
Me no hungry

I don’t know how those of you who blog on a regular basis do it. Props to you for the constant effort and dedication, I just can’t keep up. Things are good with me, been busy with planned projects but even busier with unplanned projects that seem to have appeared from nowhere.

Here is a funny little story I thought I’d share with you. I am fortunate to work for a company that provides lunch for the employees every day. Yes, every day they have lunch brought into the office for us; it is an awesome benefit for sure. Recently they decided to change things up a bit and give us the option to order our own individual lunch. Great idea: if you are in the office you can log into a website where you are given a list of local restaurants, choose what you want from any restaurant, and it will be delivered with your name on it. You are allowed a certain dollar amount to spend, and if you go over that you pay the difference. Can’t beat that deal, right… or can you?

I decided to have some fun with the system, with permission of course. What types of things can I do to this system? Let the fun begin! I was thinking of all the different types of attacks that I could use to beat the system, each one becoming more complicated than the next. Then I sat back and thought for a minute… why overanalyze the situation? I decided that before digging in on a technical level, let’s just try some default passwords. BINGO!!!

Before you could say enchilada I was able to gain admin access, make myself an admin, give myself a $1000 daily food limit, create new employee accounts, etc. The next day I ordered food for a bunch of us on my account to see if it raised any red flags… it didn’t. Then I decided to order on behalf of an employee that doesn’t exist and see if that raised any red flags… it didn’t. I mean come on, an employee named “Fat Guy” ordering family size portions of cannoli and cheesecake should at least draw a little attention. The fun went on for a few days and needless to say we all ate pretty well that week. 😉

DO NOT USE DEFAULT PASSWORDS!
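Two defender-side checks that would have stopped or at least surfaced the story above, written as an added example (this is not code from the original post or from the lunch-ordering vendor). The first refuses to provision an account with a known vendor default and forces a password rotation on first login; the second audits a stored user table for accounts that still verify against a default, and audits the order log for names missing from the HR roster or totals over the per-person daily limit. The default-credential list, the roster, the limit and the order lines are all constructed for illustration.

```python
"""Added example: default-credential hygiene and order-log auditing.

Assumptions (not from the original post): the deployment knows which
default logins its vendor ships (KNOWN_DEFAULTS), HR can export a roster
of real employees, and the ordering system can export its order log.
"""
import hashlib
import hmac
import os

# Constructed list of (username, password) pairs the product is assumed to
# ship with. In a real deployment this comes from the vendor documentation.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "changeme"),
    ("administrator", ""),
}

PBKDF2_ROUNDS = 100_000  # kept modest so the example runs quickly


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def is_default_credential(username, password):
    return (username.lower(), password) in KNOWN_DEFAULTS


def provision_account(users, username, password, role="user"):
    """Refuse known defaults; every new account must rotate on first login."""
    if is_default_credential(username, password):
        raise ValueError("refusing to provision account with a known default password")
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "digest": digest, "must_change": True, "role": role}
    return users[username]


def accounts_on_default_passwords(users):
    """Audit: usernames whose stored hash still verifies against a vendor default."""
    hits = []
    for username, rec in users.items():
        for dflt_user, dflt_pw in KNOWN_DEFAULTS:
            if dflt_user == username.lower() and verify_password(dflt_pw, rec["salt"], rec["digest"]):
                hits.append(username)
                break
    return hits


def audit_orders(orders, roster, daily_limit):
    """Flag orders for unknown employees and per-person totals over the limit."""
    findings = []
    totals = {}
    for order in orders:
        name = order["employee"]
        if name not in roster:
            findings.append(("unknown_employee", name, order["item"]))
        totals[name] = totals.get(name, 0.0) + order["amount"]
    for name, total in totals.items():
        if total > daily_limit:
            findings.append(("over_limit", name, round(total, 2)))
    return findings


# Constructed sample data for the order audit.
ROSTER = {"Dan", "Alice", "Bob"}
DAILY_LIMIT = 15.00
ORDERS = [
    {"employee": "Dan", "item": "burrito", "amount": 9.50},
    {"employee": "Alice", "item": "salad", "amount": 11.00},
    {"employee": "Dan", "item": "cheesecake", "amount": 8.00},
    {"employee": "Fat Guy", "item": "family size cannoli", "amount": 42.00},
]


def run_demo():
    """Seed a vendor-style 'admin/admin' account, then run both audits."""
    users = {}
    salt, digest = hash_password("admin")  # simulates the account the product shipped with
    users["admin"] = {"salt": salt, "digest": digest, "must_change": False, "role": "admin"}
    provision_account(users, "dan", "correct horse battery staple")
    return {
        "default_accounts": accounts_on_default_passwords(users),
        "order_findings": audit_orders(ORDERS, ROSTER, DAILY_LIMIT),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run as a script it reports the seeded `admin` account as still on a default password and flags both the "Fat Guy" order (not on the roster) and the totals that exceed the daily limit. The roster check is the cheap part of the audit: an order for an employee HR has never heard of is a stronger signal than the dollar amount.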


–DanO

*** This is a Security Bloggers Network syndicated blog from Techdulla authored by Dan. Read the original post at: https://techdulla.wordpress.com/2009/12/01/me-no-hungry/
