Every year or so, Irreal publishes a list of the most popular passwords, compiled from the passwords exposed in breaches. It’s always exciting to see whether the perennial favorite, “password”, or the hometown favorite (and frequent winner), 123456, will take first place. Every time I see the list my first thought is of Aunt Millie. I’m sure it’s the same for most of you. No one, we think, but the most naive of lusers would use passwords like that.
Sadly, that’s not true. Imagine being a professional developer working for an established company with high profile clients and thinking that it would be a good idea to use 123456 as the default login ID and password for the administrator panel of an application used by most McDonald’s franchises to “interview” prospective employees. According to Bleepingcomputer, that’s exactly what happened. But wait. It gets better. The security researchers also discovered that the user IDs of prospective employees were simply a counter, incremented for each new interviewee, and that they could access other interviewees’ records by simply incrementing or decrementing the ID.
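As an added example (not from Irreal, Bleepingcomputer, or the vendor’s code), here is what the sequential-ID flaw looks like next to the ownership check that should have been there, plus a log check that spots a user walking neighbouring IDs; the record layout, log format, account names and `/applicant/<id>` path are assumptions:

```python
from collections import defaultdict
from typing import Optional, Tuple

# Constructed sample data: applicant records keyed by a sequential counter,
# as in the story. Value is (owner account, stored data).
RECORDS = {
    1001: ("alice", "personality test A"),
    1002: ("bob", "personality test B"),
    1003: ("carol", "personality test C"),
}

def lookup_unchecked(record_id: int) -> Optional[Tuple[str, str]]:
    """Vulnerable pattern: any logged-in user can read any ID they guess."""
    return RECORDS.get(record_id)

def lookup_owned(requester: str, record_id: int) -> Optional[Tuple[str, str]]:
    """Hardened pattern: the record must belong to the requester. Returning
    None for both 'missing' and 'not yours' avoids confirming that a
    neighbouring ID exists."""
    rec = RECORDS.get(record_id)
    if rec is None or rec[0] != requester:
        return None
    return rec

def sequential_enumeration(log_lines, threshold: int = 3) -> set:
    """Detection: flag users whose successive requests walk consecutive IDs
    (a run of at least `threshold`). Constructed log format:
    '<user> GET /applicant/<id>'."""
    ids_by_user = defaultdict(list)
    for line in log_lines:
        user, _, path = line.split()
        ids_by_user[user].append(int(path.rsplit("/", 1)[1]))
    flagged = set()
    for user, ids in ids_by_user.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if abs(cur - prev) == 1 else 1
            if run >= threshold:
                flagged.add(user)
                break
    return flagged

SAMPLE_LOG = [  # constructed: one account decrements the ID three times in a row
    "alice GET /applicant/1001",
    "mallory GET /applicant/1002",
    "mallory GET /applicant/1001",
    "mallory GET /applicant/1000",
    "bob GET /applicant/1002",
]
```

The ownership check, not an unguessable ID, is the real fix; the enumeration check is only a way to notice when the check is missing.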
The result of these two flaws is that the personal information—including, apparently, personality tests—of 64 million people was exposed. After the exploit was reported, McDonald’s and the vendor fixed things, but who knows how much damage was done.
It’s just inconceivable that a serious company could be making these n00b mistakes. Even “n00b mistake” isn’t quite right. Just about everyone with even the slightest security consciousness knows that those are two things you should never do.