If you are wondering about the answer to this question regarding Web Application Security, you must read the following article in the Register and then get some further gory details and examples from the Daily WTF. In this story, the personal details of Oklahoma crime offenders were made public for at least three years. And I mean all the personal details: names, addresses, dates of birth, social security numbers, even medical records - the full monty.
The Oklahoma Department of Corrections website was vulnerable to SQL injection not by mistake but by design. It exposed information not only about sex offenders (exposing the exposed) but about other offenders as well. And since the SQL injection vulnerability was reachable through the state's Sexual and Violent Offender Registry, it actually allowed anonymous web users to report a neighbor who moved the fence by 2 inches as a violent sex offender...
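To make the "by design" point concrete, here is an added example (not code from the Oklahoma site or from either article) of the two lookup patterns at stake: a registry search that glues the visitor's input into the SQL and returns every column, beside one that parameterises the input and returns only the columns a public page needs. The table, column names and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for a registry table; not real records.
SAMPLE_ROWS = [
    ("Alice Example", "1 Main St", "000-00-0001", "medical record A"),
    ("Bob Example", "2 Main St", "000-00-0002", "medical record B"),
]


def make_db():
    """Build an in-memory table with the sensitive columns the story mentions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE offenders (name TEXT, address TEXT, ssn TEXT, medical TEXT)"
    )
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # The weak pattern: the web tier trusts whatever the client sends, builds
    # the statement by concatenation, and the query can see every column.
    sql = "SELECT * FROM offenders WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    # The corrected pattern: the input is bound as a parameter, so it can only
    # ever be a value, and the query names just the columns the page displays.
    sql = "SELECT name, address FROM offenders WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# The textbook tautology; against the vulnerable lookup it matches every row.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD))  # every row, SSNs and medical data included
    print(lookup_hardened(db, PAYLOAD))    # [] : the payload is a name that matches nothing
```

The second defence matters on its own: even if parameterisation were missed somewhere, a query that never selects the SSN or medical columns cannot leak them.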