Background
I've been contracted to help a company maintain their server. I work on some minor PHP projects but also look over performance issues and, recently, scan logs for hackers.
These guys have been running their server for some time and have what I would call a legacy application on its last legs. It uses magic quotes, global variables (which allows $id to be overwritten by $_GET['id']), uses .htaccess as their only security in some instances, you name it. A security and programming nightmare.
We have been hacked in the past, mostly with SQL injections, which would run SLEEP(99999999) commands and act as a DoS attack. Luckily they didn't run "little bobby tables" (XKCD: http://xkcd.com/327/).
So I re-wrote their vulnerable SQL statements from mysql_query() (not mysqli) to PDO transactions. I'm also analyzing the queries for SLEEP and UNION, which we don't use but the injections have. So far, so good.
Latest Issue
Recently we've been told records are changing in the DB for users, such as their e-mail addresses to ones presumably made by spammers.
I noticed their columns didn't have a last_modified column, so we weren't able to even know when they were being changed, let alone by who. I added that column, but that's barely a first step.
When I was looking in to this table, I noticed the passwords weren't salted nor even hashed, just saved as plaintext.
Client Communication
How can I approach them about the entire situation, as a contractor, without flailing my arms like a madman? Any advice? I was thinking a calm approach of,
ISSUE #1
Synopsis
Why this is an issue
What can happen if this is not fixed
Suggested fix

ISSUE #2
Synopsis
Why this is an issue
What can happen if this is not fixed
Suggested fix
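As an added example that is not part of the original post, this is the kind of "Suggested fix" snippet that could accompany the plaintext-password issue: a login check that accepts the legacy plaintext rows, upgrades each one to a password_hash() value on the user's next successful login, and uses PDO prepared statements throughout. It assumes a users table with id, email, password and last_modified columns (the column names are assumptions) and PHP 7 or later.

```php
<?php
// Added example, not the original application's code.
// Assumed schema: users(id, email, password, last_modified).
// Works for both legacy plaintext rows and already-hashed rows.

function verifyAndUpgradePassword(PDO $db, string $email, string $password): bool
{
    // The e-mail is bound as a parameter, never interpolated into the SQL string.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }

    $stored = $row['password'];
    $info = password_get_info($stored);
    // 'algo' is 0 (PHP < 7.4) or null (PHP >= 7.4) when the value is not a password_hash() string.
    $isLegacyPlaintext = ($info['algo'] === 0 || $info['algo'] === null);

    if ($isLegacyPlaintext) {
        // Legacy plaintext row: compare in constant time, then upgrade on success.
        if (!hash_equals($stored, $password)) {
            return false;
        }
        $needsRehash = true;
    } else {
        if (!password_verify($password, $stored)) {
            return false;
        }
        // Also re-hash if the default algorithm or cost has changed since the hash was made.
        $needsRehash = password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    if ($needsRehash) {
        $upd = $db->prepare(
            'UPDATE users SET password = :hash, last_modified = NOW() WHERE id = :id'
        );
        $upd->execute([
            ':hash' => password_hash($password, PASSWORD_DEFAULT),
            ':id'   => $row['id'],
        ]);
    }
    return true;
}
```

The password column must be wide enough for the hash before this runs (255 characters is the usual recommendation, since PASSWORD_DEFAULT output can grow in future PHP versions). Accounts that never log in again keep their plaintext value, so a forced reset for the remainder after a cut-off date is still needed.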
Best Answer
The calm approach that you suggest would be best. Point out that when this data gets exposed, most of your users will be vulnerable to identity theft due to password reuse. This would be a pretty good time to point out that this is the same issue that affected Target (assuming that the company isn't Target), and your manager should be pretty receptive to changing this.
In regard to legalities with the data, I don't believe that usernames/passwords are considered the same as CC data, personal information, etc., though it could depend upon whatever information you have for your users. I am not a lawyer; these aspects would be best brought up in your revelation and should be brought to your company's legal department to determine legalities.
https://en.wikipedia.org/wiki/Information_privacy_law
And you have this XKCD to help you out too: