Accidentally Logging in as Admin
by Metalx1000
I work in a field that isn't really known for being tech savvy.
I spend much of my time at work helping people connect to the wireless network, which we've only had for a few years. Our computer systems run an outdated operating system and most of the work-related things we need to do - mostly filling out forms and ordering supplies - are done through a program called FileMaker. If you've ever had to use FileMaker, I'm sorry. I feel your pain.
Close to ten years ago, I had a Nokia N800.
It was a small tablet the size of a smartphone. This was months before the iPhone was released, but I knew that it was going to become more common for people to have these small, pocket-sized computers on them at all times. I wanted my department to be ready. I had been pushing for us to get away from FileMaker. I thought that the best route was to go with our own server with a web interface. Again, most of what we were doing was simple form submits anyway. Some basic HTML forms would be ideal, and with people starting to reach the point of having mobile devices, HTML forms meant that everyone would be able to access these forms from their own devices.
Months went by and I couldn't get the right people to see things my way. I left on vacation and came back a week or two later. Upon arrival, I was informed that we were going to be switching some of the software we were using. While I was gone, one of the higher-ups had gone to a conference where he met a man who talked him into signing us up for his web-based service. I came back to have people come up to me and ask, "Isn't that what you've been talking about?"
It indeed was along the lines of what I was suggesting. Sadly, it was poorly implemented. First, it was not under our control. We were using someone else's servers. I was also not thrilled with the layout, which seemed messy and definitely not designed for smaller screens such as those you find on smartphones. But, it was a step away from FileMaker and it couldn't be as bad as FileMaker, could it?
Well, the first time I went to login, I entered my username and password. I clicked the "login" button, and nothing happened. I refreshed the page and tried again. Nothing. No error, no hourglass, nothing.
At this time I had been using Linux for about a year, maybe two. I hadn't had much trouble with websites, but I thought that maybe the fact I was on Linux was causing the problem. I went to a Windows machine, opened up Firefox, and tried. Still nothing.
I decided to look at the source code of the page and quickly found that the page was running Visual Basic Script. I quickly realized that this website would only work correctly in Internet Explorer. No other browser would work. Being a Linux user, I had to find a way around this.
I'm pretty good with JavaScript these days, but back then I knew very little. But I did know enough to use Firebug, which was relatively new at the time, to troubleshoot websites. I picked apart the code of the page and mirrored the home page to my computer. I made the changes I needed to in order to login. I now had a local HTML file that submitted the form to the website and logged me in.
One of the things I did while rewriting this code from VBScript to JS was remove the excess I didn't think I needed to rewrite. I didn't need the form validation part of the code. I was the only one using it. Well, after a few days of using my little "hack," I went to log in and found that I was logged in as a different user than myself. The user I was logged in as was someone who didn't even work for us anymore.
What had happened? How did I login as this user? My username wasn't even close to his. What had happened was that I was in a hurry and hit Enter before I typed my username and password. Both fields were blank when I submitted the form. Turns out all the validation for the login was done on the client side, which was the part of the code I had left out when I rewrote it.
Since I hadn't filled in a username and password, it had logged me in as the first user in the system, which was not the user it was displaying. Although it displayed one person's name, I was really logged in as a non-existing user. A user that had administrative privileges. I could modify the home page of the site. I could add and delete users. I could see everyone's information. I had "Accidentally Logged in as Admin."
There were many, many other problems I found with that site - all things I found while trying to rewrite the scripts on the site. This is a lesson. It's something I've remembered over the years and have found to be true in many cases. It's easy to spot a poorly written website. People will notice if it's written poorly: It your site can't perform simple tasks properly in all major browsers; If it's just touchy and quirky. People will see this and it's a sign that there are probably deeper problems. Not only are there probably security issues with your site, but you are making yourself a target.
Everyone has to start somewhere. You will make mistakes as you learn. But, if you are paying; someone to perform a service and they are in the business of writing software for you, when things don't work right you need to realize that it might be more than just functionality that is the problem. It very well could be a security problem.
Ten years later and we are still using FileMaker after things didn't pan out with the web service. We have another company that we are trying things out with now. They are 100 times better than the last company, but I've still found some security issues with the site (users can inject JavaScript into forms).
I've sent emails to my superiors at work and haven't heard anything back.
Some things never change.