cache one level down from the agents page? Like a direct link to a particular state?
Admin
Re: Hacked?
I don't file for breaking and entering if I leave my front door open.
Admin
Wow, not just the president is dumb scum, but now I see probably most of the US government is dumb scum. And it is threatening you when you uncover its felony!
Admin
You can't just go directly to agents.html?
Admin
Funny how they aren't even a member of their local Chamber of Commerce.
http://www.palmharborcc.org/
Admin
Dude, don't you get it? The user name and password are in plain text! And the secure site isn't secure! AND the link to the secure site is also in the source code of the page! Oh, and here's his DNS information. Oh, and they changed it to 'warning.html.' And in case you missed it, the comments in the 404 page are a hoot too! And that's not to mention the 6 pages of posting the exact same code snippet because it "changed."
You raise a good question though. The defense of "anyone can do it" couldn't possibly justify it. I don't know whose grandmothers regularly look at source code or not, but mine sure as hell doesn't. I could probably teach her an SQL injection with more ease than Javascript though. My guess is that we can call this hacking with a strong sense of, "you should have known better." If I leave my car out on the street unlocked and with the keys in it, I'd still call it theft if someone drove it away.
Admin
I'd bet you'd file for theft if someone took something, though.
Edit: Point being that even though nothing is stolen here, there still is something inherently wrong with being there. As other people have said, just forgetting a login box and having a "don't follow this link unless we told you to" message is very akin to my parents telling me to stay out of their room. There was nothing ever stopping me from going, but actually doing it violated that bit of trust.
Admin
@FSG CS: Good riddance you scumbags. Die in a fire.
Admin
Your web developer should be fired. This is the absolute, most basic, most incompetent error a web developer could make.
It's generally accepted that hacking involves a bit of skill, and maybe some effort. Anyone that knows how to view the source of a web page will be able to see the login and password for this. I can teach my grandma to view source in two minutes.
Pass this along to your IT (information technology) guys:
http://httpd.apache.org/docs/1.3/howto/htaccess.html
May get them thinking. If they knew what they were doing this is a 10 minute fix. And if you're not using apache, there is something comparable that you can use for your web server.
The fact that this is a real business that makes real money makes this issue even worse.
Admin
Well, this is apparently what you get when you inadvertently hit the Top Ten in digg or reddit or www.adhd.org -- a stream of repetitive crud.
Is there some way to hack digg/reddit/slash-my-wrists to downgrade the popularity of the site or article? It's worth looking into.
As an alternative, how about insisting on any commentator after the first two hundred or so actually registering. Most of these numb-nuts won't bother to jump through that hoop. Those that do might actually contribute something worthwhile in future.
Admin
You're new here aren't...oh, wait, I thought I was on /.
Admin
Thanks for NOT anonymizing this one. People this stupid deserve to get ridiculed and "hacked".
Admin
hehe.
Admin
I sent them an email about that. I don't think they will fix it any time soon, though.
Admin
No one should tell them. Scammers. They deserve it, and worse. IMHO.
Admin
Don't try to see malevolence in what can be more easily explained by incompetence and ignorance...
Admin
This script is great; the messages are informative, kindly indicating which of the password or UserID is invalid, but it could be further improved:
Admin
how retarded. gov't trolls.
Admin
For being so proud of your company and what it does, you sure have some suck ass grammar and punctuation... ;-)
Admin
I think they got it.... They secured it with a 404 Not Found :)
Admin
Boo hoo. I'm sure your clients are even less happy at your lack of securing their information.
Admin
You are just as ignorant and uninformed as the government agencies that buy your represented services. By the way, your definition of security has no standard. Just as in art, sloppiness is not an art.
freak
Admin
That is so pathetic. Wow.
Admin
Ha ha ha, see how far that goes. You're an idiot, and the standards aren't that "high". Learn capitalization also...
Admin
I checked up on the company at this site: http://sunbiz.org/scripts/cordet.exe?action=DETFIL&inq_doc_number=P96000095495&inq_came_from=NAMFWD&cor_web_names_seq_number=0000&names_name_ind=N&names_cor_number=&names_name_seq=&names_name_ind=&names_comp_name=FEDERALSUPPLIERS&names_filing_type=
Sunbiz.org is the Florida Dept. of State Division of Corporations.
As you can see the company is inactive, and the directors and the registered agent all resigned. In other words, it's a bogus company.
Admin
Actually... My browser doesn't automatically download what's under the welcome mat. My browser does automatically download the source code of the pages I'm visiting.
It would be morally wrong for me to check people's mats; it's not wrong for me to read what people feed my browser. If it contains a URL, of course I have the right to test it (it's more or less the same thing as a link).
Besides... If the content has been published by the site owner under their own public name, and no username/password is required to access it, it's legal to visit it - at least in Sweden (http://www.wired.com/politics/law/news/2002/10/56079).
But.... REALITY CHECK... Is this for real? Or is this entire post an early April Fools' joke???
Admin
I'm laughing so hard my eyes are tearing up. This is crazy. Good job matey. Haven't had so much fun online in a while now.
Now there is a chance that this response is real in which case I should really be crying because there is no way people are that stupid. No way!
Admin
That's probably the wrong question. What's "hacking" is just a question of opinions. But look at what's happened instead:
In this case, no protection was circumvented, the information was public (it was in your browser, it was on google, etc etc). Hence no security exploitation of any kind was involved, no defenses were circumvented. So this is fairly easy - as no security exploit was used, and no protected data was accessed, no one except the web designers can be at fault if any perceived security was compromised.
Let's say someone sent XSS with a theft payload to an administrator, or used a directory traversal exploit against the server, or fooled someone into sending you the information believing you were someone you are not... then some sort of exploit and security bypass would have been used.
So don't bother discussing if it is hacking or not. Discuss if security exploitation was used to access the data. And since it was not, well... it's just a bit of creative websurfing.
I'm very happy Swedish court has made it clear that creative web surfing is legal. If it was not, then anyone could arbitrarily be considered a criminal, and the boundaries would be completely impossible to be certain of.
The moral of it:
Admin
I don't know which is the bigger WTF... the actual story, which although humourous is merely a "n00b" (and very common) scripting mistake, or the hundreds of pretentious self-righteous tech "geniuses" spouting the same old tired gibberish ad infinitum. I'm actually embarrassed to be a part of it.
Fortunately though, the vast majority of the digg et al trolls will disappear soon enough and things round here can get back to normal.
Admin
http://officers.federalsuppliers.com/agents.html You didn't even have to put in a pass or user.. The link to the agents portion of the website is right in the super awesome javascript pass authentication ssl sign in block of code.
Admin
When you publish a username and password to a site on the site itself, and post it in a public place -- not only is it not protected, but you are actually inviting access to it.
Placing a password in page source is like leaving the house and putting up a big sign on the street that says "Neighbors only, please come in.", and taping your front door key to the back of the sign.
I would recommend enabling basic authentication on your web server software's configuration, and storing your password in a private configuration file.
This way you don't have to publish access information along with the site itself, and it shouldn't require any programming or site design changes.
Admin
Hilarious that the password includes a number ("xxx2008"), a technique to make brute-force attacks harder. And meaningless if the attacker can read the source. They could've just done as my boss does, and use the company's initials as both password and username.
Admin
The Federal Suppliers Guide deserves to go out of business. It really does not matter how many clients they've helped, if their system is insecure they will be hacked, and, if they're using anything other than cold hard cash to collect fees, their clients will not be able to protect themselves from crippling fraud.
I realize that the page only gave access to a limited amount of data, but any sort of failure to secure information makes me doubt your internal systems as well.
FYI, you can report them to the authorities, but, honestly what they did wasn't hacking - you left a web page completely insecure and available on the web and there is no law against opening the source of a web page. Any tech-savvy judge would both A. toss the case and B. make you pay lawyers fees.
Admin
Even a few lines of PHP could achieve a lot more security than that!
Admin
It's not working anymore... I tried the password.
Admin
For the love of god, Alex, is it possible to disable replies to 180051?
WTF Readers, we got the hint now. What you want to say has probably been said in the other 500 replies.
Admin
Awww, boo hoo! Business directory scams have been around forever.
Admin
Okay, folks. We have a naming contest now. Up are:
and and Get while the getting's good! We may have a new legend on our hands!
Admin
Sweet fucking God, mod this man up! The unwashed hordes of unregistered parrots have arguably turned themselves into a brand new WTF on this point.