Last time I wanted to log in to www.schulhomepage.de, something strange came to my mind. There had been serious security troubles with the login to a school's website for administering all pupils' marks and tests, and no one seemed to feel responsible for that – although we tried to persuade the webmaster to do something about this.
Trying something old with something new
I tested exactly the same issue with Schulhomepage's website. Although they are a portal for rating websites of schools, inform about creating a website and are built by a "professional" company, they made a critical mistake. I was able to log into people's accounts by guessing their passwords. It seemed to be very easy, because although everyone talks about the importance of an appropriate password, they seemed to be very unimaginative. I think I guessed 10 passwords just by thinking of school, pupils and computers.
As part of an unspoken convention, I immediately notified the owner of the site, who told me he will speak to his programmer – I hope so. Sometimes it could be so easy to avoid these big issues. But sometimes…
Last, but not least
I hope SQL injection will finally find its way out of the web – hopefully this will become true someday.