你见过的最糟糕的安全漏洞是什么?为了保护罪犯,限制细节可能是个好主意。

不管怎样,这里有一个关于如果你发现了安全漏洞该怎么办的问题,还有一个关于如果公司(似乎)没有回应该怎么办的问题。


当前回答

测试一些银行柜员软件后,我打电话给技术部安排了一次拨号IP会话。“您想连接到哪个系统,生产系统还是测试系统?”

真实的故事。

其他回答

In the 1970's Stanford had IBM 2741 hardcopy terminals spread around campus networked to an IBM 360/67. Account passwords were three characters. During logon, the password prompt would overprint a three-position blob of about nine random uppercase characters, so the subsequently-typed password would supposedly be masked by the blob. However, everyone typed their passwords in lowercase, which were trivial to discern against the uppercase background blob. That meant you could usually walk up to any terminal, peruse the hardcopy typically left behind by the previous user, and easily logon with their account and password.

我最后工作的公司的FTP用户名和密码与他们的域名相同。他们不太在意反复警告。

不用说,网站没过多久就倒闭了。没有在线备份,所以他们不得不重建整个系统。但这并没有结束。这次事件后的新安全密码是一样的…加上123。

Right at the start of the .com era, I was working for a large retailer overseas. We watched with great interest as our competitors launched an online store months before us. Of course, we went to try it out... and quickly realized that our shopping carts were getting mixed up. After playing with the query string a bit, we realized we could hijack each other's sessions. With good timing, you could change the delivery address but leave the payment method alone... all that after having filled the cart with your favorite items.

新闻标题是在这条线索的精神…在今天的头版/。 ISP将客户数据库电子邮件发送给数千人

我曾在一家销售点公司工作。他们的软件 很多披萨店都用过。

由客户决定是否更改默认密码。 默认信息在用户手册和手册中打印 这样的。:)

几个在披萨店工作的孩子 我猜他们没有更改根密码(Unix/Linux 基于系统)。然后他们去买他和他的 朋友免费送披萨到他家近一个月 在披萨店注意到之前一年。这让我发笑 每次我想到那份工作。:)