interesting database problem

Posted on November 20, 2007
Filed Under Programming

I discovered an interesting and perhaps disturbing database problem today in a database owned by a large company with very sensitive information in its archives.  Apparently, there can be two identical usernames in this database, differentiated only by their separate passwords.  Only the username and password are needed to authenticate, and there is no apparent way to keep totally unrelated users from choosing the same username.  I currently have access to my own account, and another account that I should not be able to access (simply because I typed the wrong password… imagine that).  I plan to call the CTO. 

I guess it is unlikely to have a situation like this occur often, but my case proves it is possible.  Given this oversight, I wonder what else might happen… for example, if I changed my password to match the other password for the account with identical username?  Would it crash their web applications, or perhaps their database?  Or would it choose one of the two accounts at random each time I logged in?  Or, maybe it would notify me that "this username and password combination is already in use."  That would add its own little note of irony, wouldn't it.
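The situation above reduces to a schema that lacks a uniqueness constraint on the username plus a login query that matches on the (username, password) pair. The following is an added example, not code from the original post and not the company's system: a toy SQLite model of that flaw, with a second schema that rules it out by making the username unique (case-insensitively) and checking the password only after the single row has been found. Table and column names, the sample accounts "jsmith" and the hashing parameters are assumptions made for the example.

```python
# Added example, not code from the original post. A toy SQLite model of the
# flaw described above (username not unique; login matches the username and
# password pair), beside a schema that rules it out. Table and column names,
# the sample accounts and the hashing parameters are assumptions of this
# example, not details of the company's system.
import hashlib
import hmac
import os
import sqlite3


# ---- the flaw: nothing stops two people from registering the same name ----

def build_flawed():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users_flawed (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Constructed sample data: two unrelated people chose the same username.
    conn.executemany(
        "INSERT INTO users_flawed (username, password) VALUES (?, ?)",
        [("jsmith", "hunter2"), ("jsmith", "letmein")],
    )
    return conn


def flawed_login(conn, username, password):
    """Return the ids of every row matching the (username, password) pair.

    Because username is not unique, a mistyped password that happens to be
    the other account's password logs you into the other account, and if both
    rows end up with the same password the query matches more than one row.
    """
    rows = conn.execute(
        "SELECT id FROM users_flawed WHERE username = ? AND password = ? ORDER BY id",
        (username, password),
    ).fetchall()
    return [r[0] for r in rows]


def flawed_set_password(conn, user_id, new_password):
    conn.execute(
        "UPDATE users_flawed SET password = ? WHERE id = ?", (new_password, user_id)
    )


# ---- the fix: username is the identity, the password is checked afterwards ----

def build_fixed():
    conn = sqlite3.connect(":memory:")
    # UNIQUE makes a second "jsmith" an error at registration time; NOCASE
    # also rejects "JSmith", so case variants cannot be used to impersonate.
    conn.execute(
        """CREATE TABLE users (
               id       INTEGER PRIMARY KEY,
               username TEXT NOT NULL COLLATE NOCASE UNIQUE,
               salt     BLOB NOT NULL,
               pw_hash  BLOB NOT NULL
           )"""
    )
    return conn


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(conn, username, password):
    """Create an account; return True on success, False if the name is taken."""
    salt = os.urandom(16)
    try:
        conn.execute(
            "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
            (username, salt, _hash_password(password, salt)),
        )
    except sqlite3.IntegrityError:
        return False
    return True


def fixed_login(conn, username, password):
    """Look up exactly one row by username, then verify the password.

    Returns the account id on success, None otherwise. The password never
    participates in the row lookup, so it cannot select between accounts.
    """
    row = conn.execute(
        "SELECT id, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return user_id
    return None


if __name__ == "__main__":
    c = build_flawed()
    print("flawed, wrong password matches the other account:", flawed_login(c, "jsmith", "letmein"))
    flawed_set_password(c, 1, "letmein")
    print("flawed, both rows now match:", flawed_login(c, "jsmith", "letmein"))
    f = build_fixed()
    print("fixed, register jsmith:", register(f, "jsmith", "hunter2"))
    print("fixed, register JSmith:", register(f, "JSmith", "letmein"))
    print("fixed, login with wrong password:", fixed_login(f, "jsmith", "letmein"))
```

In the flawed model, the first account's owner typing the second account's password is simply logged into the second account, and once both rows carry the same password the lookup returns two ids, leaving the application to pick one or fail. The fix is the constraint, not the login code: with `UNIQUE` on the username the duplicate can never be created, and the login query then has at most one candidate row to verify.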
