Monday, 31 December 2012

EE-K! DM’ing your password is NEVER a good idea

It happened again – someone tweeted me about a negative security experience and I just had to take a look:

“@EE: @elliotyork Please follow us & DM your mobile number, postcode & password. Thanks” wow get @troyhunt on the case this is crazy

C’mon, really? This can’t be for real. But a little more investigating and here we are:

@elliotyork Please follow us & DM your mobile number, postcode & password. Thanks

This is bad (for reasons I’ll discuss shortly), but it’s far from isolated:

@_JaySheppard Hi Can I help? If so please Dm your number, postcode, date of birth and password and we will check your bill. Thanks

EE is over in the UK and they’re “the new network for your digital life” that brings you “4G and Fibre Broadband”. A quick look at All My Tweets and it seems that requesting passwords through Twitter is standard operating procedure for them. So what’s wrong with all this? Let’s count the ways.

Monday, 17 December 2012

Stored procedures and ORMs won’t save you from SQL injection

Everybody knows the easiest way to save yourself from SQL injection is to use object relational mappers (ORMs such as Entity Framework) or stored procedures, right? Often I see this becoming a mantra: “You don’t need to worry about SQLi if you’re using [Entity Framework | stored procedures]”. I also see the mantra blindly repeated and it’s wrong, very wrong.

Of course this isn’t new to many people, but it’s worth a recap of just how easy SQLi is in poorly implemented code that uses ORMs or stored procedures. So let’s exercise some SQLi on an app that uses not one, but both of these!

Tuesday, 11 December 2012

Responsiveness, China and the “m” word: new blog meta post

Three and a bit years on and it’s time for a change. Blogging has been good to me – very good – but I was starting to feel a bit like the plumber whose own house was full of leaky pipes.

Heavy markup burdened by Blogger’s propensity for in-page CSS, completely mobile-unaware and, as I’ve written before, not really friendly for those half a billion Chinese internet users. Plus of course, several years of design weariness, which eventually leaves you feeling like you’re getting around in clothes from the 80s.

There are a whole bunch of things that change in the seemingly short timeframe that is three years, things worth sharing. So here it is – the meta post – the blog about the blog but far from being self-indulgent, I think there’s actually some useful stuff in here.
