Posted on: 2007-12-05 12:14:32
Many places are reporting the recent discovery that Passport Canada's online passport application system lets you see other people's applications by simply changing a value in your URL.
Since I already have a passport, I haven't looked at the actual site. However, I did see a bit of the news report where a small identifier in the URL was changed and produced a different passport application.
My guess is that they decided to write their own 'secure' session handling and they probably had weird policies in place that they couldn't keep cookies on the client browser or couldn't use certain frameworks or whatever. Unfortunately, instead of using a long semirandom identifier like almost every web framework out there, they used a small sequential identifier instead.
My other guess is that they put the identifying key of the particular application into the URL - which is something I've done occasionally as well (like in this blog!), except that step #2 in doing this is to add extra security to make sure people aren't just guessing numbers - and if you're working with sensitive data, use at least a basic two-way encryption process so that the keys can't be easily guessed by anyone.
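To make the two guesses above concrete, here is an added Ruby example (not code from the original post or from Passport Canada's system) showing the weak pattern beside the hardened one: a sequential record id looked up straight from the URL with no ownership check, versus a long CSPRNG session id, an opaque record reference produced by authenticated "two-way" encryption (AES-256-GCM) so that incrementing the number in the URL no longer yields a valid token, and a lookup that still checks the record belongs to the current user. The `APPLICATIONS` table, the user names and `SERVER_KEY` are constructed for the example.

```ruby
require 'securerandom'
require 'openssl'
require 'base64'

# Constructed in-memory "database" of passport applications, keyed by the
# small sequential primary key the post warns against exposing in a URL as-is.
APPLICATIONS = {
  1001 => { owner: 'alice', applicant: 'A. Example' },
  1002 => { owner: 'bob',   applicant: 'B. Example' }
}.freeze

# Weak pattern described in the post: the raw record id is the URL parameter
# and nothing checks that the requesting user owns the record, so changing
# the number changes whose application is shown.
def weak_lookup(id_param)
  APPLICATIONS[id_param.to_i]
end

# Server-side key for the "two-way encryption" the post recommends. Assumed:
# generated here for the example; a real application loads it from
# configuration, never from source.
SERVER_KEY = SecureRandom.random_bytes(32)

# Long semirandom session identifier, the way mainstream frameworks do it:
# 256 bits from a CSPRNG, URL-safe encoded. Infeasible to guess, unlike a
# sequential counter.
def new_session_id
  SecureRandom.urlsafe_base64(32)
end

AUTH_DATA = 'application-ref' # binds every token to this one purpose

# Turn a record id into an opaque URL token with AES-256-GCM. Authenticated
# encryption both hides the id and rejects any token the server did not mint,
# so a guessed or edited token fails instead of resolving to another record.
def encrypt_reference(id)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = SERVER_KEY
  iv = cipher.random_iv            # fresh 12-byte nonce for every token
  cipher.auth_data = AUTH_DATA
  ciphertext = cipher.update(id.to_s) + cipher.final
  Base64.urlsafe_encode64(iv + cipher.auth_tag + ciphertext)
end

# Reverse of encrypt_reference. Returns nil for any malformed, forged or
# tampered token instead of raising, so callers treat it like "not found".
def decrypt_reference(token)
  raw = Base64.urlsafe_decode64(token.to_s)
  return nil if raw.bytesize < 12 + 16 + 1   # iv + GCM tag + at least 1 byte
  iv, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = SERVER_KEY
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = AUTH_DATA
  (cipher.update(ciphertext) + cipher.final).to_i
rescue ArgumentError, OpenSSL::Cipher::CipherError
  nil
end

# Hardened lookup: decode the token, then still verify ownership. The
# authorization check is the real fix; the opaque token is defence in depth
# that also keeps the internal id out of the address bar.
def secure_lookup(token, current_user)
  id = decrypt_reference(token)
  return nil if id.nil?
  record = APPLICATIONS[id]
  return nil unless record && record[:owner] == current_user
  record
end

if __FILE__ == $PROGRAM_NAME
  token = encrypt_reference(1001)
  puts "session id:         #{new_session_id}"
  puts "alice's reference:  #{token}"
  puts "alice reads own:    #{secure_lookup(token, 'alice').inspect}"
  puts "bob reads alice's:  #{secure_lookup(token, 'bob').inspect}"
  puts "weak lookup of 1002: #{weak_lookup('1002').inspect}"
end
```

The ordering matters: even with unguessable references, `secure_lookup` compares `record[:owner]` against the logged-in user, because a token that leaks (a shared link, a proxy log) would otherwise be as good as the sequential number was. Tokens here are also bound to a purpose string via GCM's additional authenticated data, so a token minted for one kind of record cannot be replayed against another.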
Some large consulting firm probably got paid a lot of money to build this 'enterprise' system. I thought I'd see if it's mentioned anywhere, like how Accenture announced their award-winning software for the Ontario Government. Conveniently, Passport Canada has to report its contracts:
http://www.ppt.gc.ca/publications/contractsinfo.aspx?lang=e&yr=2006-2007-2.
There's no interface for changing the dates listed, but you can just change the values in the URL itself to get different reports. Put in the two-year span after 'yr' and the final part is I think the quarter for the report. I guess typing into URLs is their new interactivity standard!