• my name is missing (unregistered)

    If you use cut rate encryption, you get cut.

  • Tim (unregistered)

    For sure, storing plain-text passwords in the DB is a WTF but for hackers to get into the site there must have been a bigger WTF somewhere like an SQL injection vuln, database backups being stored where they could be accessed etc. etc.

  • van Dartel (unregistered)

    After dutifully having read the context set up (300+ words) I realized I had measurably aged in the meantime.

    Then finally the punch line "sha(x) = sha(y)" arrived. I laughed and felt young again.

    That was short-lived since I next read some seemingly irrelevant continuation of the context: the consultant declined (I imagine because of unavailability, since other possible reasons such as incompetence or unwillingness to fix 20% of the problems for an 80% gain at 5% effort under - assumed - normal payment seem unlikely).

  • Me (unregistered) in reply to Tim

    There's an SQL injection in the posted snippet.

  • van Dartel (unregistered) in reply to Tim

    One example: $_REQUEST[...] is injected into the SQL-query. Also (but perhaps I'm too naïve): nobody can submit code like that unless they are targeting to supplement their payment (after the programming preparations are done).

  • Robin (unregistered)

    Ha, the SQL injection vulnerability was so obvious that I assumed it was the reason for posting this, and totally missed that they were storing plaintext passwords in the DB. Obviously either on their own are massive security WTFs, but combined 🤪

  • Robin (unregistered)

    In fact, further study (noticing that the same daft comparison of hashes is done on the usernames too) reveals that these guys totally have no clue what hashing is even for. Misunderstood cargo cult programming at its best (and with serious consequences).

  • Tim (unregistered) in reply to Me

    D'oh! - I didn't spot they were taking the values straight out of the $_REQUEST object.

    Obviously there's a chance they might have validated it first using some code not included here, but given the way they're using SHA1 (which BTW is now considered broken anyway) it seems unlikely they have any concept of security.

  • Hans (unregistered)

    To paraphrase Douglas Adams: "SHA1" and "Top-grade encryption" fit only in the same sentence if it is along the lines of "top-grade encryption, unlike SHA1, ..."

  • Stephen (unregistered)

    And don't forget the excellent performance of performing a SHA1 on 2 columns of every single row of a database. With the mention that they couldn't match the orders with the customer, it could be that they have a double sha1 issue.

  • 🤷 (unregistered)

    If only they had used something like "password = SHA1('"$_REQUEST['password']"')". It would still have left the vulnerability against SQL injections, but at the very least I would've felt they somewhat understood what they were doing. You know, like it might be salvageable. If they were on the Titanic, it might still have sunk, but they'd know what went wrong. Now? Now they built another ship and crashed it into the same iceberg and they would still deny the ship was sinking, even if it was 10,000 feet below sea level.

    Paul should've said: "Sure, I can help you..." while upping his salary to 7 figures. Him not doing this is of course TheRealWTF.
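The two problems the thread keeps circling (request values pasted into the query, and SHA1 applied to both sides of a comparison against a plaintext column) side by side with a fixed version, as an added example in Python that is not the article's code or the thread's. sqlite3 stands in for the site's database; since SQLite has no built-in SHA1() function (MySQL does), one is registered so the original query shape can run unchanged. The table name, the two sample accounts and the request dictionaries are constructed for the example; the PBKDF2 work factor is an assumption, not something the article states.

```python
"""Added example: the "SHA1(col) = SHA1('<request value>')" login the thread
describes, and a parameterised lookup with a salted, iterated hash verified in
the application. Table, users and requests are constructed for the example."""
import hashlib
import hmac
import os
import sqlite3


def _sha1_hex(value):
    # Registered as the SQL function SHA1() because SQLite lacks one.
    return hashlib.sha1(str(value).encode()).hexdigest()


def _new_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("SHA1", 1, _sha1_hex)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, password TEXT)")
    return conn


# --- the pattern the comments are laughing at --------------------------------

def make_vulnerable_db():
    """Plaintext passwords in the table (constructed sample accounts)."""
    conn = _new_db()
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "correct horse")])
    return conn


def login_vulnerable(conn, request):
    """Request fields go straight into the SQL text.  Hashing both sides adds
    nothing (SHA1(x) = SHA1(y) exactly when x = y, short of a collision), the
    database must hash two columns of every row because no index applies, and
    the quote in the username ends the string literal early."""
    sql = ("SELECT username FROM users WHERE SHA1(username) = SHA1('%s') "
           "AND SHA1(password) = SHA1('%s')"
           % (request["username"], request["password"]))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# --- what the lookup should look like ----------------------------------------

def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; iteration count is an assumed work factor."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time compare so the mismatch position is not measurable.
    return hmac.compare_digest(digest.hex(), digest_hex)


# Verified against when the username does not exist, so a lookup for an
# unknown user costs the same time as one for a real user.
_DUMMY_HASH = hash_password("not-a-real-password")


def make_hardened_db():
    conn = _new_db()
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [(u, hash_password(p))
                      for u, p in (("alice", "hunter2"), ("bob", "correct horse"))])
    return conn


def login_hardened(conn, request):
    """Parameterised lookup by username only (the UNIQUE index serves it);
    the candidate password is hashed once, in the application, and compared
    against the stored salted hash for that single row."""
    row = conn.execute("SELECT username, password FROM users WHERE username = ?",
                       (request["username"],)).fetchone()
    stored = row[1] if row else _DUMMY_HASH
    ok = verify_password(request["password"], stored)
    return row[0] if (row and ok) else None


if __name__ == "__main__":
    attack = {"username": "x') OR 1=1 --", "password": "anything"}
    print("vulnerable:", login_vulnerable(make_vulnerable_db(), attack))
    print("hardened:  ", login_hardened(make_hardened_db(), attack))
```

The injected username closes the SHA1('...') literal, appends OR 1=1 and comments out the password clause, so the vulnerable query logs the attacker in as the first row; the same request is just a username that does not exist in the hardened version. Moving the hash into the application also fixes Stephen's point: the database compares one indexed column instead of hashing every row twice.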

  • rosuav (unregistered) in reply to 🤷

    If these people had been in charge of the Titanic project, the ship would have sailed carefully under the bow of HMAS Melbourne instead of finding an iceberg.

  • (nodebb) in reply to 🤷

    I have done the moderately paid consultant thing before. Sometimes it is just not worth it to inherit a mess this bad and try to clean it up. Who knows how many subtle bugs there are still going to be in the code after you fix the obvious mistakes (read: low-hanging fruit). The company probably wants a fixed-price contract to fix this mess, but that is practically impossible in this kind of situation. "Well, I estimate it will take about 4 months to fix this code-base, but I won't know until I really get into it. It could very well take longer, much longer. Based on the quality of what I have seen, this code probably has lots of small mistakes that will only show themselves once the big stuff has been fixed. Are you sure you don't want me to start from scratch? I would even be able to give you a warranty for my work that way."

  • Dave (unregistered)

    To misquote the old Monty Python sketch, "This is not a codebase for fixing. This is a codebase for laying down and avoiding."

    If you take on the job of fixing something as bad as this will turn out to be, you will never get the stench of bad code out of your sinuses. It will seep into your very blood, and people will cross the street to avoid having to walk near you.

    Being well-paid is not going to be sufficient compensation.

  • 🤷 (unregistered) in reply to rosuav

    I believe they still would've hit an iceberg, while being on a safari in the middle of the desert.

  • Simon (unregistered) in reply to 🤷

    Sunk cost fallacy. Sink enough of them, and you'll be able to walk across the Atlantic.

  • Erwin (unregistered)

    The leak would have been avoided if Bobby Tables had made an account on the web site earlier that day.

  • WTFGuy (unregistered) in reply to Nutster

    @Nutster: Yeah: BTDTGtTShirt.

    You just know that management budgeted $X for the project, paid the offshore folks about $1.5X total through add-ons and scope error "discoveries" before losing patience, and now want it finished (not fixed) for about $0.1X tops, since it's already so close to done. While what is needed is the full $20.0X that our hero asked for to build it from scratch. That 200:1 hope/reality mismatch is not gonna get bridged.

    Oh yeah, and they want the 1.5 years back too. So in addition to fixing the code, build a time machine.

    It's always amazed me how readily the BizIdjits who know they totally lie to their customers believe the other BizIdjits who're totally lying to them. After 18 months of broken promises and rampant evidence of clueless buffoonery, the customer manager totally believes the vendor's salescritter's claim that it's 99% done and works 99% perfectly. Of course they do; how could it be otherwise? :smack:

  • MiserableOldGit (unregistered)

    I suspect they were asking him to do a fix and finish job. I've been given more of those than I care to count. If I am in a position to choose, I do what the MPC did, as the work to fix such bugged-up, ill-conceived crud invariably exceeds the initial project effort, and often exceeds dumping the thing and doing it properly from scratch.

    Even if you can get it working (and plug the worst of the security holes) it's still going to be a pig, just a washed pig with lipstick on.

Leave a comment on “Classic WTF: Top-grade, SHA1 Encryption”
