• (nodebb)

    ... yikes

  • Prime Mover (unregistered)

    "It's perfectly safe, because the admin username is not actually 'admin', it's 'krabathor', so we're safe from hackers, they'll never guess that."

  • (nodebb)

    From the contractor's blither:

    it's perfectly safe, because we disabled right clicks, so no one can view source.

    Yeah, dude, because wget and curl and fetch and "openssl s_client" respect disablement of right-clicks...

  • 516052 (unregistered) in reply to Steve_The_Cynic

    Those all require some skill on part of the user though. Not like clicking tools -> Browser Tools -> Page Source.

  • Wharrgarbl (unregistered)

    The real WTF is that they didn't uglify the HTML to make it impossible for those pesky, persistent hackers to make sense of the HTML.

  • MiserableOldGit (unregistered)

    I hope he remembered to put on the login screen "PRESSING CTRL+U IS EXPRESSLY FORBIDDEN AND WILL BE SEVERELY PUNISHED"

  • eth0 (unregistered) in reply to MiserableOldGit

    And also, for greater security, “YOUR IP ADDRESS HAS BEEN LOGGED”. No one would dare hack the website when their IP address, which uniquely identifies them no matter when or where they connect from, has been logged.

  • RLB (unregistered)

    Disabling right clicks should be a hard quality fail, anyway. It's an odious, user-inimical practice.

  • Anon (unregistered) in reply to eth0

    Yeah, that's how we know so many sites are hacked by a russian hacker called "proxy".

  • (nodebb)

    I know how they could've made it even "better". Imagine using the password in Javascript to make an autocomplete feature: every character you type, it tells you whether it's correct. That way, the user is prevented from entering the wrong password. Best user experience ever!

  • (nodebb) in reply to MiserableOldGit

    Or (for this page) something like view-source:https://thedailywtf.com/articles/comments/authentic-mistakes if you use Edge.

  • Ondřej Vágner (google) in reply to 516052

    Or pressing F12...

  • Ondřej Vágner (google) in reply to Mr. TA

    You have typed passw as your password so far. This password does not match your password; it does, however, match the password for the following accounts: bob91, johnnymnemonic, geoffnotjeff, and steve. Click on the username to log in as that account.

  • Peter (unregistered)

    Nevermind quote characters in the password causing a syntax error...

  • trainbrain27 (unregistered) in reply to Ondřej Vágner

    Facebook did that to me last month. I logged in as [email protected], it said that's the password for [email protected], and LET ME IN!

  • Robin (unregistered)

    I am both horrified and totally unsurprised by this - despite only having a few years' experience in the industry. It is amazing how many developers are completely clueless about even basic security. (I'm far from expert but still have enough brain cells to have facepalmed when I saw the admin password dumped in the source.) And the mindset which leads them to think "we can make this secure by disabling right click" - presumably because someone told them they could see the password by right click and View Source - is truly horrifying.

    Still, at least this was caught in review before making it to production. I dread to think how many similar or nearly-as-bad things are actually out there in production to this day...

  • MiserableOldGit (unregistered) in reply to Robin

    This is a very dumb person who created that WTF, but security was never really on our radar until relatively recently ... not in the courses, not something language guides said much about, and if someone like me was impertinent enough to raise points about security in a design meeting I'd be slapped down as it wasn't my remit.

    Even now, plenty of organisations I've been in make no effort to either check whether programmers understand these issues or help them to get better at it, let alone actually review designs from the perspective of security ... the attitude seems to be just STFU and code it, pen-testing will uncover all your screw ups and then one of your co-workers will get to fix them for you. Personally I think that's a plan for failure in all sorts of ways, but they describe it as "best-practice". Take a wild guess on whether the pen-test team actually knew anything approaching what we did about hacking!

  • Anonymous') OR 1=1; DROP TABLE wtf; -- (unregistered)

    TRWTF is that they forgot to base64-encode the password before sending it to the client. /s

  • Edd (unregistered)

    Everyone knows it's 12345 so we're not revealing any new information

  • my name is missing (unregistered)

    I worked at a healthcare company where the CTO told me "we trust our employees" and "we pass our audits" yet the production passwords were stored in a notepad file, despite we supposedly came under HIPAA. Security by stupidity is sadly not unusual at all. The non-WTF part of this story is that the company contracting for the website actual reviewed the source. I also worked for a company that paid $450K for building 3 iOS apps from some consulting company, and never looked at the source even once before paying... until I showed up and felt like I lived in a DailyWTF TV show.

  • DrPepper (unregistered)

    Of course, even if I can't guess the admin password, I still can view the admin screen -- just go to the console and type showAdminInterface();

    So the entire admin interface is downloaded as part of the non-admin-user experience? And I can view it whenever I want? THAT should have been flagged in the audit.

  • Anon (unregistered)

    I...I don't know if I trust front-end code written by a developer who doesn't know that F-12 exists...

  • Naomi (unregistered) in reply to Edd

    Dammit, now I've got to change the combination on my luggage!

  • Hal (unregistered) in reply to MiserableOldGit

    I have mixed feelings. The typical developer who came up in a more naive era might be forgiven for not recognizing some avenues of abuse and perhaps not coming out their design of anything but the most trusted components from a perspective of how will someone misuse this like we do today.

    If this was some accidental behavior based user-enumeration type thing, or something where the http response has some subtle difference between bad username vs bad password etc that would be well you did not think hard about security. Sending the password to the client! That is more - well you were not thinking. Lets be honest even without security specific instruction techniques even weak ones like CHAP have existed for a long long time, encountering these as a software person should have caused you think about 'why' they probably exist.

    Finally even with little security specific know how, its impossible not recognize password checking a security function. Anyone without rocks in the head should recognize not revealing the fundamental secret to the client is a pretty basic functional requirement. Trying and getting it wrong because its beyond your expertise is one thing, but this more the work of truly unthinking person.

  • (nodebb) in reply to 516052

    Ctrl+U. Ctrl+Shift+I. F12. These are all methods to view source that don't require skill, and that developers will often tell their end-users to do when they're troubleshooting a bug. Page source is not secure, or even obscure.

  • MiserableOldGit (unregistered) in reply to Hal

    Oh I wasn't intending to justify what this person did, it was in response Robin's more general observation on security and programmers, he was also "not wrong".

    If this guy's response was "well I don't know about security and I never said I did, that's just a place holder in this prototype for someone else to go in and implement it properly ... " it might be forgivable. The right-click comment is just adding three more layers of stupidity on the ignorance. In fact that point alone is just hard to fathom ... once you know the password is coming back to the browser, unencrypted, you have to assume it's knickers down and knees apart. That doesn't even need a coder to work out.

    If only he'd thought to store it ROT13 we wouldn't be having this conversation.

  • Robin (unregistered) in reply to DrPepper

    I hadn't even spotted that! But hopefully it's not the case - that would only work if showAdminInterface is in global scope, and it's entirely possible from this code snippet that it's properly hidden inside the local scope of an IIFE or something.

    But given the lack of intelligence shown elsewhere in the code and overall story, you're most likely right that it is global.

  • richarson (unregistered) in reply to Ondřej Vágner

    F12 here opens yakuake, but Ctrl+U does the job (and, I believe, is more universal).

  • (nodebb)

    The best part, of course, is the "frown face" :( in the wrong password message. So sad!

  • JustSomeone (unregistered)

    Is this really legit? Inline PHP but modern-ish JS? Feels like a made up WTF someone came up with by mixing up their memories from 20 years ago with other things they saw, no?

  • dusoft (unregistered) in reply to richarson

    Yakuake FTW! Anyway, using Inspect or opening console (CTRL+SHIFT+I) works.

  • (nodebb) in reply to richarson

    What's your Developer Tools shortcut?

  • doconnor (unregistered) in reply to Hal

    "The typical developer who came up in a more naive era might be forgiven for not recognizing some avenues of abuse"

    Even in the days of Mosaic and Telnet putting your password in your HTML code would be considered very stupid.

  • 516052 (unregistered) in reply to konnichimade

    That was the joke. I was literally saying "Look. You don't even need the basic level of knowing the keyboard shortcut. It's right there in the main menu for you or your average 5 year old hacker to click on."

  • Erwin (unregistered)

    The element of surprise! They'll never suspect that we did not change the default admin password!

  • Robin (unregistered) in reply to JustSomeone

    This is certainly not "modern JS" or even "modern-ish". Not that it's impossible that it was written recently, but new JS projects don't really tend to use jQuery any more. That, together with the stone-age PHP you've mentioned and the use of a vanilla browser alert for an incorrect password, suggests to me that this is either pretty old or at least written my someone who has just followed ancient tutorials and works for a company that doesn't much care about a decent user experience or development best practices.

  • (nodebb)

    Lets not forget about ctrl-s

  • David Mårtensson (unregistered) in reply to Robin

    Since we see the whole ready method content and the ShowAdminInterface is not in there it must be in global scope ;)

  • David Mårtensson (unregistered) in reply to MiserableOldGit

    I would say that this would never ever be acceptable even for placeholder.

    In that case it would be better to just add a big visible button "ADMIN".

    I have been in the programming business for around 25 years and in the computer business another couple of years and not even when we build our first webpage with some login functionality in the 90s, this would have been anywhere near acceptable.

    This is pure and simple stupid ignorance, yes I have seen similar examples, but I have never ever seen anyone looking at one and consider it OK.

    The real problem is that to often the one responsible for ordering the job has no programming expertise at all and bad consultants use this by setting a very high price and then use the high price as a "proof" of their competence to ward of any arguments "if I can charge this much I must be good".

  • Robin (unregistered) in reply to David Mårtensson

    I don't want to belabour the point, particularly as I'm almost certain that you're right about it actually being global - but this doesn't prove that it is. What if the full context was like this (which would be much better design):

    (function() { function showAdminInterface() { // do stuff }

    $(document).ready(/* horrific WTF from the article */) ; })();

  • markm (unregistered)

    @trainbrain27: I am shocked! Somebody still uses Yahoo.

  • Blag (unregistered) in reply to Ondřej Vágner

    I remember a post about unique password requirement gone bad:

    Sorry, you cannot use password "batteryhorsestaple", it is already in use by user "Randall"

  • Some Ed (unregistered)

    I'm reminded of the first website I professionally maintained. I wasn't a web admin, I'd been hired to do something else. But the something else included 'maintain this server', and one of the things on the server was this website.

    The first thing I did when I found out about the website was to open my web browser and enter the URL. It provided a login page. I entered my brand new user account into the login page, entered my password, and got to the website menu.

    I noticed that the URL in the browser ended something like ?username=SomeEd&password=Base64String&admin=no.

    So I clicked logout, then entered the same base URL but ending it something like ?username=usernotfound&password=somerandomlettersandnumbers&admin=yes. I then used my new admin access to make a new account on the server and to change the password on my regular account. I then went and reported it to my boss to get fixing it put somewhere on my priority task list.

    (It was not the top of the priority list, because at the time, the issue was mitigated by the classic the system must be usable to be properly cracked strategy; I was only able to get into the website like I was because I did that after hours. During normal business hours, the website took about 6 minutes to authenticate, but it timed out at 5 minutes. But I think it did come in at number two.)

Leave a comment on “Authentic Mistakes”

Log In or post as a guest

Replying to comment #:

« Return to Article