Don’t Worry, Though; This Only Happens When QA Does It

Altering the URL in the wild? Never happens, the developers and project managers will tell you while subtly waving their hands and hoping you’re as weak-minded as they think.  Ignore QA’s shrieking that the application is behaving inappropriately. Here’s the never happening in a big way:

A security flaw in Passport Canada’s website has allowed easy access to the personal information – including social insurance numbers, dates of birth and driver’s licence numbers – of people applying for new passports.

The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser.

“I was expecting the site to tell me that I couldn’t do that,” said Jamie Laning of Huntsville. “I’m just curious about these things so I tried it, and boom, there was somebody else’s name and somebody else’s data.”

The site should have told him he couldn’t do that. However, since no real user would do this, the developers of the application didn’t see fit to account for it.
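An added example, not code from the Passport Canada site or the quoted article: a handler that trusts the id in the URL beside one that checks ownership, plus the URL-altering check QA would run against both. All names and records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str            # account that created the application
    applicant_name: str

# Constructed sample records standing in for the application's datastore.
APPLICATIONS = {
    1041: Application(1041, "alice", "Alice Example"),
    1042: Application(1042, "bob", "Bob Example"),
}

def view_unchecked(session_user, app_id):
    """The behaviour described above: whatever id is in the URL is served."""
    app = APPLICATIONS.get(app_id)
    if app is None:
        return 404, None
    return 200, app.applicant_name

def view_checked(session_user, app_id):
    """Same lookup, but the record must belong to the logged-in user."""
    app = APPLICATIONS.get(app_id)
    if app is None:
        return 404, None
    if app.owner != session_user:
        return 403, None  # the site telling the user "you can't do that"
    return 200, app.applicant_name

def qa_url_tampering_check(handler, users):
    """Request every id as every user; return (user, id) pairs that leaked."""
    leaks = []
    for user in users:
        for app_id, app in APPLICATIONS.items():
            status, _body = handler(user, app_id)
            if app.owner != user and status == 200:
                leaks.append((user, app_id))
    return leaks

if __name__ == "__main__":
    for handler in (view_unchecked, view_checked):
        leaks = qa_url_tampering_check(handler, ["alice", "bob"])
        print(handler.__name__, "leaks:", leaks)
```

Run as a regression test, the check fails the build whenever a handler returns another user's record, which is the case QA was shrieking about.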

(Link seen on Techdirt.)
