
I remember applying for a visa on a country's government website and their Javascript was broken. I "hacked" the HTML just to finish the application. I think it was a Firefox compatibility issue.


At one point, I was managing some servers for a project at a large company. There was an internal web app via which one could modify and change the update / patch schedule for servers.

Only it was behaving like I wasn't authorized to use it (despite being the registered owner of the servers), and I couldn't find any documentation on what groups it wanted me in.

Take a quick glance at the js, and it's doing AD lookups from my client, via an unofficial AD-REST endpoint everyone used, and then using the result.

So easy enough to just return what it's looking for and change my server's schedules as desired.

But hmm... I wonder if it works for the admin-looking group? Yup. Of course it does.

Ping it over to a friend who works in appsec, they poke it for a while, and figure out (a) with admin permissions this tool can change the patch schedule of everything (e.g. AD domain controllers) & (b) the same pattern of client-checks was used on a lot of other tools that team built.

So I threw some poor team's roadmap into disarray, but a little curiosity on my part helped improve our security posture.
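The pattern in the comment above, as an added illustration (this is not code from the thread or from the internal tool it describes): a patch-schedule app whose only authorization check is a group lookup done in the browser, the one-line override that defeats it, and the same endpoint rewritten so the server resolves identity from its own session and performs the group check itself. The directory contents, the group names (`ServerOwners`, `PatchAdmins`) and every function name are hypothetical stand-ins.

```javascript
// Added illustration of the client-side authorization anti-pattern; not code
// from the thread or the tool described there. Directory, groups and names
// are all hypothetical.

// Constructed sample directory: which AD groups each user belongs to.
const DIRECTORY = {
  alice: ["ServerOwners"],
  bob: ["ServerOwners", "PatchAdmins"],
};

// Stand-in for the "unofficial AD-REST endpoint": group lookup by user name.
function adRestLookup(user) {
  return { user, groups: DIRECTORY[user] || [] };
}

// ---------- Vulnerable design: the browser does the authorization check ----------

// Server side of the vulnerable tool: accepts any change because it assumes the
// page's JavaScript already verified group membership.
function makeTrustingServer() {
  const schedules = {};
  return {
    schedules,
    setSchedule(target, schedule) {
      schedules[target] = schedule; // no authorization here at all
      return { ok: true };
    },
  };
}

// Client side: look up the caller's groups, check in JS, then call the server.
// `lookup` is injectable so the override the commenter applied can be shown.
function clientSideChange(server, user, target, schedule, lookup = adRestLookup) {
  const { groups } = lookup(user);
  if (!groups.includes("PatchAdmins")) {
    return { ok: false, reason: "client-side check: not in PatchAdmins" };
  }
  return server.setSchedule(target, schedule);
}

// The bypass: make the lookup return whatever the page is looking for.
// Equivalent to patching the function or editing the response in devtools.
function forgedLookup(user) {
  return { user, groups: ["PatchAdmins"] };
}

// ---------- Hardened design: the server does the authorization check ----------

function makeHardenedServer() {
  const schedules = {};
  const sessions = new Map(); // opaque token -> authenticated user
  let counter = 0;
  return {
    schedules,
    // Authentication is established server side (in practice SSO/Kerberos or a
    // validated cookie); the client only ever holds an opaque token.
    login(user) {
      const token = `tok-${++counter}`;
      sessions.set(token, user);
      return token;
    },
    // Identity comes from the session and groups from a server-side lookup.
    // Anything the client claims about its own groups is ignored.
    setSchedule(token, target, schedule, _clientClaims = {}) {
      const user = sessions.get(token);
      if (!user) return { ok: false, reason: "not authenticated" };
      const { groups } = adRestLookup(user);
      if (!groups.includes("PatchAdmins")) {
        return { ok: false, reason: "server-side check: not in PatchAdmins" };
      }
      schedules[target] = schedule;
      return { ok: true };
    },
  };
}

// Walk through both designs with the constructed directory.
function demo() {
  const weak = makeTrustingServer();
  const honest = clientSideChange(weak, "alice", "dc01", "never");               // blocked only in the browser
  const forged = clientSideChange(weak, "alice", "dc01", "never", forgedLookup); // succeeds
  const direct = weak.setSchedule("dc02", "never");                              // skipping the JS entirely also succeeds

  const strong = makeHardenedServer();
  const aliceTok = strong.login("alice");
  const bobTok = strong.login("bob");
  const aliceTry = strong.setSchedule(aliceTok, "dc01", "never", { groups: ["PatchAdmins"] }); // claim ignored
  const bobTry = strong.setSchedule(bobTok, "dc01", "weekly");

  return { honest, forged, direct, aliceTry, bobTry,
           weakSchedules: weak.schedules, strongSchedules: strong.schedules };
}
```

The `direct` call is the point worth remembering: once the server trusts that the page checked, the attacker does not even need to tamper with the JavaScript, a plain request to the endpoint suffices. The fix is per endpoint, which is why finding the pattern in one tool meant every other tool built the same way needed the same change.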


Hopefully not to live in Missouri.


The problem isn’t the “hack”. They’re too dumb to notice. The problem is thinking they’re smart enough to be worth telling.


I think you were downvoted because somebody didn't catch your reference.


I think you're right. I got a good chuckle out of it :)



