Tuesday, August 21, 2007

No patch for human brain

Life is good. It's so good that I'm happy with everything that's happening around me. I'm happy for clouds showering on my head as soon as I enter heavy traffic where I can't stop or find a shelter. I'm happy for my boring life to think about silly things. One of those silly things is one silly bug that crept into one advanced application in a Great Company.

It's not about 'a' project among thousands of projects. It's about one project that is actually common to every person in our company: a web application to which you get access even before you get access to your company email-id. In fact, your email-id selection can be done only through that application.

What's good about that application? Well, it's cool. It's complicated. It's advanced. It makes my work easy (almost :P, at least I don't have to run around carrying papers).

What's bad about that application? Silly messages. Yes. Very silly messages. If you press "ctrl" or "alt", you will get a message box telling you "You are not allowed to press that button". What .. WTF?? I'm not allowed to press a button on my keyboard??? Come on dude. It's the height of "being secure". Well, yeah. A person who has just started using a computer can certainly think that the application is so secure that it even detects key presses.

Yeah. As a person who uses computers a little more than an average computer engineer, I found that the exoskeleton of the application is so weak that any kid can break it. There are some basic principles in coding a web application. I've no clue whether they've followed every principle or not, but they missed principle Numero Uno.

What is that? They send the password back to my browser. WTF??? Yep. They send the password back to my browser, unaltered, unencrypted. Just plain 0xPassword, thinking that no user will press other buttons when they tell him that he can't press certain buttons.

So, is that the only bug that has crept in? Well, the answer is no. There is a whole family of bugs inside that application.

They use one 32-letter word (*cough* *cough*, it's a hash) to log in to a certain place in the application. Guess what's funny? That word stays the same for you throughout your time there. It's not changed even if you change your password for that application. If someone grabs it, there is nothing you can do about it.

If the above one was funny, this one will make you laugh even more. They transmit your username and password as variables using HTTP GET. In other words, if you access this application through a proxy, then even though they use SSL, the proxy admin can see your password, because the URLs themselves are not encrypted. WTF, in our company we use a proxy all the time!!! Which means my admin can see my "secret" password if he wishes!!!
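As an added example (not code from the original post or from the application it describes), here is the check a proxy or application admin could run over access logs to catch the two problems above: credentials travelling in a GET query string, and a fixed 32-hex-character value being passed around as a login token. The log format, host name, parameter names and the sample lines are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that should never appear in a query string (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}
# A bare 32-hex-character value looks like a hash being reused as a static login token.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def audit_url(url):
    """Return a list of (kind, param) findings for one requested URL."""
    findings = []
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(("credential-in-query", name))
        if HEX32.match(value):
            findings.append(("static-hash-in-query", name))
    return findings


def audit_log(lines):
    """Scan constructed 'client method url' log lines.

    Returns {client: [(method, kind, param), ...]} for clients with findings only,
    so a reviewer sees exactly which users' credentials or tokens are exposed.
    """
    report = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the audit
        client, method, url = parts
        hits = audit_url(url)
        if hits:
            report.setdefault(client, []).extend(
                (method, kind, param) for kind, param in hits
            )
    return report


# Constructed sample log: one user logs in via GET and later presents a fixed hash,
# another user logs in via POST (nothing sensitive in the URL) and runs a search.
SAMPLE_LOG = [
    "10.0.0.5 GET https://portal.example/login?user=alice&password=Hunter2",
    "10.0.0.5 GET https://portal.example/profile?auth=0123456789abcdef0123456789abcdef",
    "10.0.0.9 POST https://portal.example/login",
    "10.0.0.9 GET https://portal.example/search?q=leave+policy",
]

if __name__ == "__main__":
    for client, hits in audit_log(SAMPLE_LOG).items():
        print(client, hits)
```

Moving the login form to POST removes the credential from the URL, and a per-session token that is rotated on password change would stop the fixed hash from showing up in these logs at all.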

The application coders can fight with me: come on dude, we've implemented sessions so well that if you don't do anything in the application for some time, your session will expire and we take you to the login page automatically. My response to that would be .. Wow, I'm speechless. Many users, yes, I do mean many users of the application, forget to log off, leave the browser window open and walk away. Which means their session has expired, but the window is still showing the dead "session" in the browser. But our coders forgot Rule Zero: any browser will resend the HTTP query when you hit the refresh button. I just pressed the shift button and refreshed the browser. Tada!!! My browser asks me whether to resend that data. Here DATA is my username and password. If I click Yes, my dead session gets renewed, and using bug one, I can find the password.

Well, there is one fact. After you join the company, they give you some guidelines for using the application. If you follow them, you are safe. But our guys forgot one basic thing: "Applications can be patched, but not human brains".

I know how to fix those bugs. I've told them how to fix those bugs. Twice, they've fixed the bugs after a couple of months. The other times, they didn't even read.

1 response:

Monu Joy said...

Give your help and analysis to that application team... they may be wondering "who is this dude... can't he leave us alone?" :-)

But you keep going buddy...


Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.

I'm not a lawyer to tell this in a perfectly framed sentence. Frame it yourself if you are so concerned.
Don't think about the content of this blog. Every byte is owned by its rightful owner.
Rest © 2006-2007 Karteek