Before I start this post, I should clarify that I’m not a very technical person; I don’t know much about computers beyond basic functions such as web browsing and word processing. I have a vague idea that programmes are written in code, but beyond that I know no more. I know that you can look many things up on Google and that Wikipedia is a great resource.
Given this complete lack of IT knowledge, it’s a little concerning that I may have found another security flaw on Baby’s Days; to clarify, this flaw is on the Demo site and on current customers’ sites. You can see it for yourself; it’s not straightforward, but I’m happy to talk anyone through it if they would like to see it for themselves.
The flaw is an issue that most IT people would label, “unsecured data at rest”; this means that when the data has been sent to the server securely, it is then stored in an unsecure manner. The data in question is parent comments. The parent types the comment in on the photo (I’ve only tested this on diary photo comments), the comments are then sent to the server via encrypted transfer and then they are stored on the server logs in plain text – which sort of makes the encrypted transfer rather redundant in my opinion!
This means that anyone at the server end (i.e. Data Centre employees, third-party contractors and Baby’s Days employees) can read all the comments parents place on diary photographs. Without getting too complicated, the programme absolutely does not need to be written in this way and Baby’s Days could easily make the storage of parent comments more secure.
Here is a screen shot to give you an idea; the screen shot is from a demo, but this will also happen on your own system. As you can see, I have underlined the parents’ comments and you can see they are stored in the URL log, which is then sent and stored on the server.
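A log-review check for the problem described above, added here as an example and not part of the original post or of Baby’s Days’ code: it scans web server access log lines for free text carried in the URL and rewrites the line with that text redacted. The log lines are constructed samples, and the paths and parameter names (`comment`, `message`, `note`) are assumptions, since the post does not show what the site calls them.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names; the post does not name the real ones.
SENSITIVE_PARAMS = {"comment", "message", "note"}

# Request part of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (hypothetical paths, documentation IP range).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /diary/photo.php?id=42&comment=Lovely+photo+of+Sam+today HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /diary/photo.php?id=42 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] '
    '"POST /diary/comment.php HTTP/1.1" 200 64',
]

def looks_like_free_text(value):
    """Heuristic: a decoded value of three or more words was probably typed by a person."""
    return len(value.split()) >= 3

def audit_line(line):
    """Return (line with leaked values redacted, names of the leaking parameters)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    leaked, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS or looks_like_free_text(value):
            leaked.append(name)
            value = "[REDACTED]"
        cleaned.append((name, value))
    if not leaked:
        return line, []
    target = urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))
    return line[:m.start("target")] + target + line[m.end("target"):], leaked

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        redacted, leaked = audit_line(entry)
        print("LEAK " + ",".join(leaked) if leaked else "ok", "|", redacted)
```

The third sample line shows why sending the comment in a POST body avoids this: standard access log formats record the request line, not the body, so nothing typed by the parent appears in it.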
Given that Baby’s Days stated I was lying about the last security issue regarding photographs, then I expect this issue will also be swept under the carpet in the same way. Like the last issue, I emailed Baby’s Days to inform them of the flaw 48 hours before I published my blog.
Ok, so some of you reading this might be thinking, “so what, does it really matter that people can read my parents’ comments?”
The answer to this will vary from person to person and ultimately I’m only writing about this due to Baby’s Days’ 100% secure claims; this is another post that suggests it’s not 100% secure. The way this part of the system has been written appears at best bad practice and at worst unsafe. Is this the result of using possibly incompetent freelancers? I would have hoped that freelance developers would be competent at developing secure systems – or at least following some basic best practices, which doesn’t seem to be the case here at all.
But at any rate, in my opinion that’s not really the question you should be asking. I think the more important question here is: “If a childminder with no knowledge of computer programming can find 2 security issues with the system, how many could someone with more experience find?”