What is the worst security hole you've ever seen? It is probably a good idea to keep details limited to protect the guilty.

For what it's worth, here's a question about what to do if you find a security hole, and another with some useful answers if a company doesn't (seem to) respond.

From early days of online stores:

Getting a 90% discount by entering .1 in the quantity field of the shopping cart. The software properly calculated the total cost as .1 * cost, and the human packing the order simply glossed over the odd "." in front of the quantity to pack :)

The least forgivable security hole, and unfortunately a very common and easy to find one at that, is Google hacking. Case in point:

http://www.google.com/search?q=inurl%3Aselect+inurl%3A%2520+inurl%3Afrom+inurl%3Awhere

It's amazing how many pages on the Internet, government sites in particular, pass an SQL query through the query string. It's the worst form of SQL injection, and it takes no effort at all to find vulnerable sites.

With minor tweaks, I've been able to find unprotected installations of phpMyAdmin, unprotected installations of MySQL, query strings containing usernames and passwords, etc.

Social Engineering:

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

From bash.org

True story from my early days at Microsoft.

You haven't known fear until the day you wake up and see the headline on ZDNet.com that morning is "Worst Internet Explorer Security Hole Ever Has Been Discovered In 'Blah'" where 'Blah' is code you wrote yourself six months previously.

Immediately upon getting to work I checked the change logs and discovered that someone on another team -- someone we trusted to make changes to the product -- had checked out my code, changed a bunch of the security registry key settings for no good reason, checked it back in, and never got a code review or told anyone about it. To this day I have no idea what on earth he thought he was doing; he left the company shortly thereafter. (Of his own accord.)

(UPDATE: A few responses to issues raised in the comments:

First, note that I choose to take the charitable position that the security key changes were unintentional and based on carelessness or unfamiliarity, rather than malice. I have no evidence one way or the other, and believe that it is wise to attribute mistakes to human fallibility.

Second, our checkin systems are much, much stronger now than they were twelve years ago. For example, it is now not possible to check in code without the checkin system emailing the change list to interested parties. In particular, changes made late in the ship cycle have a lot of "process" around them which ensures that the right changes are being made to ensure the stability and security of the product.)

Anyway, the bug was that an object which was NOT safe to be used from Internet Explorer had been accidentally released as being marked "safe for scripting". The object was capable of writing binary files -- OLE Automation type libraries, in fact -- to arbitrary disk locations. This meant that an attacker could craft a type library that contained certain strings of hostile code, save it to a path that was a known executable location, give it the extension of something that would cause a script to run, and hope that somehow the user would accidentally run the code. I do not know of any successful "real world" attacks that used this vulnerability, but it was possible to craft a working exploit with it.

We shipped a patch pretty darn quickly for that one, let me tell you.

I caused and subsequently fixed many more security holes in JScript, but none of them ever got anywhere near the publicity that one did.

I hope you can spot what's wrong here. (Terribly wrong, in fact):

String emailBody = "";

for (int i = 0; i < subscribers.Count; i++)
{
    emailBody += "Hello " + subscribers[i].FirstName + ",";
    emailBody += "this is a reminder with your account information: \n\n:";
    emailBody += "Your username: " + subscribers[i].Username + "\n";
    emailBody += "Your password: " + subscribers[i].Password + "\n";
    emailBody += "Have a great day!";

    emailDispatcher.Send(subscribers[i].EmailAddress, emailBody);
}

The last recipient was the happiest ;)

The old IBM System 36 dumb terminals had a keyboard combination that started the recording of a macro. So when a terminal was not logged in, you could start the recording of a macro and leave it in that position. Next time someone logged in, the keystrokes would be recorded in the macro and the recording would end automatically when maximum allowed keys was recorded. Just come back later and replay the macro to autolog-in.

The worst security hole I've ever seen was actually coded by yours truly and caused the Google Bot to delete my entire database.

Back when I was first learning Classic ASP, I coded my own basic blog application. The directory with all the admin scripts was protected by NTLM on IIS. One day I moved to a new server and forgot to re-protect the directory in IIS (oops).

The blog home page had a link to the main admin screen, and the main admin screen had a DELETE LINK for each record (with no confirmation).

One day I found every record in the database deleted (hundreds of personal entries). I thought some reader had broke into the site and maliciously deleted every record.

I came to find out from the logs: The Google Bot had crawled the site, followed the admin link, and the proceeded to follow all the DELETE LINKS, thereby deleting every record in the database. I felt I deserved the Dumbass of the Year award getting inadvertently compromised by the Google Bot.

Thankfully I had backups.

The worst hole I've ever seen was a bug in a web application where giving an empty user name and password would log you in as administrator :)

Once noticed this on the URL of a web-site.

http://www.somewebsite.com/mypage.asp?param1=x&param2=y&admin=0

Changing the last parameter to admin=1 gave me admin privileges. If you are going to blindly trust user input at least don't telegraph that you are doing it!

I saw this one in The Daily WTF.

<script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a
UserID and Password*/
function pasuser(form) {
    if (form.id.value=="buyers") { 
        if (form.pass.value=="gov1996") {              
            location="http://officers.federalsuppliers.com/agents.html" 
        } else {
            alert("Invalid Password")
        }
    } else {  
        alert("Invalid UserID")
    }
}
//-->
</script>

Nothing can beat this IMHO.

At a university no less, which will remain nameless, they had all their action queries being passed through the URL instead of form posted.

The thing worked a treat until Google Bot came along and ran through all of their URLs and wiped their database.

Surprised no one has brought up social engineering, but I got a kick out of this article.

Summary: malicious users can buy a few dozen flash drives, load them with an auto-run virus or trojan, then sprinkle said flash drives in a company's parking lot late at night. Next day, everyone shows up to work, stumble on the shiny, candy-shaped, irresistable hardware and say to themselves "oh wow, free flash drive, I wonder what's on it!" -- 20 minutes later the entire company's network is hosed.

"Pedo mellon a minno", "Speak friend and enter", on the gates of Moria.

Microsoft Bob
(Credit: Dan's 20th Century Abandonware)

If you enter your password incorrectly a third time, you are asked if you have forgotten your password.

http://img132.yfrog.com/img132/8397/msbob10asignin15.gif

But instead of having security, like continuing to prompt for the correct password until it's entered or locking you out after a number of incorrect attempts, you can enter any new password and it will replace the original one! Anyone can do this with any password "protected" Microsoft Bob account.

There is no prior authentication required. his means User1 could change their own password just by mistyping their password three times then entering a new password the fourth time -- never having to use "change password."

It also means that User1 could change the passwords of User2, User3... in exactly the same way. Any user can change any other user's password just by mistyping it three times then entering a new password when prompted -- and then they can access the account.

http://img132.yfrog.com/img132/9851/msbob10asignin16.gif

I had Joe X's former home address, and needed to know his newer current address in the same city, but had no way to contact him. I figured he was receiving the usual daily pile of mail order catalogs, so I arbitrarily called the 800 number for See's Candies (as opposed to Victoria's Secret, or Swiss Colony, or any other big mailer):

Me: "Hi, I'm Joe X. I think you've got me on your mailing list twice, at both my old address and my new address. Does your computer show me at [old address] or at [fake address]?"

Operator: "No, we show you at [new address]."

Giving 1=1 in a textbox lists all the users in the system.

Being an application security consultant for a living there are lots of common issues that let you get admin on a website via something. But the really cool part is when you can buy a million dollars worth of socks.

It was a friend of mine working on this gig but the jist of it was that prices for items in a certain now very popular online book (and everything else) shop were stored in the HTML itself as a hidden field. Back in the early days this bug bit a lot of online stores, they were just starting to figure out the web. Very little security awareness, I mean really who is going to download the HTML, edit the hidden field and resubmit the order?

Naturally we changed the price to 0 and ordered 1 million pairs of socks. You could also change the price to negative but doing this made some part of their backend billing software buffer overflow ending the transaction.

If I could choose another it would be path canonicalization issues in web applications. It's wonderful to be able to do foo.com?file=../../../../etc/passwd

Committing the database root password to source control by accident. It was pretty bad, because it was source control on Sourceforge.

Needless to say the password got changed very quickly.

Not changing admin passwords when key IT employees leave the company.

Though this is not the worst security hole I’ve ever seen. But this is at least the worst I’ve discovered myself:

A pretty successful online shop for audiobooks used a cookie to store the identification information of the current user after successful authentication. But you could easily change the user ID in the cookie and access other accounts and purchase on them.

Right at the start of the .com era, I was working for a large retailer overseas. We watched with great interest as our competitors launched an online store months before us. Of course, we went to try it out... and quickly realized that our shopping carts were getting mixed up. After playing with the query string a bit, we realized we could hijack each other's sessions. With good timing, you could change the delivery address but leave the payment method alone... all that after having filled the cart with your favorite items.

When I first joined the company I currently work at, my boss was looking over the existing e-commerce web site of a prospective new client. This was in the fairly early days of both IIS and e-commerce, and security was, shall we say, less than stringent.

To cut a long story short, he altered a URL (just out of curiosity), and realised that directory browsing wasn't turned off, so you could just cut the page name off the end of the URL and see all the files on the web server.

We ended up browsing a folder containing an Access database, which we downloaded. It was the entire e-commerce customer/order database, replete with several thousand unencrypted credit card numbers.

People posting their passwords on public websites...

When I was 13 years old my school opened a social network for the students. Unfortunately for them I found a security bug where you could change the URI to another userID like "?userID=123" and become logged in for that user. Obviously I told my friends, and in the end the schools social network was filled with porn.

Wouldn't recommend it though.

I think the blank username / password field for superuser access is by far the worst. But one I have seen myself was

if (password.equals(requestpassword) || username.equals(requestusername))
{
    login = true;
}

Too bad one operator makes such a big difference.

Mine would be for a bank I was a customer of. I wasn't able to log on, so I called customer service. They asked me for my user name and nothing else - didn't ask any security questions or try to verify my identity. Then instead of sending a password reset to the email address they had on file, they asked me what email address to send it to. I gave them an address different than what I had on file, and was able to reset my password.

So essentially, all a hacker would need is my user name, and he could then access my account. This was for a major bank that at least 90% of people in the United States would have heard of. This happened about two years ago. I don't know if it was a poorly trained customer service rep or if that was standard procedure.

I'll share one I created. Kind of.

Years and years and years ago the company I was working for wanted indexing on their ASP web site. So off I went and set up Index Server, excluded a few admin directories and all was good.

However unknown to me someone had given a sales person ftp access to the web server so he could work from home, this was the days of dialup and it was the easiest way for him to swap files.... and he started uploading things, including documents detailing the markup on our services.... which index server indexed and starting serving up when people searched for "Costs".

Remember kids, whitelists not blacklists.

One of the simplest, yet really cost worthy is:

Payment systems that use engines such as PayPal can be flawed because the response back from PayPal after payment was successful is not checked as it should be.

For example:

I can go on to some CD purchase website and add some content to the cart, then during the checkout stages there's usually a form on the page that has been populated with fields for paypal, and a submit button to "Pay"..

Using a DOM Editor I can go into the form "live" and change the value from £899.00 to £0.01 and then click submit...

When I'm on the PayPal side of things I can see that the amount is 1 penny, so I pay that and PayPal redirects some parameters to the initial purchase site, who only validates parameters such as payment_status=1, etc., etc. and do not validate the amount paid.

This can be costly if they do not have sufficient logging in place or products are automatically dispatched.

The worst kind of sites are sites who deliver applications, software, music, etc.

How about an online document manager, which allowed to set every security permission you could remember...

That is until you got to the download page... download.aspx?documentId=12345

Yes, the documentId was the database ID (auto-increment) and you could loop every single number and anyone could get all the company documents.

When alerted for this problem the project manager response was: Ok, thanks. But nobody has noticed this before, so let's keep it as it is.

A Norwegian pizza delivery had a security hole where you could order negative amounts of pizzas at their new and shiny internet portal and get them for free.