If you discount all the usual SQL injections, the most blatant was not ours but a system one customer switched to after complaining over cost.

The new system was a bit more bare-bones feature-wise, but the real gem was the profile page for their customers.

The only security was an id param pointing to the user's primary key, which was an auto-incrementing integer :)

And not only could you access all customer data, but you could change it too.

But since the new system was built by their IT chief’s son, we realized there was not much we could do.

    Share the site with us. I promise not to see any data, just modify it.

    You'll get a better IT Chief.

    @sudo-compile sorry, it was about 16 years ago, and after a few years and a new IT boss they changed to another US-based service that did not have this vulnerability.
