nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Application Hacking - Stupid Developers

RobertKaucher

So a buddy has a new software package that he has to get up and running for a client. It was totally over-priced for the job it does and you have to call there support line in order to activate it. So obviously activation is done via a network connection.

When he called to activate it today he received notice that their office will be closed this week due to vacation... WTF?!?!?

Of course the client needs this thing to be running now. So we decided to start looking at the network traffic with WireShark. We could see that the app was trying to connect to a hosted MySQL DB on the Internet. With some simple investigation he discovered the username and password it was using. Guess what? Hard-coded credentials that have sysadmin access on the db. Apparently the same DB contains all of their customer database with unhashed passwords and details about their clients.

Can you believe this crap?

Apparently the app just requires a bit field in a table to be set to true and it runs.

Interestingly enough it reports the client's IP address by using What's My IP as there is a text based field called IP address that contains data like "Please do not use what's my IP for comercial use."

And this is the company's flag ship product... Could you imagine this?!?!? So thanks to a locally hosted MySQL DB and an entry in the PC's hosts file the app is running until these people get back to work and can activate the application.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

Everyone

After finding all that out, they still want to run the app?! That is insane!

Asif Dasl

Sounds like a one man band operation! No one is in the office, were ALL on vacation!

undomiel

That tale certainly made my day! It's always amusing to find out what corners have been cut.

RobertKaucher

Asif Dasl wrote: »

Sounds like a one man band operation! No one is in the office, were ALL on vacation!

I don't really know too much about it but I was given the impression that is not the case... Although my friend did mention that this is built on 99% Open Source and is probably totally out of license compliance.

TheShadow

Asif Dasl wrote: »

Sounds like a one man band operation! No one is in the office, were ALL on vacation!

Not always, it depends on the culture of the company. Most of the entire country of Taiwan closes up for two weeks evey year. Ford motors used to close their American plants for a week every year. I believe France has group holidays. Not all the world are workaholics with the U.S. and Japan being the worst offenders.

If you do not have terms of service with a specific expectation then you are always a subject for toast. On the other hand the security of their product does raise my eyebrows quite a bit. A real one man band probably has a smart phone, answering service etc. to try to look bigger and answers even on the beach. It is the life of lawyers, doctors, accountants, market trolls (brokers) and many others.