Have I found another flaw?

Before I start this post, I should clarify that I’m not a very technical person; I don’t know much about computers beyond basic functions such as web browsing and word processing. I have a vague idea that programmes are written in code, but beyond that I know no more. I know that you can look many things up on Google and that Wikipedia is a great resource.

Given this complete lack of IT knowledge, it’s a little concerning that I may have found another security flaw on Baby’s Days; to clarify, this flaw is on the Demo site and on current customers’ sites. You can see it for yourself; it’s not straightforward but I’m happy to talk anyone through it if they would like to see it for themselves.

The flaw is an issue that most IT people would label, “unsecured data at rest”; this means that when the data has been sent to the server securely, it is then stored in an unsecure manner.  The data in question is parent comments.  The parent types the comment in on the photo (I’ve only tested this on diary photo comments), the comments are then sent to the server via encrypted transfer and then they are stored on the server logs in plain text – which sort of makes the encrypted transfer rather redundant in my opinion!

This means that anyone at the server end (i.e. Data Centre employees, third party contractors and Baby’s Days employees) can read all the comments parents place on diary photographs. Without getting too complicated, the programme absolutely does not need to be written in this way and Baby’s Days could easily make the storage of parent comments more secure.

Here is a screen shot to give you an idea; the screen shot is from a demo, but this will also happen on your own system. As you can see, I have underlined the parents’ comments and you can see they are stored in the URL log, which is then sent and stored on the server. Click on the photo to make it bigger.

Given that Baby’s Days stated I was lying about the last security issue regarding photographs, then I expect this issue will also be swept under the carpet in the same way.  Like the last issue, I emailed Baby’s Days to inform them of the flaw 48 hours before I published my blog.

Ok, so some of you reading this might be thinking, “so what, does it really matter that people can read my parents’ comments?”

The answer to this will vary from person to person and ultimately I’m only writing about this due to Baby’s Days 100% secure claims; this is another post that suggests it’s not 100% secure. The way this part of the system has been written appears at best bad practice and at worst unsafe. Is this the result of using possibly incompetent freelancers? I would have hoped that freelance developers would be competent at developing secure systems – or at least following some basic best practices, which doesn’t seem to be the case here at all.

But at any rate, in my opinion that’s not really the question you should be asking. I think the more important question here is; “If a childminder with no knowledge of computer programming can find 2 security issues with the system, how many could someone with more experience find?”

 

14 thoughts on “Have I found another flaw?”

  1. Doesn’t seem like a professionally built web application!

    I’d suggest that this company offer Hayley a job… as she seems to have more clue about how web applications should be built than they do!
    Alternatively, I’d suggest some reading for the developers at the company – hmmm, what about this book

  2. Just playing devil’s advocate for a second, I find it hard to believe that they can ‘take control’ of your computer without some 3rd party software through which you grant them access. They might be able to access your BD’s system at the server end (which is bad enough seeing as they claim that they don’t have user names or passwords – so how can they just magically get in to it?) but until somebody says that they personally have experienced BD’s taking over their screen in front of their very eyes with no specific authorisation for access then I would be very wary of believing this. IP addresses are not difficult to get hold of; they record them so they can monitor for suspicious activity (unrecognised IPs attempting access for example). There is no software to download, it’s all done through the web browser, so if it was that easy to just take control of a personal computer then anyone could do it at any time, which they don’t. I’m not saying that BD’s haven’t done this, just that nobody who has commented so far has actually experienced this first hand, have they? I too would be interested to hear from anyone that has.

  3. What I don’t understand is why Baby’s Days would need remote access to your computer anyway? Their software is hosted on their servers so any problems with it would be fixed there. The only reason I can think of that would prevent you from being able to access Baby’s Days via your computer is if you block javascript or cookies in your browser.

  4. I have followed your blog with caution as I am a BD customer but the more I read the more worried I get. Do you think they could access our personal computers even once we have stopped using the system?
    I know nothing about I.T. but I know a few that do and I will be asking them to independently investigate for sure.

    1. Like I say not a sheep, I just don’t know because I don’t know much about IT sadly :( But maybe someone else can clarify? I might blog about this tonight and some readers might have answers?

  5. What on earth is going on. I have had some experience of remote fixing as my dad is a computer wiz and often helps me; it’s an excellent tool, but I had to download a specific program and have to give him permission every time we need to use it, and even then I watch everything he does and he’s my DAD. :-0 If what the last poster has said is true then they can access your WHOLE COMPUTER whenever they want and do whatever they want. If this is true they should be telling you of this fact when you download their software at the very least, and in my opinion it should be locked with an access password user end so that permission can be granted when help is needed. Seriously this is unbelievable, never mind what Hayley has just written about regarding parent posts, which should also be stored securely :-0 :-0 :-0 glad I never went there.

  6. OMG Anon too. This needs to be shouted from the roof tops :-(

    Does this mean they can access your PC even if you’re not on it, using it or browsing Babysdays?

    1. I don’t know sorry, I don’t use it, but I do have friends who have had their accounts remotely accessed and haven’t had to give any IP address or click on anything to allow them to remotely access it, they were ‘just there’ and took control.

  7. I don’t understand why they shout about being 100% secure, is any online database? Even the Pentagon got hacked lol. Yet another example of at best exaggerations, at worst lies to their customer base.

  8. Hi Hayley.

    Two commonly used methods for a request-response between a client and server are GET and POST. Query strings are sent via the URL in a GET request. If your photo comments are being sent via a GET request then: they can be cached, remain in the browser history, can be bookmarked. GET requests should never be used when dealing with sensitive data. They should only be used to retrieve data.

    Normally, form data is sent via a POST request. Query strings are sent in the HTTP message body of a POST request. Your photo comments should be submitted using a POST request then: they are never cached, do not remain in the browser history, cannot be bookmarked and unlike a GET request…have no restrictions on data length.

    I would be happy for you to talk me through what you have found in a little more detail…Anon.
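The difference between submitting a comment in the URL and in the request body, as it shows up in a server access log, can be checked with a short audit script. This is an added example, not part of the post or of any comment; the path `/diary/photo_comment`, the parameter names and the log lines are constructed assumptions, not taken from Baby's Days.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Hypothetical parameter names that would carry user-written text.
FREE_TEXT_PARAMS = {"comment", "message", "note", "text"}


def request_line(method, path, fields):
    """Return (request line, body) as the server receives a form submission."""
    encoded = urlencode(fields)
    if method == "GET":
        # GET: form fields travel in the URL, which access logs record.
        return f"GET {path}?{encoded} HTTP/1.1", ""
    # POST: form fields travel in the body, which access logs normally omit.
    return f"POST {path} HTTP/1.1", encoded


def audit(log_lines):
    """Return (line_no, method, path, param, value) for free text in logged URLs."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        method, target = m.group(3), m.group(4)
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in FREE_TEXT_PARAMS and value:
                findings.append((no, method, parts.path, name, value))
    return findings


# Constructed sample: the same comment submitted both ways, then logged.
FIELDS = {"photo_id": "42", "comment": "Lovely day at the park, thank you!"}
get_line, get_body = request_line("GET", "/diary/photo_comment", FIELDS)
post_line, post_body = request_line("POST", "/diary/photo_comment", FIELDS)
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "{get_line}" 200 512',
    f'203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "{post_line}" 200 512',
]

if __name__ == "__main__":
    for no, method, path, name, value in audit(SAMPLE_LOG):
        print(f"line {no}: {method} {path} logged {name}={value!r}")
```

Only the GET line is flagged, because only there does the comment text reach the log. A POST body stays out of the access log only as long as the server is not configured to log request bodies.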

  9. I would be very surprised if the actual database that stores the Baby’s Days information actually encrypts any of the data entered into it (except the passwords maybe).

    This being the case then everything entered (not just parent comments) would be potentially visible to anyone at the server end!!!

    I’m afraid this is the risk you take when you give someone else the responsibility of looking after your data.

    1. You seem to be technically minded Anon, if I told you my photo comments were sent with a GET request, what would you think about that?

    2. I have been told by users of the system that if they have encountered a problem, then BDs have remotely accessed their computer in an attempt to fix it; however, BDs have done this WITHOUT having to connect via IP acceptance, meaning that they already have your IP stored and can access your PC without you having to click on anything to permit them onto your private PC. Apparently once you sign up with BDs, handing over your IP address is part of the package. Maybe something else to have a think about before signing your soul away.
