Wednesday, January 16, 2008

An 'Oh my god she's dropped the bottle' moment

Yesterday, at work, I managed to earn my salary before 9am and earn a few brownie points.

I was looking through the code on one of our live sites, trying to find some performance improvements, and I noticed there was some code to get the entire user table, which includes username, email and password for the site, and write it out to a web page.

Er, I wonder if you can access that page on the development server? Ah yes, you can. How about the stage server? Oh yes, you can see all the users printed out in a nice list. But how about the live site... oh shit! Every single username and password. A very rapid flurry of emails then occurred as I got them (the client's tech team) to make the site safe and delete the offending pages.

A little later, when our CTO found out (I had to tell him), a general email went around the department giving everyone a rocket (it wasn't the fault of anyone who currently works here) and reminding them to check they don't release test pages like this in future.
