Admin
... yikes
Admin
"It's perfectly safe, because the admin username is not actually 'admin', it's 'krabathor', so we're safe from hackers, they'll never guess that."
Admin
From the contractor's blither:
Yeah, dude, because wget and curl and fetch and "openssl s_client" respect disablement of right-clicks...
Admin
Those all require some skill on part of the user though. Not like clicking tools -> Browser Tools -> Page Source.
Admin
The real WTF is that they didn't uglify the HTML to make it impossible for those pesky, persistent hackers to make sense of the HTML.
Admin
I hope he remembered to put on the login screen "PRESSING CTRL+U IS EXPRESSLY FORBIDDEN AND WILL BE SEVERELY PUNISHED"
Admin
And also, for greater security, “YOUR IP ADDRESS HAS BEEN LOGGED”. No one would dare hack the website when their IP address, which uniquely identifies them no matter when or where they connect from, has been logged.
Admin
Disabling right clicks should be a hard quality fail, anyway. It's an odious, user-inimical practice.
Admin
Yeah, that's how we know so many sites are hacked by a russian hacker called "proxy".
Admin
I know how they could've made it even "better". Imagine using the password in Javascript to make an autocomplete feature: every character you type, it tells you whether it's correct. That way, the user is prevented from entering the wrong password. Best user experience ever!
Admin
Or (for this page) something like view-source:https://thedailywtf.com/articles/comments/authentic-mistakes if you use Edge.
Admin
Or pressing F12...
Admin
You have typed
passw
as your password so far. This password does not match your password; it does, however, match the password for the following accounts: bob91, johnnymnemonic, geoffnotjeff, and steve. Click on the username to log in as that account.
Admin
Nevermind quote characters in the password causing a syntax error...
Admin
Facebook did that to me last month. I logged in as [email protected], it said that's the password for [email protected], and LET ME IN!
Admin
I am both horrified and totally unsurprised by this - despite only having a few years' experience in the industry. It is amazing how many developers are completely clueless about even basic security. (I'm far from expert but still have enough brain cells to have facepalmed when I saw the admin password dumped in the source.) And the mindset which leads them to think "we can make this secure by disabling right click" - presumably because someone told them they could see the password by right click and View Source - is truly horrifying.
Still, at least this was caught in review before making it to production. I dread to think how many similar or nearly-as-bad things are actually out there in production to this day...
Admin
This is a very dumb person who created that WTF, but security was never really on our radar until relatively recently ... not in the courses, not something language guides said much about, and if someone like me was impertinent enough to raise points about security in a design meeting I'd be slapped down as it wasn't my remit.
Even now, plenty of organisations I've been in make no effort to either check whether programmers understand these issues or help them to get better at it, let alone actually review designs from the perspective of security ... the attitude seems to be just STFU and code it, pen-testing will uncover all your screw ups and then one of your co-workers will get to fix them for you. Personally I think that's a plan for failure in all sorts of ways, but they describe it as "best-practice". Take a wild guess on whether the pen-test team actually knew anything approaching what we did about hacking!
Admin
TRWTF is that they forgot to base64-encode the password before sending it to the client. /s
Admin
Everyone knows it's 12345 so we're not revealing any new information
Admin
I worked at a healthcare company where the CTO told me "we trust our employees" and "we pass our audits", yet the production passwords were stored in a notepad file, despite the fact that we supposedly came under HIPAA. Security by stupidity is sadly not unusual at all. The non-WTF part of this story is that the company contracting for the website actually reviewed the source. I also worked for a company that paid $450K for building 3 iOS apps from some consulting company, and never looked at the source even once before paying... until I showed up and felt like I lived in a DailyWTF TV show.
Admin
Of course, even if I can't guess the admin password, I still can view the admin screen -- just go to the console and type showAdminInterface();
So the entire admin interface is downloaded as part of the non-admin-user experience? And I can view it whenever I want? THAT should have been flagged in the audit.
Admin
I...I don't know if I trust front-end code written by a developer who doesn't know that F-12 exists...
Admin
Dammit, now I've got to change the combination on my luggage!
Admin
I have mixed feelings. The typical developer who came up in a more naive era might be forgiven for not recognizing some avenues of abuse and perhaps not coming at their design of anything but the most trusted components from a perspective of "how will someone misuse this", like we do today.
If this was some accidental behavior-based user-enumeration type thing, or something where the HTTP response has some subtle difference between bad username vs bad password etc., that would be "well, you did not think hard about security". Sending the password to the client! That is more "well, you were not thinking". Let's be honest, even without security-specific instruction, techniques (even weak ones like CHAP) have existed for a long, long time; encountering these as a software person should have caused you to think about why they probably exist.
Finally, even with little security-specific know-how, it's impossible not to recognize password checking as a security function. Anyone without rocks in the head should recognize that not revealing the fundamental secret to the client is a pretty basic functional requirement. Trying and getting it wrong because it's beyond your expertise is one thing, but this is more the work of a truly unthinking person.
Admin
Ctrl+U. Ctrl+Shift+I. F12. These are all methods to view source that don't require skill, and that developers will often tell their end-users to do when they're troubleshooting a bug. Page source is not secure, or even obscure.
Admin
Oh, I wasn't intending to justify what this person did; it was in response to Robin's more general observation on security and programmers, who was also "not wrong".
If this guy's response was "well I don't know about security and I never said I did, that's just a place holder in this prototype for someone else to go in and implement it properly ... " it might be forgivable. The right-click comment is just adding three more layers of stupidity on the ignorance. In fact that point alone is just hard to fathom ... once you know the password is coming back to the browser, unencrypted, you have to assume it's knickers down and knees apart. That doesn't even need a coder to work out.
If only he'd thought to store it ROT13 we wouldn't be having this conversation.
Admin
I hadn't even spotted that! But hopefully it's not the case - that would only work if showAdminInterface is in global scope, and it's entirely possible from this code snippet that it's properly hidden inside the local scope of an IIFE or something.
But given the lack of intelligence shown elsewhere in the code and overall story, you're most likely right that it is global.
Admin
F12 here opens yakuake, but Ctrl+U does the job (and, I believe, is more universal).
Admin
The best part, of course, is the "frown face" :( in the wrong password message. So sad!
Admin
Is this really legit? Inline PHP but modern-ish JS? Feels like a made up WTF someone came up with by mixing up their memories from 20 years ago with other things they saw, no?
Admin
Yakuake FTW! Anyway, using Inspect or opening console (CTRL+SHIFT+I) works.
Admin
What's your Developer Tools shortcut?
Admin
"The typical developer who came up in a more naive era might be forgiven for not recognizing some avenues of abuse"
Even in the days of Mosaic and Telnet putting your password in your HTML code would be considered very stupid.
Admin
That was the joke. I was literally saying "Look. You don't even need the basic level of knowing the keyboard shortcut. It's right there in the main menu for you or your average 5 year old hacker to click on."
Admin
The element of surprise! They'll never suspect that we did not change the default admin password!
Admin
This is certainly not "modern JS" or even "modern-ish". Not that it's impossible that it was written recently, but new JS projects don't really tend to use jQuery any more. That, together with the stone-age PHP you've mentioned and the use of a vanilla browser alert for an incorrect password, suggests to me that this is either pretty old or at least written by someone who has just followed ancient tutorials and works for a company that doesn't much care about a decent user experience or development best practices.
Admin
Let's not forget about Ctrl-S
Admin
Since we see the whole ready method content and the ShowAdminInterface is not in there it must be in global scope ;)
Admin
I would say that this would never ever be acceptable even for placeholder.
In that case it would be better to just add a big visible button "ADMIN".
I have been in the programming business for around 25 years, and in the computer business another couple of years, and not even when we built our first webpage with some login functionality in the 90s would this have been anywhere near acceptable.
This is pure and simple stupid ignorance. Yes, I have seen similar examples, but I have never ever seen anyone look at one and consider it OK.
The real problem is that too often the one responsible for ordering the job has no programming expertise at all, and bad consultants use this by setting a very high price and then use the high price as a "proof" of their competence to ward off any arguments: "if I can charge this much I must be good".
Admin
I don't want to belabour the point, particularly as I'm almost certain that you're right about it actually being global - but this doesn't prove that it is. What if the full context was like this (which would be much better design):
(function() {
    function showAdminInterface() {
        // do stuff
    }
    $(document).ready(/* horrific WTF from the article */);
})();
Admin
@trainbrain27: I am shocked! Somebody still uses Yahoo.
Admin
I remember a post about unique password requirement gone bad:
Sorry, you cannot use password "batteryhorsestaple", it is already in use by user "Randall"
Admin
I'm reminded of the first website I professionally maintained. I wasn't a web admin, I'd been hired to do something else. But the something else included 'maintain this server', and one of the things on the server was this website.
The first thing I did when I found out about the website was to open my web browser and enter the URL. It provided a login page. I entered my brand new user account into the login page, entered my password, and got to the website menu.
I noticed that the URL in the browser ended something like
?username=SomeEd&password=Base64String&admin=no
So I clicked logout, then entered the same base URL but ending it something like
?username=usernotfound&password=somerandomlettersandnumbers&admin=yes
I then used my new admin access to make a new account on the server and to change the password on my regular account. I then went and reported it to my boss to get fixing it put somewhere on my priority task list. (It was not the top of the priority list, because at the time, the issue was mitigated by the classic
"the system must be usable to be properly cracked"
strategy; I was only able to get into the website like I was because I did that after hours. During normal business hours, the website took about 6 minutes to authenticate, but it timed out at 5 minutes. But I think it did come in at number two.)