Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL

thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."

Re:Wouldn't it have been easier

[schon]

Sorry, but the submitter got at wrong.

No, you did.

A secret URL is essentially a password

Wrong. There is no such thing as a 'secret' URL. This was an unpublished URL, which is not the same thing as a secret.

A secret is something that everybody involved knows not to divulge. A HTTP URL is transmitted in plaintext, URLs are stored in plaintext in your browser's history, they are sent as a referrer when you click on a link in a page or when you load an external element, they are stored in plaintext in your server's logs - they are the exact opposite of secret.