Derik Whittaker

Thoughts on Software Development, .Net, OOP, Design Patterns and all things cool



Putting username/password info in the URL Querystring

Today a friend forwarded me a URL for a software tool that his department just purchased.  This URL contained the username/password needed to access the download site of the software company (no, I will not say which company).  When you click the URL you have COMPLETE access to the license keys for the products.

https://{RealCompanyAndDomainhere}/i.aspx?InvoiceID={RealInvoiceIDGoeshere}&Password={RealPasswordGoesHere}

What really surprised me is that a large software company (this one is pretty big) would allow their URLs to contain this information.  With this URL anyone would be allowed to download the software and have 'legal' keys.
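Credentials carried in a query string end up in browser history, in the Referer header sent to the next site, in proxy caches and in the web server's own access log, which is why a URL like the one above can be forwarded around by email without anyone noticing they are sharing a password. One defensive step is to find such requests in your own access logs and scrub the values before the logs are shared or archived. The script below is an added example, not code from the post or from the company in question; it assumes Combined Log Format lines (the sample lines are constructed) and a hand-picked list of parameter names that commonly carry credentials.

```python
import re
from typing import List
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that commonly carry credentials.  This is a constructed
# starting list; add your own application's parameter names to it.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token",
                    "apikey", "api_key", "access_token", "auth", "sessionid"}

REDACTED = "REDACTED"

# Matches the request line inside a Common/Combined Log Format entry,
# e.g. "GET /i.aspx?InvoiceID=1&Password=x HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sensitive_params(url: str) -> List[str]:
    """Return the names of query parameters in `url` that look like credentials.

    Works for full URLs and for bare request targets such as '/i.aspx?a=b'.
    """
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS]


def redact_url(url: str) -> str:
    """Replace the values of credential-bearing parameters, keeping the rest of the URL."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(n, REDACTED if n.lower() in SENSITIVE_PARAMS else v) for n, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_access_log(lines):
    """Return (line_number, request_target, parameter_names) for every log line
    whose request target carries a credential-looking query parameter."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        names = sensitive_params(m.group("target"))
        if names:
            hits.append((lineno, m.group("target"), names))
    return hits


def redact_access_log(lines):
    """Return a copy of the log lines with credential values replaced in place."""
    out = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and sensitive_params(m.group("target")):
            line = (line[:m.start("target")]
                    + redact_url(m.group("target"))
                    + line[m.end("target"):])
        out.append(line)
    return out


# Constructed sample log lines; the addresses, paths and values are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Mar/2008:12:55:01 -0500] "GET /i.aspx?InvoiceID=12345&Password=hunter2 HTTP/1.1" 200 4096 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [25/Mar/2008:12:56:13 -0500] "GET /downloads/list.aspx?page=2 HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [25/Mar/2008:12:57:44 -0500] "POST /login.aspx HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [25/Mar/2008:13:01:09 -0500] "GET /api/keys?user=alice&token=abc123 HTTP/1.1" 200 256 "-" "curl/7.18"',
]

if __name__ == "__main__":
    for lineno, target, names in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: credential parameter(s) {names} in {target}")
    print("--- redacted log ---")
    for line in redact_access_log(SAMPLE_LOG):
        print(line)
```

Run against the sample, the scanner flags lines 1 and 4 and the redaction leaves every other line byte-for-byte unchanged. Note that scrubbing the log is damage control only: the value has already travelled over the wire and through every intermediary, so the real fix is to stop accepting credentials in the query string at all (a POST body or an Authorization header, and a rotated password for anything that was ever in a URL).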

I guess company size/importance does not matter when it comes to security...:(

BTW, I emailed a contact I have at this company to give them the FYI.  Let's see what comes of this.

Till next time,


Published Mar 25 2008, 12:55 PM by Derik Whittaker

Comments

Rich said:

You should check out the Daily WTF (http://thedailywtf.com/).  If that site is any indication, this isn't that uncommon.

March 25, 2008 2:28 PM

Peter Ritchie said:

I bet there's a policy preventing use of POST for security reasons :-0

March 25, 2008 3:02 PM

Derik Whittaker said:

@Peter,

That would actually be funny if it were the case.

March 25, 2008 3:22 PM

About Derik Whittaker

Derik is a .Net Developer/Architect specializing in WinForms working out of the northern suburbs of Chicago. He is also a believer in and advocate for Agile development including SCRUM, TDD, CI, etc.

When Derik is not writing code he can be found spending time with his wife and young son, climbing on his bouldering wall, watching sports (mostly baseball), and generally vegging out. Check out Devlicio.us!
