Slashdot Mirror


Oklahoma Leaks 10,000 Social Security Numbers

DrJokepu writes "Apparently the folks at the Department of Corrections of Oklahoma just forgot to use common sense when they created the state's Sexual and Violent Offender Registry. By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Fortunately, after the author of the blog The Daily WTF notified the department about the issue, the site went down for 'routine maintenance' on April 13 2008."

5 of 245 comments

  1. Oblig. by Ethanol-fueled · · Score: 5, Funny

    (1) Hack the registry

    (2) Put your own name in the registry

    (3) Sue the state

    (4) Profit!!!

    (5) (remember to have your name removed from the registry!)

    1. Re:Oblig. by cptgrudge · · Score: 5, Funny

      (5) (remember to have your name removed from the registry!)

      This is government you're dealing with. It will never happen.

      "But, but, I sued the state and won! Look, here's my legal documents! I'm not a sexual predator, honest!"

      "Yeah, sure.. Time to organize the community to hassle you until you leave. Enjoy being a hermit you sick pervert."

      --
      Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
  2. Re:Get your lawyer ready.... by calebt3 · · Score: 4, Funny

    Get your lawyer ready. He was probably notified along with all the other offenders.
  3. Re:*facepalm* by samkass · · Score: 4, Funny

    ObXKCDComic

    It's scary how lazy some of the web developers are. For years Yahoo used a system where their login system had the URL to go to once login succeeded URL-encoded in the URL. It would have been exceedingly easy to duplicate the login page with a "Username/Password was typed incorrectly. Please try again." Then send people to the authentication page with your page as the follow-on one.

    URLs should only be able to contain sanitized field values to search on that the server composes into actual SQL, URLs, etc.

    --
    E pluribus unum
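The submission describes a site that carried the SQL statement itself in the URL, and samkass's comment above sketches the fix: the URL should carry only sanitized field values that the server composes into SQL. The following is an added example, not code from the original page or from the Oklahoma site, that puts both side by side over a constructed in-memory SQLite table. The hostname `registry.example`, the table layout and the sample rows are all assumptions; the `vulnerable_search` handler executes whatever arrives in the `q` parameter, while `hardened_search` accepts only a whitelisted column name plus a value bound as a query parameter.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample rows standing in for a registry table; not the real schema or data.
SAMPLE_ROWS = [
    ("Alice Example", "Tulsa"),
    ("Bob Example", "Norman"),
]

# Columns the public search form may filter on. A column name cannot be bound as a
# query parameter, so it must be checked against a server-side whitelist instead.
SEARCHABLE_COLUMNS = {"name", "city"}


def make_db():
    """Build an in-memory SQLite registry from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO offenders (name, city) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_url(**params):
    """Build a search URL for the hypothetical site (the hostname is assumed)."""
    return "http://registry.example/search?" + urlencode(params)


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM offenders").fetchone()[0]


def vulnerable_search(conn, url):
    """The pattern the story describes: the SQL statement itself travels in the URL.

    Whatever arrives in the 'q' parameter is executed verbatim, so a visitor is not
    limited to searching: an INSERT in the URL adds a name to the registry.
    """
    sql = parse_qs(urlsplit(url).query)["q"][0]
    cur = conn.execute(sql)  # no parsing, no whitelist: the visitor wrote the SQL
    conn.commit()
    return cur.fetchall()


def hardened_search(conn, url):
    """Only a field name and a search value come from the URL; the server writes the SQL.

    The field is checked against SEARCHABLE_COLUMNS, and the value is passed as a bound
    parameter, so quotes or keywords inside it are data, never SQL.
    """
    params = parse_qs(urlsplit(url).query)
    field = params.get("field", [""])[0]
    value = params.get("value", [""])[0]
    if field not in SEARCHABLE_COLUMNS:
        raise ValueError(f"unsupported search field: {field!r}")
    # Interpolating the column name is safe only because it was just whitelisted.
    cur = conn.execute(
        f"SELECT name, city FROM offenders WHERE {field} = ? ORDER BY id", (value,)
    )
    return cur.fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A legitimate search and an abusive one look the same to the vulnerable handler.
    print(vulnerable_search(conn, search_url(q="SELECT name FROM offenders WHERE city = 'Tulsa'")))
    vulnerable_search(conn, search_url(q="INSERT INTO offenders (name, city) VALUES ('Some Neighbor', 'Tulsa')"))
    print(count_rows(conn))  # the registry now lists the neighbor
    # The hardened handler treats the same kind of trick as a literal search value.
    print(hardened_search(conn, search_url(field="city", value="Tulsa' OR '1'='1")))
    print(hardened_search(conn, search_url(field="city", value="Tulsa")))
```

The whitelist on the column name matters as much as the bound parameter: placeholders only cover values, so any identifier that comes from the request has to be matched against a fixed set before it is spliced into the statement.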
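samkass's Yahoo anecdote above is the open-redirect problem: a login page that forwards to whatever URL it was handed can be pointed at a look-alike page. The check below is an added example, not Yahoo's code or anything from the original page; the hostname `login.example` and the parameter name `next` are assumptions. It accepts only a site-relative path or an absolute URL whose host is exactly the site's own, and falls back to a default landing page for everything else, including the scheme-relative `//host` form, the backslash variant that browsers treat like a slash, and a `user@host` prefix meant to make a foreign host look local.

```python
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "login.example"  # assumed hostname of the site performing the redirect


def safe_redirect_target(next_param, default="/"):
    """Return a post-login redirect target that stays on SITE_HOST, else `default`.

    Accepted: a path beginning with a single '/', or an http(s) URL whose hostname
    is exactly SITE_HOST. Everything else (other hosts, '//host' scheme-relative URLs,
    'javascript:' URLs, backslashes, 'user@host' tricks) falls back to the default.
    """
    if not next_param:
        return default
    target = next_param.strip()  # browsers ignore leading/trailing whitespace
    if "\\" in target:
        return default  # browsers treat '/\\host' like '//host'
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        if parts.scheme in ("http", "https") and parts.hostname == SITE_HOST:
            return target
        return default
    if target.startswith("/") and not target.startswith("//"):
        return target
    return default


def redirect_after_login(login_url, default="/"):
    """Extract the 'next' parameter (assumed name) from a login URL and validate it."""
    params = parse_qs(urlsplit(login_url).query)
    return safe_redirect_target(params.get("next", [""])[0], default)


if __name__ == "__main__":
    for candidate in [
        "/mail/inbox",
        "https://login.example/mail",
        "http://phish.example/login",
        "//phish.example/login",
        "/\\phish.example",
        "http://login.example@phish.example/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Comparing `parts.hostname` for exact equality, rather than a prefix or substring match, is what rejects `login.example.phish.example` and the `login.example@phish.example` form; a substring check would pass both.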
  4. Re:Added to list by Anonymous Coward · · Score: 4, Funny

    So I said to my girlfriend, "I am not a pedophile! But that is a pretty big word for a 10 year old."