
September 26, 2006

Wow

That is helpful!


Comments

this flaw was found through normal usage of your website

Yeah, of course. It's normal in using a website to have to alter the ID number in the URL manually. This is pretty funny, but it might backfire.

Posted by: Sanpete | Sep 26, 2006 12:05:45 PM

That counts as normal usage to a lot of people with minimal web skills. I don't know how many times it's happened, for example, that images on a server that weren't explicitly linked to were found by changing the URL of a displayed image from "image1.jpg" to "image2.jpg". Changing ID values in the URL is just one step further than this, and it should not be that trivially easy to see records that should be kept secure.

Posted by: Mary | Sep 26, 2006 12:09:21 PM

That is basic information security 101. Simply hoping people don't tinker with URLs is a big no-no. You have to protect data from people who are not authorized to see it!!!! Come on!!!

They probably outsourced the development to a foreign country to save money. And then fired the QA people. And then wanted to launch it a month early. Yeah. Good one.

Posted by: Andrew | Sep 26, 2006 12:37:40 PM
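The flaw Mary and Andrew are describing is a record lookup that trusts whatever ID the visitor types into the URL. The following is an added example, not code from this page or from either party's site, that puts that lookup beside one which resolves the requester from their session and checks ownership before returning anything. The RECORDS and SESSIONS tables, the session tokens and the DENIED_LOG are constructed for the example.

```python
# Added example, not code from the page or any commenter: the record lookup
# the thread describes (an ID taken straight from the URL) next to one that
# checks who is asking. RECORDS and SESSIONS are constructed sample data.

RECORDS = {
    101: {"owner": "alice", "name": "Alice Example", "card_last4": "1234"},
    102: {"owner": "bob", "name": "Bob Example", "card_last4": "9876"},
    103: {"owner": "alice", "name": "Alice Example", "card_last4": "5555"},
}

# session token -> authenticated user (stands in for a real session store)
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

# Denied lookups are recorded here; a burst of denials from one session
# stepping through consecutive IDs is the signal to alert on.
DENIED_LOG: list[tuple[str, int]] = []


class Forbidden(Exception):
    """The requester may not view the requested record."""


def lookup_insecure(record_id: int) -> dict:
    """The flawed pattern: whatever ?id= says is returned, owner unchecked."""
    return RECORDS[record_id]


def lookup_checked(session_token: str, record_id: int) -> dict:
    """Resolve the requester from the session, then require ownership."""
    user = SESSIONS.get(session_token)
    if user is None:
        DENIED_LOG.append(("<no session>", record_id))
        raise Forbidden("sign in required")
    record = RECORDS.get(record_id)
    # One error for "missing" and "not yours": the caller learns nothing
    # about which IDs exist beyond their own.
    if record is None or record["owner"] != user:
        DENIED_LOG.append((session_token, record_id))
        raise Forbidden("record not available")
    return record


def can_view(session_token: str, record_id: int) -> bool:
    """True if lookup_checked would return the record for this session."""
    try:
        lookup_checked(session_token, record_id)
        return True
    except Forbidden:
        return False


def reachable_ids(session_token: str, candidate_ids) -> list[int]:
    """Regression check for a deployment: which IDs in a range one session
    can read. With the ownership check in place this is the session's own
    records and nothing else."""
    return [rid for rid in candidate_ids if can_view(session_token, rid)]


if __name__ == "__main__":
    # The unchecked lookup hands Bob's record to anyone who edits the ID.
    print(lookup_insecure(102))
    # The checked lookup returns only Alice's own records over the same range.
    print(reachable_ids("sess-alice", range(100, 106)))
    print(DENIED_LOG)
```

The ownership check is the fix; the shared "record not available" response and the denial log are the two details a practitioner would add alongside it, so that a visitor stepping through IDs neither learns which ones exist nor does so unnoticed.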

Mary, if that kind of thing is all that was involved, then I accept your point. I often do the same thing to get incorrectly linked images. It seems unlikely that one could have a similarly legitimate or "normal" reason to be changing the user ID part of the URL, but maybe we'll see otherwise if the details come out. It's far more likely, of course, that someone was just trying out the usual easy hacks.

Posted by: Sanpete | Sep 26, 2006 12:56:24 PM

Of course they were, Sanpete, [sonorous] in the interests of ensuring that the privacy of all Americans is protected, and not just the privacy of those using the online resources of the Democratic party. [/sonorous]

Posted by: BruceMcF | Sep 26, 2006 1:01:42 PM

Look, it's an easy problem to fix, and the DNC did notify the RNC of the problem before going public with it.

This is just a simple case of making fun of the RNC operation, not some insidious plot to actually release all the personal and financial records of the millions of RNC subscribers.

Seriously people, sometimes a cigar is just a cigar.

Posted by: Stephen | Sep 26, 2006 1:18:19 PM

not some insidious plot to actually release all the personal and financial records of the millions of RNC subscribers

I don't anyone suggested it was that kind of "cigar."

Posted by: Sanpete | Sep 26, 2006 1:48:47 PM

Um, that would be "don't think anyone suggested." Must be time for lunch.

Posted by: Sanpete | Sep 26, 2006 1:51:51 PM
