Hacker Newsnew | comments | show | ask | jobs | submit login

Based entirely on the format of the data that was publicly accessible, it looks like this data, including usernames and passwords, are raw $_POST server variables spit out in a debug log. All the hashing and encryption in the world can't protect you against saving the data to disk, above your webroot, in plain text before you hit your security component. This was pure programmer error, a form of ignorance, but not necessarily a sign of incompetence.



My point still stands in general, though apparently not in this particular case. :-)

Nice catch, by the way.

-----




Guidelines | FAQ | Support | API | Lists | Bookmarklet | DMCA | Y Combinator | Apply | Contact

Search: