Guess their user id and you could get someone's whole contact list, access their voicemail, or start a 30 person conference call which could dial out internationally with calls billed to the affected user...
The entire top management had user ids below 100...
I found the problem because on login all it set was a cookie with the userid, and so of course I tried changing it.
When I alerted my manager to the problem they put in place 'encryption' of said cookie.
It was base64 encoding.
They were shocked when I broke that too.
Writing this now it sounds invented, but it's not. To be fair this was more than 20 years ago, and a lot of developers did not yet have any understanding of security, so they at least had a shred of an excuse.
I never figured out what thought process led to them considering base64 a security feature. I mean, I could tell just by looking at the cookie it was base64, but I expected that meant they'd encrypted it and then base64 encoded the result. But no. It made me treat every bit of code I was handed with extreme caution.
For private data.
I left that company first chance I got.
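The cookie problem described in this thread, as an added example that is not part of the original comments: a base64 "encrypted" user id cookie accepts any value a client re-encodes, while an HMAC-signed cookie rejects an altered id. The function names, the key and the user ids 4242 and 7 are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Assumption: a server-side secret; constructed value, never sent to the client.
SECRET_KEY = b"constructed-demo-key"

def issue_b64_cookie(user_id: int) -> str:
    """The scheme from the story: the cookie is just base64 of the user id."""
    return base64.b64encode(str(user_id).encode()).decode()

def read_b64_cookie(cookie: str) -> int:
    """Decodes and trusts the value; base64 carries no key and no integrity."""
    return int(base64.b64decode(cookie).decode())

def _tag(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_signed_cookie(user_id: int) -> str:
    """Hardened form: payload plus an HMAC-SHA256 tag over that payload."""
    payload = base64.urlsafe_b64encode(str(user_id).encode()).decode()
    return f"{payload}.{_tag(payload)}"

def read_signed_cookie(cookie: str):
    """Return the user id, or None if the cookie is malformed or altered."""
    payload, sep, tag = cookie.partition(".")
    if not sep:
        return None
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
        return None
    try:
        return int(base64.urlsafe_b64decode(payload).decode())
    except ValueError:
        return None

def demo():
    """Compare how each scheme treats a cookie whose id was changed client-side."""
    altered_b64 = base64.b64encode(b"7").decode()
    genuine = issue_signed_cookie(4242)
    # Keep the genuine tag but swap in a different payload.
    altered_signed = base64.urlsafe_b64encode(b"7").decode() + "." + genuine.split(".")[1]
    return {
        "b64_accepts_altered": read_b64_cookie(altered_b64),
        "signed_genuine": read_signed_cookie(genuine),
        "signed_altered": read_signed_cookie(altered_signed),
    }

if __name__ == "__main__":
    print(demo())
```

The signature gives integrity only; the user id is still readable by the client, so anything confidential belongs in server-side session state keyed by a random identifier.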