Programming errors on a website that helps commuters carpool to work are exposing sensitive information of workers for hundreds of employers in Southern California, including at least one military installation. The bugs, discovered last month on RideMatch.info, allow hackers access to a variety of personal information, including …
And the score is ...
It's a draw - Homeland Security 1, SQL Injection 1
Where's Bobby'); drop tables when you need him?
Well done, Reg., on withholding the military institution's identity, but you mentioned the name of the site, so anyone who's interested can try their SQL injection skills before the developer gets round to fixing it.
Mine's the one with the collection of punctuation and a browser in the pocket...
Required by law?
Private companies are required by law to enter detailed employee information into some weirdo carpool system operated by a Quango??
The California Socialist Collective is at it again (in spite of being bankrupt).
All I know about SQL is what I've read on various websites (I'm not into databases) and all I know about designing websites is what I've managed to scrape together and bodge up by simply playing around (I can make you a home page with a few pictures).
But (FFS) even I know what the SQL injection vulnerability is, how it works and how to fix it (in principle). If a professional developer (gets paid to do that job) or a company produces a website that has this vulnerability then they are guilty of gross negligence and should have the arse sued off them and be liable for all resulting damages due to this weakness in their product.
There is no excuse for SQL injection bugs to still exist. Anyone who writes software with such a bug should have their rights revoked, starting with breathing...
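The two comments above say the fix for SQL injection is well known "in principle"; as an added illustration (not code from the article, the commenters, RideMatch.info or its vendor), here is the vulnerable pattern beside the parameterised fix in Python's standard sqlite3 module, run against a constructed in-memory table. The table layout, column names and sample rows are assumptions for the demo, not the real site's schema.

```python
import re
import sqlite3

# Constructed sample data standing in for a carpool-matching employee table
SAMPLE_ROWS = [
    ("alice", "Alice Example", "Acme Corp"),
    ("bob", "Bob Example", "Acme Corp"),
    ("carol", "Carol Example", "Widgets Inc"),
]


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE commuters (username TEXT, full_name TEXT, employer TEXT)")
    conn.executemany("INSERT INTO commuters VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the thread complains about: user input pasted into the SQL text.

    A quote character in `username` ends the string literal and the rest of the
    input is parsed as SQL, so the WHERE clause no longer means what the author meant.
    """
    sql = "SELECT full_name, employer FROM commuters WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the value is bound by the driver and never parsed as SQL."""
    sql = "SELECT full_name, employer FROM commuters WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Defence in depth: an allow-list check on the field's expected shape, applied
# before the query. Parameterisation is the real fix; this just rejects junk early.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    """Run the same two inputs through both lookups and return the row counts/rows."""
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # constructed input containing a quote character
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # returns every row
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),         # matches nothing
        "hostile_passes_validation": is_valid_username(hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The difference to look for is in the `hostile` case: the concatenated query returns the whole table, while the parameterised query looks for a user literally named `x' OR '1'='1` and finds nobody. Escaping by hand is not a substitute; bind the value and let the driver handle it.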
I've seen this time and time again in my day job, part of which is security signing off rubbish like this, and 9/10ths of the time you follow the trail back to who wrote it and it's some offshored programming team completely ignoring security design principles. They deliver exactly what their woolly, management-written contract dictates: a working GUI with no sanitisation of input or anything.
Cue Trapeze Group stating "we are not aware of any such problems in our software" in the PR statement. Of course they're not; they won't actually have had it tested and risked generating more non-chargeable cost for themselves, will they???
What's worrying is that people are being mandated to put their information into closed, bespoke-written systems like this, which have not been evaluated for fitness for purpose by people with a clue.
Thus exposing those of us who care about privacy, against our wishes, to risk caused by their crappy designs.
Allan George Dyer
Ye. If you want to break the law to find out that information. Ideot.
That's why I suggested that Bobby might want to join a carpool... there's no law against putting your legal name into that database, is there?
Anyway, as I was pointing out the futility of the Reg leaving out the military institution's name when it could be found from the flawed site, it is probably reasonable to assume that anyone wanting to use the information for nefarious purposes might be unconcerned about breaking the law.
What's an Ideot?