CodeSOD: Classic WTF: Top-grade, SHA1 Encryption
Is it that time of year already? Here in the US, we're prepping for the Thanksgiving holiday, so let's take a trip way back into the archives, and learn about the life of a moderately-paid-consultant. Original --Remy
Paul B always thought of himself as a moderately-paid consultant. With no real overhead, a policy against ties when meeting with prospective clients, and a general pickiness about the projects he'll take on, his rates tend to be pretty low. One company that looked right up his alley was a mid-sized manufacturing company that wanted a custom webshop. They went to the highly-paid consultants in town, but weren't too happy with the six-figure price tag. Paul's quote was in the five-figure range, which he felt was pretty moderate given that it was a several month project. Of course, the company wasn't too happy with his quote either, so they searched high and low for a three- or four-figure price. They eventually found one overseas.
Despite losing the bid, Paul never bothered unsubscribing from the company's mailing list - there was always something exciting about learning the latest in gimbal clamps and engine nozzle extensions. About a year and a half later, he received an exciting newsletter announcing that the webshop was finally live. Out of curiosity, he created an account to check things out. A few days later, he received an apology for lost orders - they didn't know who had ordered what, so they sent it to everyone who had signed up. And then came the "data breach" email - everyone's personal data (which, for Paul, was just his throw-away email) was now in the hands of some hackers. You get what you pay for never rang so true.
The day following the breach, the company contacted him to see if he was still available for consulting. Apparently, their overseas programmers couldn't figure out how anyone was getting in the system, since they had used "Top-grade, SHA1 Encryption." Curiosity won the day, so Paul asked for a copy of the source code. He couldn't find anything related to encryption, so he performed a search for "sha1". This was the only line that came up:
$result = mysql_query( "SELECT * FROM users " . " WHERE SHA1(username) = SHA1('" . $_REQUEST["username"] . "') " . " AND SHA1(password) = SHA1('" . $_REQUEST["password"] . "')");
Paul told the company he couldn't help them out, and suggested they go to the highly-paid consultants. A few days later, the company's newsletter reported that the webshop was closing down for some "upgrades" - a year later, it's still under construction.
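For readers who want to see why that single line is the whole breach, and what the fix looks like, here is an added example (not code from the article or from the company's webshop). It puts the article's query pattern beside a hardened version. The original's two defects are independent: request values are concatenated straight into the SQL string, so the query's structure is user-controlled; and wrapping both sides in SHA1() only works if the table holds plaintext passwords, so "SHA1 encryption" protected nothing at rest. The example uses PDO with an in-memory SQLite database and constructed sample data so it runs offline; the table name and columns are assumptions.

```php
<?php
// Added example, not from the original article. Uses PDO + in-memory SQLite
// (constructed sample data) so it runs offline; the article's code used the
// long-removed mysql_* extension.
declare(strict_types=1);

// --- The article's pattern, reproduced only to contrast with the fix ---
// Defect 1: $username / $password are concatenated into the SQL text.
// Defect 2: SHA1(password) is computed over the STORED column at query time,
//           which only matches if the column holds the plaintext password.
function buildVulnerableQuery(string $username, string $password): string
{
    return "SELECT * FROM users WHERE SHA1(username) = SHA1('" . $username
        . "') AND SHA1(password) = SHA1('" . $password . "')";
}

// --- Hardened form ---
// Store password_hash() output (salted bcrypt/argon2 chosen by PHP), look the
// user up with a prepared statement, and verify the password in PHP.
function createUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function authenticate(PDO $db, string $username, string $password): bool
{
    // A valid dummy hash so an unknown username costs about the same time
    // as a wrong password, which blunts username enumeration by timing.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);

    // The placeholder is bound as data; quotes in $username cannot alter
    // the statement, so no escaping code is needed or wanted here.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    // password_verify() is a constant-time comparison against the stored hash.
    return password_verify($password, $row['password_hash']);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
createUser($db, 'paul', 'correct horse battery staple');
createUser($db, "o'brien", 'another passphrase');

printf("paul, right password:      %s\n", var_export(authenticate($db, 'paul', 'correct horse battery staple'), true));
printf("paul, wrong password:      %s\n", var_export(authenticate($db, 'paul', 'not it'), true));
printf("o'brien (quote in name):   %s\n", var_export(authenticate($db, "o'brien", 'another passphrase'), true));
printf("unknown user:              %s\n", var_export(authenticate($db, 'nobody', 'anything'), true));

// What the article's code would have sent to the database for the same
// quote-bearing username: the quote lands inside the SQL text unescaped.
echo buildVulnerableQuery("o'brien", 'another passphrase'), "\n";
```

The last line prints the SQL the original pattern would have produced for a perfectly ordinary name containing an apostrophe; that is the detection signal to grep for in a legacy code base (request superglobals inside a query string), and the prepared statement is the fix. Note that hashing on the database side, as the original did, also means the plaintext password crosses the wire to the database and appears in the query log; password_hash() in the application keeps it out of both.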