两个系统之间的“统一登录”——这暴露了密码为免费文本.........在url中!!

这是一个“离岸”的政府项目。幸运的是，它很早就被注意到了。可怕的是开发人员并没有看到这么多的问题-真的让你怀疑。

1-800 dominos will give unlisted address's related to any target phone number. When prompted if you are calling about the phone number you called from select no. The system will prompt you for a new phone number, the system will then read back to you the name and address that's associated to this phone number. Enter in your target's phone number and you now have their name and address. This is pretty common with automated ordering systems and if dominos has fixed this there are literally hundreds more.

测试一些银行柜员软件后，我打电话给技术部安排了一次拨号IP会话。“您想连接到哪个系统，生产系统还是测试系统?”

真实的故事。

我记得申请大学的通用应用程序网站有这个“安全”功能，它宣布将在一定时间后注销你。但是，他们使用了一个警告框，如果你没有真正回应，就会暂停倒计时，使你的会话无限期。

我曾经有幸尝试保护一个网站(ASP Classic)，该网站“需要”密码才能访问管理界面。当然，如果你只是去其中一个管理页面的地址，你可以做任何你想做的，登录与否。

他们想知道自己是怎么被黑的。

In the 1970's Stanford had IBM 2741 hardcopy terminals spread around campus networked to an IBM 360/67. Account passwords were three characters. During logon, the password prompt would overprint a three-position blob of about nine random uppercase characters, so the subsequently-typed password would supposedly be masked by the blob. However, everyone typed their passwords in lowercase, which were trivial to discern against the uppercase background blob. That meant you could usually walk up to any terminal, peruse the hardcopy typically left behind by the previous user, and easily logon with their account and password.