
I promised a friend to have a look over his dad's website to add a small blog. No big deal, I've got it on my drive, I can reuse it, I just need to adapt it to the environment.

I take a look at what I'm working with and I see the most terrifying piece of "Please, take my data" code I could possibly imagine (and I've seen passwords in plain text in a script tag). I quote:

    function queryDB(mode, val) {
        var query = "";
        if (mode === "findProd")
            query = "Select * from Products where ProdNam=" + val;
        // ... (same shit for different cases)
        sendQuery(query);
    }

He literally built the query on the client side, sent it to a PHP script (without validation) and inserted it into the database.
You could literally call window.sendQuery with any SQL query and get the result printed to the console.
And unlike the plain text passwords guy, this wasn't some kid someone knew, this was a "Webdesign" agency.
Now I took the entire thing offline, called my friend's dad, explained it to him and am trying to sort this out. I would not charge a good friend's father, but that hack will get a quite hefty bill since my hourly rate just tripled.

And the worst thing: if I publicly name that asshole or warn the people in his portfolio I can, according to Google, be sued. (But, and I assume that's vague enough not to count as badmouthing, if any of you has a customer from Rheinland-Pfalz, Germany, with a pre-existing page, please have a look at the database interface.)
I will call that agency tomorrow, ask for a detailed explanation of why they apparently let trained monkeys write their code, and anonymously warn everyone in their portfolio about those flaws...

I don't know if I'm cursed or if there are just that many bad devs, but it seems that once a year I have to stumble over some "mistakes" that make me question my sanity.
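
The quoted builder, made runnable, beside a hardened design. This is an added example, not the agency's code and not part of the original post: the mode name "findProd", the Products table and the ProdNam column are taken from the quoted snippet; the server-side handler is modeled in JavaScript because the PHP script is not shown, and the JSON request shape, the 200-character value limit and the prepared-statement return shape are assumptions made for the example.

```javascript
// Added example, not the page's or the agency's code.
// Part 1 reproduces the pattern quoted in the rant; part 2 is a hardened
// design modeled in JavaScript (the real server is PHP, which is not shown).

// --- 1. The quoted pattern: SQL text is assembled in the browser -------------
// "val" is concatenated straight into the statement, so whoever calls this
// (or window.sendQuery directly) decides what the database executes.
function vulnerableQueryDB(mode, val) {
  var query = "";
  if (mode === "findProd") {
    query = "Select * from Products where ProdNam=" + val;
  }
  // ... (further modes omitted, same pattern)
  return query; // the original hands this string to sendQuery(query)
}

// Stand-in for a server that accepts the finished SQL string: there is nothing
// left to validate, whatever arrives is what gets run.
function vulnerableServer(body) {
  return { executed: body.query };
}

// --- 2. Hardened design: the client sends intent, the server owns the SQL ----
// Allowlist of supported operations. The SQL text is fixed here and never built
// from request data; the value travels separately and is bound as a parameter.
const ALLOWED_QUERIES = Object.freeze({
  findProd: { sql: "SELECT * FROM Products WHERE ProdNam = ?", bind: ["val"] },
  // every other mode the page needs is listed here explicitly
});

// Client side: send only the operation name and the raw value (assumed JSON shape).
function safeQueryDB(mode, val) {
  return JSON.stringify({ mode: mode, val: String(val) });
}

// Server side (modeled): reject unknown modes and odd values, never concatenate.
// Returns the statement and parameter list a prepared-statement API would receive
// (in PHP: PDO::prepare($sql) followed by execute($params)).
function safeServer(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    throw new Error("malformed request");
  }
  // hasOwnProperty guards against modes like "constructor" that resolve through
  // the object's prototype rather than the allowlist itself.
  if (typeof body.mode !== "string" ||
      !Object.prototype.hasOwnProperty.call(ALLOWED_QUERIES, body.mode)) {
    throw new Error("unknown mode: " + String(body.mode));
  }
  // Length cap is an assumed sanity limit, not a substitute for binding.
  if (typeof body.val !== "string" || body.val.length > 200) {
    throw new Error("invalid value");
  }
  const spec = ALLOWED_QUERIES[body.mode];
  return { sql: spec.sql, params: spec.bind.map(function (name) { return body[name]; }) };
}

// Constructed payload showing the difference between the two designs.
const PAYLOAD = "'x'; DROP TABLE Products; --";
console.log("vulnerable:", vulnerableQueryDB("findProd", PAYLOAD));
console.log("hardened:  ", JSON.stringify(safeServer(safeQueryDB("findProd", PAYLOAD))));
```

With the quoted builder the payload becomes part of the statement text; with the hardened handler the same payload is only ever a bound parameter, and a mode the server does not list is rejected before any SQL exists.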

Comments
  • 1
    Oh I would love to hear how that ends 📍
  • 0
    How could you be sued? Did you sign an NDA? So long as you are writing truthful statements that are documented with proof and you didn't sign an NDA, the only reason for a lawsuit (libel) would not hold up in court, because they would have to prove that what you're saying is definitively false. If I were you, I'd most certainly reach out to these clients with a security notice, because this is something that should be brought up to everyone involved immediately for their security. As long as you aren't bad mouthing this agency and just calmly and professionally laying out the facts, you would be legally in the clear.

    If however you are uncomfortable taking that risk, send out anonymous emails to these clients to raise awareness. They can't sue someone they can't find 😉
  • 3
    Update: Just called those guys. To be honest I didn't expect to get anyone on the line other than an intern scheduling appointments, but to my surprise I was promptly connected to a project manager who was on site. I explained the problem to him, expecting to enter a shouting match, but that guy was as horrified as I was last night. I put up the old version again, told him what to write into the console and he completely freaked out.
    He promised to get in contact with my friend's dad right away, that this would be fixed, that he couldn't explain how something like that happened, and that they would check all previous projects.

    After roughly half an hour my friend's dad called me and told me that they fully agreed to cover the cost of fixing the problem and so on.

    I really looked forward to letting out my aggressions and then those bastards must go and be decent people...