SECURITY
Using the admin password, you could be anyone and see anything
PWNED Welcome back to PWNED, the weekly column where we gather lessons from organizations that didn’t take security seriously enough. This week’s tale of woe comes from a company that left a door wide open for miscreants, but was lucky it didn't have to pay the price.
Have a story about someone leaving a gaping hole in their network? Share it with us at [email protected]. Anonymity is available upon request.
Our story comes courtesy of a reader we’ll Regomize as Manny. A few years ago, Manny got a job working at a law firm. The firm used him to replace an entire team, making him the de facto IT department all by himself.
He soon discovered that all of the company’s data and applications lived in one large web-based interface, which was divided up based on the type of client. So there were areas in the UI for personal injury cases and others for travel refunds, for example.
There was just one big, gaping security hole: a master password that allowed you to log in as any user in the system. If you had this password, which many people in the law firm did, you could grab detailed personal information about any client, even their health records.
“I immediately raised this as a huge security risk,” Manny told us. “But I was told, 'Oh that's the admin password, everyone uses it. Don't touch it.'”
As long as you had the person’s email address that you wanted to impersonate, this password would allow you to impersonate them. This applied to both staff and clients.
“Colleague is off sick? Sign in as them and reassign their work to someone else to complete. Client forgot to fill in a field? Log in as them and complete it for them,” Manny said.
The system itself was 15 years old, ancient in tech terms, and it desperately needed replacing. So Manny was asked to build a whole new system. Naturally, he refused to add a back door, even though that’s what the boss wanted.
“I point blank refused to add any back doors to it,” Manny recalled. “So they promoted every user to a system admin and carried on, business as usual.”
What we can take away from Manny’s experience is that sometimes even the best IT people who know security basics can still be hindered by clueless management. We also know that sometimes in order to pay the bills, IT people have to go along with security practices they strongly disagree with.
In the end, the boss will have the final word, even if that word is “ignorance.” ®

1 hour ago
8







English (US) ·