Standard Mischief

“click-wrap” circumvention

At work, I double-checked that the special magic bit in the MySQL database is set at “0” before shipping some prototypes of our embedded Linux thingy out the door. It’s the bit that tells us whether or not the customer agreed to our “click-wrap”. That’s the legal agreement that covers our ass. I follow instructions and then let ’em go out the door.

Not good enough. The next day while the devices are in transit, the boss wants the triple-damn-dog check. Since it’s a single digit’s worth of prototypes, I go ahead. I log into the first future customer’s web GUI thingy with a username and password and get the legal notice. Everything’s fine. I get ready to go on to the next one. Instead of declining the click-wrap, I take what I think should be a shortcut, and just hit Shift-<reload> to reload the URL in Firefox. Bam! I’m in. Whoops, that’s not supposed to happen!

Closer examination exposes some very lazy programming. Someone’s going to be busy fixing this just before the long weekend. There are also some related browser cookie problems that could be exploited with just the standard mischief. Good thing they have me around to break everything.

On top of that, I’m now getting paid to brush up on MySQL injection attacks.

2009-05-22 07:30 by Standard Mischief, Filed under: deranged rants
