
Most shocking noob mistake you've seen on a major website?

Posted: Sun Dec 23, 2007 6:31 pm
by Josh1billion
Back in the day (around 2000), Echelon (now known as Swirve), the company that created Utopia and Earth 2025 (well-known browser-based games), had a free forum service that I used for a while. Good forum service overall, but something I look back on today and think "wtf were they thinking??": they didn't use cookies, nor sessions. Nope, your username and password were stored as string queries ($_GET variables), completely unencrypted. So if you went to copy-and-paste a link for a particular thread, and forgot to remove the &username=blah&password=blah from the URL... danger! That actually happened to me once.
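The flaw described above (credentials carried in the query string) leaves the password wherever the URL lands: access logs, browser history, Referer headers, and pasted links. Added example, not code from the thread or from the forum software: a small scanner that finds such requests in constructed access-log lines, reports them, and produces a redacted URL so the log can be kept; the parameter names it treats as secret are an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query parameter names treated as secrets (assumed list; extend per application).
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "token", "sessionid"}

# Common Log Format, with an optional trailing quoted Referer field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

def find_secret_params(url):
    """Names of query parameters in `url` whose values are secrets."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if k.lower() in SECRET_PARAMS})

def redact_url(url):
    """The same URL with every secret value replaced, so the line can be retained."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan_log(lines):
    """One (client, status, leaked_param_names, redacted_url) tuple per request
    whose URL or Referer carried a secret in its query string."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format; a production scanner would count these
        for field in ("url", "referer"):
            value = m.group(field)
            leaked = find_secret_params(value) if value else []
            if leaked:
                findings.append((m.group("client"), int(m.group("status")),
                                 leaked, redact_url(value)))
    return findings

# Constructed sample lines: a login-by-URL request, a clean request, the same
# credential-bearing link requested later from another address (a pasted link),
# and an image fetch whose Referer still carries the credentials.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Dec/2007:18:31:02 +0000] "GET /viewthread.php?id=42&username=alice&password=hunter2 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [23/Dec/2007:18:32:10 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [23/Dec/2007:18:40:55 +0000] "GET /viewthread.php?id=42&username=alice&password=hunter2 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [23/Dec/2007:18:41:03 +0000] "GET /ads/banner.gif HTTP/1.1" 200 900 "http://forum.example/viewthread.php?id=42&username=alice&password=hunter2"',
]

if __name__ == "__main__":
    for client, status, params, url in scan_log(SAMPLE_LOG):
        print(f"{client} status={status} leaked={params} request={url}")
```

The same credentials appearing from a second client address is the copy-pasted-link case the post describes, and the Referer hit is how they would reach a third-party ad host.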

Posted: Sun Dec 23, 2007 6:54 pm
by s.dot
Wow. I never even did that with my most basic learning php scripts. I did however store passwords in a database table in plain text.

Anyhoo, most production level sites have their error reporting turned off, so it's hard to see errors that aren't obvious in design like the one you mentioned. The most I've seen is undefined variable notices.

Posted: Sun Dec 23, 2007 8:32 pm
by Benjamin
I took out a live site that has over 500k hits an hour with 4mil users for about 30 minutes because the stupid FTP client that they wanted me to use was finicky. The cause? I was moving the mouse and accidentally clicked at just the right time to cause the FTP client to *think* that I wanted to drag & drop the config directory into another. Not knowing where the hell it put it, and being as there were hundreds of directories, I had to re-upload the entire folder from backup. With the amount of money this site made, that could have easily been a $10k mistake or more.

Posted: Sun Dec 23, 2007 8:51 pm
by John Cartwright
Not so much my mistake, but I've come across systems that previous coders had done which stored credit card details in plain text. I quit the next day. How can anyone work with those kinds of business ethics?

Posted: Sun Dec 23, 2007 11:09 pm
by RobertGonzalez
I think my biggest issue was leaving database error statements inside of die() calls that were totally unnecessary (error handling would have been a lot better than die()).

Posted: Mon Dec 24, 2007 12:11 am
by Ollie Saunders
Jcart wrote: Not so much my mistake, but I've come across systems that previous coders had done which stored credit card details in plain text. I quit the next day. How can anyone work with those kinds of business ethics?
Whoa, what did you say before you quit? How long had you been working there?
RobertGonzalez wrote: I think my biggest issue was leaving database error statements inside of die() calls that were totally unnecessary (error handling would have been a lot better than die()).
Yeah, we've all done that; it's the classic way people are taught PHP.

Posted: Mon Dec 24, 2007 12:19 am
by alex.barylski
In or around 2002ish CodeProject.com had a bit of a hiccup because some goof ball used JS (which was allowed if I remember correctly) in his signature to switch the banner ads...

So for an hour or so when you logged onto CP, instead of seeing banner ads for Dundas Charts, or ASP.NET tools, etc... I saw banner ads of my *other* favorite kind of sites. :P Because I appreciate CP... I did not sign up for any free accounts. :P

Posted: Mon Dec 24, 2007 12:29 am
by timvw
In late 2005 I noticed that a couple of friends doing an internship at UNESCO ( http://www.unesco.org ) didn't even know about SQL injection... But I think the defacing of that site made news covers :D

Posted: Mon Dec 24, 2007 5:12 am
by Jenk
I don't know if you chaps have heard of BACS? ( http://en.wikipedia.org/wiki/BACS ) Basically just about every company in the UK uses it to pay its employees, and other beneficiaries, money (salaries, trades, loans, etc.)

My role involved supporting the system for a very large company, and its subsidiary clients and child-companies. Anyway, to cut a long story short, this involved 200 employees cutting and pasting data from many files to a shared spreadsheet, then sending me the spreadsheet, which I then exported as a CSV, ftp'd to the transfer server and submitted as a BACS job. The sharp-witted may have already spotted a huge margin for human error... missed payments were very common, the worst being a £66million payment from one bank to another, which incurred a HUGE fine nearly doubling the cost, all because a line was missed when copying and pasting.

The catch? There were literally millions of pounds per month passing through my hands. A few things with that: none of the data was encrypted, all plain text; I had every employee's (and client's) bank details, including how much they earn (my company always made it a hoo-hah that no one knows what their peers are earning); and to top it all off, the only verification needed in these files was that each file submitted has a "total" in the header, and the list of payments underneath. Some files had as much as 50,000 lines of payments. 5p off of each line, tallied into an extra line which just so happened to have my Cayman Islands bank details in, and I would have been a very, very rich man very, very quickly. Good thing I am honest, eh?

Posted: Mon Dec 24, 2007 5:20 am
by matthijs
Jenk wrote: 5p off of each line, tallied into an extra line which just so happened to have my Cayman Islands bank details in and I would have been a very, very rich man very, very quickly. Good thing I am honest, eh?
Yeah sure! You are writing this from some nice white beach somewhere in the Pacific.
You just pretend not to, to prevent Scotland Yard finding out your whereabouts... :)

Posted: Mon Dec 24, 2007 5:25 am
by s.dot
Office Space esque. LOL

Posted: Mon Dec 24, 2007 9:39 am
by John Cartwright
ole wrote:
Jcart wrote: Not so much my mistake, but I've come across systems that previous coders had done which stored credit card details in plain text. I quit the next day. How can anyone work with those kinds of business ethics?
Whoa, what did you say before you quit? How long had you been working there?
Gave him the usual crap about personal security and identity theft, etc, etc. Once he told me he pretty much didn't care about his users' security and nothing bad would happen with the stored credit numbers, I quit right there and told him I was reporting his website in a month, so I hoped he'd have changed his mind by then. I regret not reporting his business right there.

I wonder how many other sites you can supposedly "trust" with your financial details. Much of the reason I have a PayPal account and will never input my credit card details anymore.

EDIT | Wow just read Jenk's and that sure beats the crap out of my story.