In the past few days, a site selling Durex condoms have had a small ‘exposure’ problem. As reported, the site had been suffering (time length unknown) from several basic security exposures, including even allowing orders to be viewed online, without a login – simply by changing the order number!
I know that this is a ‘simple’ mistake, but come on folks.. This isn’t 1998 where you wrote apps in MS-access and wrapped a report around it! This is (was?) a fully fledged shopping system, with um…confidential information regarding previous orders (hmmm…..size…color…flavors???)
According to the lawsuit, the company took quick action to pinch off the problem, but who knows how long the problem was exposed? What is more interesting to me, is that this problem was found by an unsophisticated user. I mean, he wasn’t a cracker, malware engineer or depth-defying trojan writer. He was a customer that said, “Hmm… I wonder”…. Perhaps we can all take a lesson from this scenario and consider thinking not just outside of the box with security, but also using I suppose accidental techniques to test services and applications. I’m sure my tester friends have a technical term for this, but it just goes to show that sometimes ‘what if’ is a testing parameter.
Usually conversations in this context deal with adult-content oriented websites – those are usually the first and most often attacked. Considering this case, things are a little different but no less important – the last thing you want is your customer information all piled up in someone else’s control.