6

So a while back I had found a hole in a website's security, one that I has used pretty frequently. I was able to change my cookies and become any user I wanted. The only caveat was that I had to log in as a user in order to get things started. But once I was in I could basically be anyone I wanted to be just by changing a few numbers in the user ID of the cookie. They also did all of their user processing on the client side. Even password checks.

A couple weeks back I decided to go back in to see if anything had changed since then. It did! But not in the way I had thought.

So these guys decided that instead of fixing their security hole, they would have users just contact their people directly in order to get a new account.

Wow that's so much fucking overhead for basically being a lazy shit and not fixing the security holes. I mean how bad is your architecture if you can't go in and fix this?

Not only that I found that they actually stripped all of the users of their original subscriptions. So now if you want to get back on your subscription you'll have to fork over another $399. So that means going to their shitty form filling out your name, your number, email, and just hope that someone contacts you via phone call.

I'm glad I dropped this service. They clearly can't get their shit together.

Comments
Add Comment