Found this 2 years old beauty today:

public boolean hasPermission(User user, Permission permission){
// TODO
return true;
}

The author quit last year.

The room automation (light, doors, music) of a "smart" Hotel owned by our company is still being processed by an API that runs on one of my ex-colleagues local machine. It has now officially been declared as a "server" and everyone just hopes it keeps working.

Me things

Javascript.

I was an Android developer in a company, I was told to generate a release APK file to test it locally.

So, to sign the apk, I created a keystore file and the password is my name. they decided to publish the file on Play Store.

I left the company years ago, and still on every update they have to put my name as a password.

//TODO: temporary until re-written in new webapp

A commit from almost exactly 2 years ago 😬

a litte piece of javascript pinging the server every minute to prevent user being logged out

$(document).ready(function() {
setInterval(ping, 60000);
});

Our app server still restarts via cron job every night at 22:30, it’s been 3 years :)

At my first job, I got tired of having to type a user name and password every time I debugged the web application. Thinking I was clever, I put in a hack so that if you launched the application with the query string "?user=Administrator" it would log you in as the administrator. So much typing saved!

A couple days after the next release, I realized it shipped like that. In absolute horror, I walked into my boss' office, closed the door, and told him the tale of my mistake.

He just looked back at me, and after a moment or two said, "Loose lips sink ships."

And that was it.

More extensive list coming soon...

Authentication feature was only checking the length of the auth header instead of the actual content. I abused this to make a request to our API from inside our system with a junk header, so we were basically hacking ourselves...

Instead of using actual debugging tools, using print statements and forgetting to remove all of them.

a gentleman doesn't hack and tell

A toast showing "User login successful!" (+_+)

Network Address Translation (NAT). Rooted so deep, most people don't even know it's a hack

I was working for a startup that needed to update 300 machines that had just come from the factory. We had to open all 300 boxes and update them one at a time. I made a simple script that would run a folder full of shell scripts then keep track of what it ran so it would not run the same script twice. It made it so we could just plug the machines into the internet, they would query some server, download my program, and run it. It saved me from having to ssh into every machine and run commands. Well the head programmer guy saw what I did and implemented it as the main program that would update the entire machine. I didn't program anything into it to verify updates, the shell scripts did not return any indication of success or failure, and I made it in less than 3 hours. It was supposed to be a temporary program to be used for those 300 machines only, but ended up sticking around for 2 years.

I bypassed SSL certificate verification because that goddam certificate had some flags which my JVM did not understand and threw errors. Still in prod after 10+ years 🤐

Inline CSS with !important

The entire codebase

Internet Explorer

Built a software portal that tied in with our schools user management systems (fuck that shit btw, was written in Java that tied back to a JS backend) and I couldnt get password verification working probably so put a test in that just let you put the username in and whatever password and as long as the user wasn't currently in use you login correctly (only used it to track download limits and display the student's name)

Planned on fixing it the following week when my contract was supposed to renew, but they never renewed it and every time they have had me come back I haven't had the chance to fix it ¯\_(ツ)_/¯

> I didn't brought any condoms
> Just pull out Anon, we'll buy some later

You could say I went straight to production and now I'm considered "legacy"

Found this gem of a comment in a code base written 4 years back.

/*
Invoke <Service Base URL>/asset/v2/details/<SN> to get asset details
Feeling very bad to include this call, but we really need to use this !!!
This call is gonna take ~20s to respond. I've even increased the overall timeout of this module, just for this call !!!
So, if you are looking to debug any performance issue, I wish you jump directly here,
remove this call and just use master data management (MDM)
P.S: It is not that simple, as MDM and this asset DB (both asset masters) has differences in how the asset is defined :(
*/

Still trying to understand how to remove this costly time-consuming call and replace with an efficient one !!

And, of-course, the original author left 2 years back :(

//Dunno what causes these random connection errors; probably just hiccups in connection between our EC2 instance and Discord
try {
client.login(token);
} catch(e) {
//Do nothing, just prevent it from crashing the main thread and the client will reconnect
}

Silently rebooting device every night cause of memory leaks in CEF.

A vendor gave us what is turning out to be a very stable storage appliance/software, so we're happy for that. But even so, disks fail. So we need an automated way to identify, troubleshoot, isolate, and begin ticketing against disk failures. Vendor promised us a nice REST API. That was six months ago. The temporary process of SSHing(as root) to every single appliance(60-200 per site, dozens of sites) to run vendor storage audit commands remains our go-to means of automation.

if(true)//TODO: implement later
{
//do stuff
}

There was a time when I used to read books. Now, I read source codes. 👨‍💻👨‍💻

inline CSS counts?

catch (Exception e)
{
Debug.Print(e.Message);
}

Like... everywhere...

There are comments in prod code which say "need to change after POC" or something similar in multiple places.

Also, something that was designed to check something, but the call is made in such a way that it always returns true.

Best part, all the original authors left the company before I joined this team.

Our ticket tracking system and our IT service request system are from two different companies that are direct competitors. The source code is full of temporary hacks to just make them play nice until a better solution is worked out. Fast forward a few years and we're abandoning both systems in favor of a single, unified system that handles everything. We currently have maybe 20% of the new, unified system done, which is now hacked together with both of the legacy systems until we finally transition fully to the new system. The current plan is for next year, but the plan six months ago was for this year, and almost no progress has been made since then, so we're probably going to have two ticket trackers and two request systems for a while.

Actually, three ticket trackers and three request systems. The third ticket tracker is used to track work done on tickets that exist in the legacy tracker because the legacy tracker can't do that on its own, while the third request system is the oldest and most cumbersome legacy system of them all.

It is not on production anymore, but it was for long enough. Someone thought it would be a great idea to be able to debug a web app while signed in as a user reporting a problem. How to do it? It's easy. Just check on every request if magic HTTP parameter SIGN_IN_AS=id is present and if it is, sign in as this user. Of course, it worked also with admin account with hard-to-guess id=1.

Problem:
some folks left the angular codebase full of ridicolous console.logs, client was upset as he noticed it during UAT

Solution:
1. add extra script in main template page
window.console.log = function(){};
2. translate it into JSFuck
3. if they ask, pretend it's a super-secret encryption algorithm to improve security

document.form.email.value.indexOf('@') != '-1'

Yikes, maniac.

Not have privileges in prod database, so i have to create a simple 'hidden API func' in the backend of apps that i develop, so it can receive raw query and give response for the results, the REST API is (/getReport). Still Works :/

Having a info.php on the root of an production website ;)

Big plays...

function collapseView(element){
/**
*it doesnt work at the first time, the function needs to be called again
*/
element.collapse();
element.collapse();
}

Literally copy and paste this code..

Best hack in prod?

My Computer Science teacher.
More details to come...

Aber method that was supposed to Check If a payment for a (back then) unimplemented payment methode that returns true as a default value...

A Javascript oneliner to skip the payment... Used to be in produktion for years, before I reported it

Asp.net core. There's a page with the users list and invite form. The invite form opens automatically on page load, if the viewmodel isn't valid. So the invite button opens the quack'th page of the table.

so on android you're supposed to do network stuff like sockets and http requests on a separate thread right. lazy me released an app with a line of code (i forget what it is) that allows me to make http requests in the main thread. rip

function foo (bar){
bar = bar || false
}

Before ES6, still using

Not in prod today, but was part of a group project that we handed in and which got us an A.

The project was to write a PID controller for a robot that would drive along a track using a sensor to follow markings on the floor. During development we were drawing graphs of the PID parameters and sensor input every tick, which caused a bit of lag but no worries - we'll turn it off for the trial runs.

Imagine our pikachu shock meme when we turned off the graphs and our calibrations were suddenly *way* off since we had been oversteering all along to compensate for the lag.

There wasn't enough time to optimize it before the deadline and using sleeps didn't produce the same "type" of lag, so we just made the graph minimize itself when it opened. To this day I wonder if the professor ever saw it or if we got the A despite it.

isValid(){
Return true;

//code that doesn’t seem to work right
}

Me....

try
{
doStuff();
}
catch{}

Inline css and JS. It's on prod still and 1400+ lines of code and counting.

The DataEase system that tracks escheated funds I wrote in the last millennium that lives today! The entire system can fit on a 3.5” diskette 😀 Does anyone remember DataEase? Popular dbms eons ago. Fun fact - Microsoft wanted to buy them to be Microsoft Access but they turned down the offer. 😫

Client wanted to backup the uploaded files by users to a different drive.

The servers I was working on was Windows servers so I just used robosync between the 2 folders, saved as a batch script.

Apparently you cannot filter based on two parameters in firebase so something similar to "select * from table where email='something' and password ='something' " doesn't work .

So a shitty hack is to create a string to concatenate email and password and store it as a field and validate based on that field.

So basically there is a field in database which is

Sha256("emailid"+_+sha256("password"))

App displays a message if user has a lolipop device and system webview version is either old or not installed. As a small hack if version is less than string "70" , I display the message.

I am totally not proud of this.

gcc -W ...

I wrote a NoCors Heroku App to pull out all the CORS hearders from a 3rd Party API to use in the one of the production site. Still no one knows about it.