Admin
Hmm...maybe they should make the password "******" to confuse people, or, you know, do some server side validation rather than handing people the password.
Nice find
Admin
dude, seriously....are you retarded about the point being made?
Admin
Do more research before blogging on your lame site. A more polite response would be e-mailing the company and saying "Hey, your login page is insecure by showing the username and password in plaintext on a publicly accessible website" instead of your lame excuse for a blog entry.
Admin
Alex, you made the front page of Reddit, good job. Hopefully, FSG will get their act together and FIRE their web developer and stop whining about "hacking". This is not "hacking", obviously, since the username and password are right there in the source code for everyone to see. Since when is examining a site's source code "hacking"? FSG, just fire your web developer and hire one who knows what the crap they're doing.
Admin
Keep typing it! Maybe it will become true!
Admin
Obvious troll is obvious
Admin
You helped someone make hundreds of thousands of dollars... but can't learn to type?
Admin
Your parenthetical remarks aren't funny at all. If your intention was to let your audience know what you think as opposed to what you say, then now your audience knows how pathetic your sense of humor is.
I'm doing you a favor here. No one else will tell you because they pity you so much. You'll never be Woody Allen and tech advice is miles from Annie Hall.
Admin
... I can't tell if this is real or a joke. Either way it's a funny comment. ^_^
Admin
Ah, yes, of course. Such an e-mail would have been met with ridicule or the like--prompting me to post this "exploit" on this "lame site."
Admin
You don't know what you're talking about. I'm over 30, have a wife and kids, and have earned well over $100k per year since I was in my late 20s. I'm also a regular reader of this site.
Admin
Obvious troll is performing a public service.
Admin
They really should have used hidden fields for the user name and password. /sarcasm
Admin
A key difference here is that Alex experienced this directly. He's not relying on the word of a stranger who could simply be trying to damage a company they don't like. Also, the login simply exposed a directory listing of company information that you could find in the phone book. It's not like exposing the protected pages damages anything.
Admin
The Federal Suppliers Guide?
http://answers.yahoo.com/question/index?qid=20080221122622AAn21Qx
Admin
E-bo-ny and i-ro-ny!
Admin
You provide a professional service, but with kindergarten security. How do you expect to be taken seriously? Way to protect your "clients".
It's sad to see such uninformed, unintelligent people securing information...
Admin
Obvious troll is entertaining.
Admin
Well, you had no security to speak of. Think of it as a security audit for free. Others would charge you hundreds of dollars for such info; however, here it is for free. Whatever the case, I really don't see the point of having to LOGIN to view ADS which people PAY for. Either your government doesn't know of Google or other search methods, or something is smelly in your government. Anyway, if you want some real security, I bet there's a lot of smart people here willing to do it for you for a small fee ;-)
Admin
Wow, you sure gave Mr. Ambiguous Antecedent the old what-for!
Admin
Google also hacked your site:
http://www.google.com/search?q=site:officers.federalsuppliers.com&hl=en
I suggest you bring the full force of your company's legal team, which I assume consists of a man who drinks gasoline and a golden retriever, to bear on this hacking problem.
Admin
... looking at the generated source of a webpage is hardly hacking. Your grandma could do it.
... or anyone else's standards for that matter.
So he sold a toilet seat to the White House?
Admin
The real WTF is that people are responding to that fake CUSTOMER SERVICE posting.
Admin
It's not Brilliant... it's Brillant! See... no "i".
Please, if you are going to use a former WTF, do it correctly!
Admin
I hope you're happy. That toilet seat comment has me looking for a dry office chair.
Admin
It changed again:

```javascript
/* This Script allows people to enter by using a form that asks for a UserID and Password */
function pasuser(form) {
  if (form.id.value == "zzzzzz") {
    if (form.pass.value == "fffxxx") {
      location = "http://officers.federalsuppliers.com/agents.html";
    } else {
      alert("Invalid Password");
    }
  } else {
    alert("Invalid UserID");
  }
}
```
At this rate it will really be hack proof.
Seriously, they're so inept that they can't figure out what the security flaw is? That's a real wtf.
Admin
More importantly, note that the destination URL is also written there. The username and password are completely extraneous.
Admin
In my mind I'm picturing their office, and everyone is wearing the company uniform, a dark suit, covered with large neon question marks.
Admin
shudder
Admin
Dear Sir,
I understand your embarrassment over this issue; however, in this environment flaming (that is what your comment is called) is never a good thing. If you truly want to secure your site, I suggest you hire a website designer who knows that a JavaScript passing the allowable username and password in plain text is not going to cut it.
How this was discovered: if you go to your login page and right-click, choosing show/view source, you will see how this code is easily accessible. This is not a hack; the information is published in a public environment with inadequate security precautions. Therefore, it is not an intentional exploitation or penetration of any properly secured system and not in any way a violation of any laws governing electronic media. Sorry to add insult to injury.
Respectfully submitted.
Admin
I don't understand the purpose of this company. If the customers are submitting information in hopes of sales, you'd think the contact information would be public, and publicized as much as possible. It can't be for want of privacy, because their leads are coming from an already-public list of government contractors. And if it were a scam, why would they bother changing the password after it was discovered? Why bother building a site with the contact information at all?
I can't help feeling a tiny bit sorry for them, since their web development platform apparently consists of Microsoft Word, an FTP program, and a cheap web host.
A note to any employee who is still reading this thread: if you haven't figured it out by now, you are sending the password (and the address of the "secured" page) in the text of your login web page. This does not secure your web page. There are many ways to actually secure a web page, and none of them involve sending the password to the user. Changing the password will not help, because you will then be sending the new password to the user. The other posts are advising you to get a professional to fix your site, but it's likely that even the kids in your local community college's web development course could come up with a more secure solution than what you've currently got.
Admin
What's the wtf comment record? We gotta be getting close.
Admin
It's not that the password and the destination URL are "available on view source".
It's that they're SENT BY THE WEBSERVER TO THE CLIENT. In plain text! In response to the initial HTTP request to the site!
It's not only "not secure" and it's not "available to 5-year-old hackers". It's sent directly to every single reader, immediately on connection!
I think all the analogies so far are inaccurate. I say that this is the equivalent of claiming "hacking" because you went to goatse.cx and it sent you a picture of the inside of a man's rectum.
Admin
Nah, I can type, I just can't spell. Besides, I don't claim to have the big bucks job.
Admin
I don't know if FSG CUSTOMER SUPPORT up there is a joke or for real but putting your business in a catalog isn't going to get you government contracts. The best investment a small business can make is in a lobbyist. A good lobbyist can get your stuff sold when it's neither needed nor wanted.
Admin
Hmmm... Has anybody submitted this WTF to slashdot yet?
Admin
I had no idea right-clicking is "hacking". I am in so much trouble! Yikes.
Admin
AAAAAH! YOU HACKED MY EYES!
Admin
No, a sign that says "This door is locked, you need a key to get in", on a door that has a dummy keyhole but no actual lock.
Admin
If you are for real, then you really don't get it, do you? No hacking is going on. This is the equivalent of a set of keys with the person's home address attached on the keychain. This is the same as leaving your wallet with your bank card and a note that has your PIN at a restaurant.
In fact, it's even worse, because by stating that this website is "secure" and then blatantly putting the password (!) where it is publicly viewable, the site is operating under false pretenses about their own practices.
Be thankful that someone with a backbone and a sense of morality has pointed this out while the problem can be fixed.
Admin
HAHAHAHAHAHAHAHAHAHAHAHA...
nice trolling.
Admin
Ummm yeah, your javascript is being sent to every user that visits your site. All you have to do to get the username and password is view the source of the webpage and boom, you got the info to login. It doesn't take a hacker to do that just someone who knows how to use their web browser. Honestly why would you put the username and password in javascript like that?
Admin
Congratulations! You've just discovered 'teh Internet'. Now take your hands off the keyboard and back away very slowly.
:D
Admin
I hope their reply is fake.
"sorry our site wasn't protected to your standards" My 6-year-old could get past that login. It required no hacking, just looking at the HTML of the page.
"Blah wife, blah children, blah long time employee, blah, tons of clients" Even if this isn't a load of bull, it's completely beside the point.
"its rude, your comments are not truthful we are not a scam" How about the references he called? They were all being untruthful?
Anyway, just because what you do isn't illegal doesn't mean it's not a scam.
Admin
There is no way this person has a wife AND has had sex 4 different times.
Admin
Oh Oh, they're really on top of this now!
```html
<script language="javascript">
<!--//
/* This Script allows people to enter by using a form that asks for a UserID and Password */
function pasuser(form) {
  if (form.id.value == "zzzzzz") {
    if (form.pass.value == "fffxxx") {
      location = "http://officers.federalsuppliers.com/agents.html";
    } else {
      alert("Invalid Password");
    }
  } else {
    alert("Invalid UserID");
  }
}
//-->
</script>
```
Admin
It isn't hacking if the password is written down in plain sight. You need better code.