DEV Community

What Are Some of the Worst Security Practices You’ve Ever Seen in Software Development?

dev.to staff on April 29, 2023

Was it a cringe-worthy password on a post-it note, a poorly secured database, or a misconfigured server? 😢 What are some of the biggest security mi...
 
Brad

Direct usage of eval used on end user input to perform basic math, from within nodejs.

Not only did this mean allowing users to perform "remote code execution", but to even get eval required bypassing codebase checks.

The worst part was this was being performed by a "senior" developer and part of an app that would rely heavily on end user input. They got demoted from the project soon after and we removed the offending code.
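
As an added example (not code from the comment above or from the project it describes): the "basic math" use case can be served by a small parser that accepts only numbers and arithmetic operators, so user input is never executed as JavaScript. The name `safeCalc` and the two limits are assumptions made for illustration.

```javascript
// Added example: evaluate basic arithmetic without eval().
// Grammar: expr := term (+|- term)*, term := factor (*|/ factor)*,
//          factor := NUMBER | '(' expr ')' | (+|-) factor
const MAX_LEN = 200;  // assumed cap on input size
const MAX_DEPTH = 32; // assumed cap on nesting, bounds recursion

function safeCalc(input) {
  if (typeof input !== 'string' || input.length > MAX_LEN) {
    throw new Error('invalid input');
  }
  const src = input.trim();
  // Allow-list tokenizer: numbers, + - * / ( ) and whitespace, nothing else.
  const re = /\s*(\d+(?:\.\d+)?|[-+*\/()])/y;
  const tokens = [];
  while (re.lastIndex < src.length) {
    const m = re.exec(src);
    if (!m) throw new Error('illegal character in expression');
    tokens.push(m[1]);
  }
  let pos = 0;
  // One left-associative precedence level: operand (op operand)*
  function binary(depth, ops, operand) {
    let v = operand(depth);
    while (ops.includes(tokens[pos])) {
      const op = tokens[pos++], r = operand(depth);
      v = op === '+' ? v + r : op === '-' ? v - r : op === '*' ? v * r : v / r;
    }
    return v;
  }
  function factor(depth) {
    if (depth > MAX_DEPTH) throw new Error('expression nested too deeply');
    const t = tokens[pos++];
    if (t === '-') return -factor(depth + 1);
    if (t === '+') return factor(depth + 1);
    if (t === '(') {
      const v = expr(depth + 1);
      if (tokens[pos++] !== ')') throw new Error('missing )');
      return v;
    }
    if (t === undefined || !/^\d/.test(t)) throw new Error('unexpected token');
    return Number(t);
  }
  const term = (d) => binary(d, ['*', '/'], factor);
  const expr = (d) => binary(d, ['+', '-'], term);
  const result = expr(0);
  if (pos !== tokens.length) throw new Error('trailing input');
  if (!Number.isFinite(result)) throw new Error('result is not finite');
  return result;
}
```

Identifiers, property access, calls and string literals never make it past the tokenizer, so an input such as `process.exit()` is rejected before any evaluation happens.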

Kostas Kalafatis

A production, internet-facing database, with credentials "admin" 12345 🥲

Peter Franken

The very recent oopsie whoopsie by Google has got to be one of the very worst ever:

Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
[...]
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Source: twitter.com/mysk_co/status/1651021...

Google has since announced that they have plans to offer proper encryption "down the line" 🤠

Source: twitter.com/christiaanbrand/status...

Randall

Wow, welp, I was interested in using this feature but if it's not encrypted on-device with my own keys, then no thanks, I'll just continue keeping a pile of recovery codes in my safe deposit box.

Gary Lee • Edited

Once worked on a CMS project. Some content was sensitive, so there was a requirement to perform IP checking to make sure users could only access that sensitive content inside the office.
A senior guy implemented this requirement in this way: when the user's IP is not inside the office, add a display: none CSS style to the content.

Richard Holguín

This is scary and funny.

Aaron Reese

Order tracking website where the user account was a URL parameter with no password/token. You could see order details for any and all of their customers including delivery address and what was in the order.

Dhanush N
  • Making the security of the database accessible to all the services instead of only the services needing database access.
  • Making the website vulnerable to clickjacking, cross forgery attacks, etc.

And a lot more, if I have to say I can keep on saying as I have read and seen a lot

Jakub T. Jankiewicz

I once was fixing a PHP site where there was a login page but the other PHP pages did not check if the user was logged in, and the "hidden" pages were trivial to guess. The site was created by some high schooler, and other unrelated high schoolers (probably) were messing with the site without the admin password or a need to log in. The owner said that the images that he uploaded were disappearing; it was actually funny to see why by looking at the code.

cloutierjo • Edited

An SSO-protected web site where you could bypass the SSO by adding 'username=any user' in the URL

Nicholas Stimpson

Not actually software development, but back in the last millennium I was once inducted into a company IT team where the network administration password was a four letter dictionary word.

Aaron Reese

VBA code running a direct SQL query using the sa user account (and unencrypted password) for the connection.

Shahab Dogar

I've seen database credentials passed into clients as variables with the actual secret values in comments next to them.

YaakovN

Access control on client side, not server side, in in-house application. Could be bypassed by loading binary and calling client proxy functions directly.