Security through obscurity is a well-known term in the computer industry, but what if the security is not even obscured? Security through obscurity implies that some efforts were made to hide something, anything. But this does not always seem to be the case – because if it were, the people responsible would not just be ignorant, but also stupid; hence the term “security through stupidity.”
Maybe I am being a bit harsh; but let us look at a few examples.
The information was there all along
In 2021, a journalist for St. Louis Post-Dispatch discovered teachers’ social security numbers on the state of Missouri’s website. The sensitive information was not directly visible on the webpage, but it was there if you right clicked and selected “view source” in your browser.
Allegedly, this journalist had “hacked” the website to gain access to this information. Let me repeat that: The state of Missouri leaked social security numbers on their website and threatened the person who found out and reported the vulnerability.
The stupidity here is not only the governments lack of security, but also how they chose to react.
Ask and you shall receive
Ever wondered what would happen if you replaced your user id in the address bar with someone else’s? Maybe you would find some personal information, or maybe you would find a lawsuit.
A Norwegian developer found himself in such a situation. He wanted to make a mobile app where you could find the owner of a vehicle using the license plate. This is not secret information by the way; you can get it by sending a text message to the Norwegian department of motor vehicles.
This developer wanted a more seamless interaction however, and he found a solution. When logged into the department of motor vehicles, he would see his own car details. No surprise there. However, by changing the address in the browser he could find the owner of other cars as well. He decided to use this to generate his own database of vehicle information. Scraping the information using publicly available APIs.
The department of motor vehicles were not amused when he told them he had found a solution to his problem, and they presented him with a lawsuit. Now the most astonishing part, from my point of view, is he lost the first trail, which tells you a lot about the legal system and its understanding of technology. Luckily, the verdict was later overturned and once again we are allowed to change the address bar in the browser.
This may be my favorite. Probably because I used it with immense success in the past. It is also a variant of the “ask and you shall receive” listed above. It boils down to a simple “let’s trust the user’s input.”
In my case, I discovered that I could get my hands on the license key to any combination of Volvo car and a DVD containing map updates for the satnav. The website handling license requests worked like this: You entered your cars VIN, vehicle identification number, and a list of previously bought maps for this vehicle would show up. Select one, enter your email address, and a license key would arrive in your inbox along with a “thank you, and have a nice day.”
Now, what do you think happened if you changed one of the available maps with a map you did not legally own? Bingo, you got mail: “Thank you, and have a nice day.” And just how do you change this you ask? Well, developer tool in Chrome, Edge or Firefox would do fine.
If you want to hide or protect information, at least give it some effort. More importantly, if you get a heads-up that you may be leaking secrets; thank them for sharing, fix it, and move on. Do not sue or threaten to sue them. And lastly, if you do not understand technology, do not pretend you know technology. It is that simple.