Is it hard to hack a webshop and retrieve personal data? All you need is a URL that reveals how the underlying database is structured, and you could find a lot of personal data on that server and do it harm. Change a few numbers in the URL or add a semicolon and watch the database crash. That is the first step of ‘hacking’. And it is also the first step programmers should protect against!
Yet again there were media reports of someone who ‘stumbled’ upon a server holding personal data on over 300 million people, and the server didn’t even have password protection. This time it was in the US, and the server belonged to a company that analyses voter behaviour for the Republican Party. Luckily for the owner of the server, it was a journalist who found it and reported it immediately. All he did was play around with the URL to find the data. It really is that simple for most of the data leaks reported in the press in recent years.
It is not that hard to figure out how a database is structured. If you have ever bought something from a web shop, you may have noticed that the URL of your order page contains the order number of your purchase. If you change that order number, you may end up on the page of someone else’s order and see their personal data.
In the same way, you could do serious harm to a server. Database software relies on structured commands ending in a semicolon. If you change the URL by adding a semicolon followed by another command, for instance ‘drop database’, that may be exactly what happens when you hit ‘enter’.
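The two mistakes described above, an order lookup that pastes the URL value straight into the SQL text and never checks who owns the order, beside the corrected version, as an added example that is not code from the original post. The table, the two customers and the two orders are constructed sample data.

```python
import sqlite3

# Constructed sample data (not from the original post): two customers, two orders.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER, item TEXT);
        INSERT INTO orders VALUES (100, 1, 'book'), (101, 2, 'laptop');
    """)
    return db

def get_order_vulnerable(db, order_id_from_url):
    # Two mistakes: the URL value is pasted straight into the SQL text
    # (injection), and nobody checks that the order belongs to the caller (IDOR).
    sql = "SELECT id, customer_id, item FROM orders WHERE id = " + order_id_from_url
    return db.execute(sql).fetchall()

def get_order_safe(db, logged_in_customer_id, order_id_from_url):
    # 1. Validate the type before it reaches the database: an order id is an integer.
    try:
        order_id = int(order_id_from_url)
    except ValueError:
        return []
    # 2. Bind the value as a parameter; the driver never treats it as SQL text.
    # 3. Scope the query to the logged-in customer so a guessed id returns nothing.
    sql = "SELECT id, customer_id, item FROM orders WHERE id = ? AND customer_id = ?"
    return db.execute(sql, (order_id, logged_in_customer_id)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Customer 1 edits the order number in the URL to look at customer 2's order.
    print(get_order_vulnerable(db, "101"))          # leaks customer 2's order
    print(get_order_safe(db, 1, "101"))             # []
    # Customer 1 appends SQL to the URL value.
    print(get_order_vulnerable(db, "100 OR 1=1"))   # every order in the table
    print(get_order_safe(db, 1, "100 OR 1=1"))      # [] (rejected before the query)
    print(get_order_safe(db, 1, "100"))             # customer 1's own order
```

The ownership check is what stops the changed order number, and the bound parameter is what stops the appended SQL; either fix alone leaves the other hole open.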
Simple vulnerabilities like these make many web sites easy to ‘hack’. Some widely used software, such as WordPress, has been patched again and again over the years to prevent attacks like these. But it is a sign on the wall of how easy it is to get at files.
If you are able to do one of these things, then someone hasn’t been doing his job properly. And that someone is the programmer. All programmers should know the examples of hackers gaining access simply by changing a URL. They should know that they have to protect the server and the data on it against these vulnerabilities. It is their responsibility!
Protecting your database by writing your code properly may be more work in the short run, but we must demand this from programmers. It is not something you want to cut corners on. Not just because of the chance that someone will break in and do harm to you or your, but also because you will be held accountable for not protecting your data well enough.