

Youtube Live Epic Failure (Plaintext DB Password Exposed) - a904guy

From: http://techcrunch.com/2010/09/12/youtube-live-streaming/

The widget embedded is rendering this on the page:

    Traceback (most recent call last):
      File "/base/python_runtime/python_lib/versions/1/google/appengine/ext/webapp/__init__.py", line 511, in __call__
        handler.get(*groups)
      File "/base/data/home/apps/yt-live/1.344714172147360500/event.py", line 69, in get
        evs = get_rows()
      File "/base/data/home/apps/yt-live/1.344714172147360500/event.py", line 9, in get_rows
        client = gdata.spreadsheet.text_db.DatabaseClient('kieran@bynd.com', 'projectmetal')
      File "/base/data/home/apps/yt-live/1.344714172147360500/gdata/spreadsheet/text_db.py", line 106, in __init__
        self.SetCredentials(username, password)
      File "/base/data/home/apps/yt-live/1.344714172147360500/gdata/spreadsheet/text_db.py", line 127, in SetCredentials
        raise CaptchaRequired('Please visit https://www.google.com/accounts/'
    CaptchaRequired: Please visit https://www.google.com/accounts/DisplayUnlockCaptcha to unlock your account.
======
davidw
One guy's password getting out, in the grand scheme of things, is perhaps not
an "epic failure". I mean, it's a screwup all right, but perhaps some
perspective is in order...

~~~
a904guy
The point is more towards developers/sysadmins. Outputting error handling is
an epic failure in any production environment.

~~~
davidw
If that's "epic", what about those companies that lost tons of credit card
numbers? Or the Therac that killed people? You'll run out of superlatives if
"epic" is putting some debug information on the screen in a production
environment.

~~~
a904guy
And how do you suspect those credit cards were lost? Bad practices? This would
be one of them. The semantics behind the title don't really matter. At
the end of the day, it's just a bad idea.

~~~
davidw
No one is saying that it's not a bad idea. I'm just quibbling with the
superlative-inflation going on in the headline.

------
viraptor
Slightly off-topic, but I wonder what is their versioning strategy.
1.344714172147360500 is pretty bizarre. Does anyone know how / why it's used?

~~~
studer
Looks like a high-resolution timestamp (the first 32 bits make up a time_t for
last Saturday).

------
oscardelben
That's why you should never expose tracebacks in a production environment. But
plain text? Really?
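
What a904guy's "outputting error handling in production" point and this comment are getting at, as an added Python example that is not code from the page or from the yt-live app: the same dispatcher run with the weak setting (debug on) beside the safe one (debug off). With debug on, Python's traceback formatter echoes the source line that held the literal credential, exactly as in the widget's output; with debug off, the full traceback still goes to the server log, and the client gets only an opaque reference it can quote to support. `FakeDatabaseClient`, `get_rows`, the `user@example.com`/`hunter2` placeholders and the log name are all constructed for this example, not the real gdata client or the real credential.

```python
import logging
import traceback
import uuid

log = logging.getLogger("widget")  # assumed logger name for this example


class FakeDatabaseClient:
    """Constructed stand-in for gdata's DatabaseClient: always raises,
    mirroring SetCredentials raising CaptchaRequired in the page's traceback."""

    def __init__(self, username, password):
        raise RuntimeError(
            "CaptchaRequired: unlock the account for %s before retrying" % username
        )

    def rows(self):
        return []


def get_rows():
    """Stand-in for the widget's get_rows(): a credential written into the
    source, passed to a client that fails. Placeholder values, not the page's."""
    username, password = "user@example.com", "hunter2"  # placeholder secret
    client = FakeDatabaseClient(username, password)
    return client.rows()


def render_error(debug):
    """Must be called inside an except block. debug=True is the setting that
    produced the page's leak: the formatted traceback, including the source
    line holding the literal credential, is returned to the client.
    debug=False logs that same traceback server-side and returns only an
    opaque reference the user can report."""
    tb = traceback.format_exc()
    if debug:
        return "500 Internal Server Error", tb
    ref = uuid.uuid4().hex[:12]
    log.error("request failed ref=%s\n%s", ref, tb)
    return "500 Internal Server Error", "Something went wrong (ref %s)." % ref


def handle(handler, debug=False):
    """Minimal request dispatcher: returns (status, body) for the handler.
    Any exception is converted to a 500 whose body depends only on `debug`."""
    try:
        return "200 OK", handler()
    except Exception:
        return render_error(debug)


if __name__ == "__main__":
    for debug in (True, False):
        status, body = handle(get_rows, debug=debug)
        print("debug=%s -> %s\n%s\n" % (debug, status, body))
```

The check a deployment should make is the second branch: the body sent to the client contains neither the traceback header nor anything from the failing source line, and the reference ID is the only link between what the user saw and what the log recorded.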

------
hellweaver666
This reminds me of the time php.net went funny and started outputting all
their PHP as text/html - they kept their DB credentials in a file included
from their public_html directory and we were able to read the host details and
username and password for their CMS.

Never ceases to amaze me that even big sites make little mistakes like that!

~~~
donspaulding
Using PHP is not a little mistake.

------
aw3c2
That is one embarrassingly trivial password

~~~
djb_hackernews
Really? It's two words that aren't commonly found together. The only way I can
see it being trivial enough to comment on is if the guy is related to
something named Project Metal. But I don't know who he is.

------
pilif
Doesn't google docs support OAuth? That password should never have been in the
code to begin with.
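
The point pilif makes, that the password should never have been in the code, as an added Python example that is not the yt-live app's code: a small `ast`-based check that flags string literals passed positionally to credential-taking calls such as the `DatabaseClient(...)` call in the traceback, plus the fail-closed way to load the same credential from the environment. `DatabaseClient` and `SetCredentials` are the call names visible in the page's traceback; `ClientLogin` and `login`, the `SHEET_USER`/`SHEET_PASSWORD` variable names, and both sample sources (with placeholder values, not the real credential) are assumptions made for this example. OAuth, which pilif mentions, is not shown here; the example only covers getting the literal out of the source.

```python
import ast
import os

# Calls that take credentials positionally. DatabaseClient and SetCredentials
# appear in the page's traceback; the other two are assumed common names.
CREDENTIAL_CALLS = {"DatabaseClient", "SetCredentials", "ClientLogin", "login"}

# Constructed sample mirroring the widget's line, with placeholder values.
BAD_SOURCE = '''\
import gdata.spreadsheet.text_db

def get_rows():
    client = gdata.spreadsheet.text_db.DatabaseClient('user@example.com', 'hunter2')
    return client
'''

# Same call, but the credential comes in from outside the source file.
GOOD_SOURCE = '''\
import gdata.spreadsheet.text_db

def get_rows(user, password):
    client = gdata.spreadsheet.text_db.DatabaseClient(user, password)
    return client
'''


def find_literal_credentials(source, filename="<source>"):
    """Return [(lineno, call_name)] for every call to a name in
    CREDENTIAL_CALLS that receives a string literal as a positional argument.
    Such a literal is a secret committed to the repository, and one that a
    Python traceback will echo verbatim if the call raises."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            name = func.attr
        elif isinstance(func, ast.Name):
            name = func.id
        else:
            continue
        if name not in CREDENTIAL_CALLS:
            continue
        if any(isinstance(a, ast.Constant) and isinstance(a.value, str)
               for a in node.args):
            hits.append((node.lineno, name))
    return hits


def credentials_from_env(env=None):
    """Fail closed: the credential lives outside the source, and a missing
    variable stops startup instead of falling back to a default."""
    env = os.environ if env is None else env
    try:
        return env["SHEET_USER"], env["SHEET_PASSWORD"]
    except KeyError as e:
        raise RuntimeError("missing required setting %s" % e.args[0]) from None


if __name__ == "__main__":
    print("bad :", find_literal_credentials(BAD_SOURCE, "event.py"))
    print("good:", find_literal_credentials(GOOD_SOURCE, "event.py"))
```

Run the scanner as a pre-commit hook over the app's `.py` files; it is deliberately narrow (only literals passed to known credential calls) so that it produces no noise and the one hit it reports is always worth a look. Keyword arguments and variables initialised from literals elsewhere are outside what this version catches.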

------
Thasc
... has anyone told Kieran?

~~~
n3mhxk7rq
No

------
Garbage
Have you reported this?

~~~
a904guy
Yes

------
simplegeek
Just out of curiosity, which Python web framework does YouTube use?

------
riffic
I hope kieran changes that password if he uses it elsewhere.

------
a904guy
The widget has since been removed.

------
a904guy
Widget is back. (Working)

