Deloitte's 'Test your Hacker IQ' site fails itself after exposing database user name, password in config file

A website created for global consultancy Deloitte to quiz people on knowledge of hacking tactics has proven itself vulnerable to hacking. The site, found at the insecure non-HTTPS URL, makes its YAML configuration file publicly accessible. And within the file, in cleartext, is the username and …

  1. Anonymous Coward

    Deloitte is awful, in my opinion.

    1. Anonymous Coward

      Re: Perfect

      But execs love them..

    2. Mage

      Re: Deloitte is awful

      but bigly good compared to Crapita.

      Actually many big-name auditors and accountants have been found to be less than brilliant. PWC? HP buy of something?

      1. SecOps

        Re: Deloitte is awful

        Truth is consulting firms are only as good as the staff assigned to your effort. Could be brilliant, could be piss poor. With the larger firms there are tons of bodies, and odds are few of the people involved in the proposal will do actual work.

        Dice roll.

        1. Anonymous Coward

          Re: Deloitte is awful

          I would add that where there are competent staff they quickly attract the incompetents from other projects eager to escape their failures.

          I have worked at places (Crapita, for example) where 3 competent were carrying 50+ deadweights who not only insisted upon adding their unnecessary costs to projects but also created at least 80% of the issues the 3 useful people had to deal with outside the projects.

        2. RM Myers

          "...odds are few of the people involved in the proposal will do actual work."

          Agreed, except I would replace "few" with "none", based on my experience. Obviously, YMMV.

    3. This post has been deleted by its author

      1. Doctor Syntax Silver badge

        Re: Perfect

        "Never understood their worth or attractiveness to corporate managers, other than they see them in their own image."

        That's all that's required.

  2. Blofeld's Cat

    Hmm ...

    I love the smell of hubris in the morning ...

  3. xyz

    I was going to post a comment but just don't have the words. I mean REALLY!

    1. Anonymous Coward

      Re: Ffs

      /hands over dictionary and thesaurus.

      What? No, on a USB stick, of course. Duh.
    2. DJV Silver badge

      Re: Ffs

      "I was going to post a comment but just don't have the words. I mean REALLY!"

      I'm glad you were totally able to restrain yourself from posting your comment.

  4. fajensen

    There is a good side to this: Now we know who will be given a contract for the customs IT-system needed for Brexit!

  5. trevorde Silver badge

    Insanely high IQ

    “Nobody gets hacked. To get hacked, you need somebody with 197 IQ and he needs about 15% of your password”

    1. MiguelC Silver badge

      Re: Insanely high IQ

      But do you know how high your IQ needs to be if they give you 100% of the password? About Baldrick high? And is that still above the developers' IQ?

    2. arachnoid2

      Re: Insanely high IQ

      How do we know if someone with a high IQ hasn't hacked the relevant site and inflated their IQ?

    3. fajensen

      Re: Insanely high IQ

      Given any population and crucially, no matter how one selects the population, it has been found that 20% of that population are morons!

      Thus, out of the "population of people with 197 IQ", *One in Five* will be a moron (corresponding well to my too long and rich experience working with "academia" and "management").

  6. chivo243 Silver badge

    Do as we say...

    yes, the age old saying - not as we do!

  7. You aint sin me, roit

    Tempting fate...

    1337 hax0rz won't waste their time answering multiple choice questions when they can hack the site... just for the lulz.

  8. Blackjack Silver badge

    insecure non-HTTPS URL

    Honestly, the guy who coded the site should get fired, just by the "insecure non-HTTPS URL" alone.

    Unless it was actually a hidden test and they are offering a job to the person who first figured it out.

    1. I am the liquor

      Re: insecure non-HTTPS URL

      That was my first thought - mistake, or actually part of the test? If you managed to download the config file, did you get a mysterious invitation to lunch in Cheltenham the next day?

      But on the other hand, Hanlon's razor.

  9. Pascal Monett Silver badge

    So, made in 2015, last changed in 2017

    Sounds like a management idea that management lost interest in but forgot to shutter the site.

    The irony is delicious.

  10. Anonymous Coward

    Everyone knows that book ciphers are crap....

    So deciphering this should be a piece of cake for ace Deloitte types:

    Hacking? Not a problem!

    1. arachnoid2

      Re: Everyone knows that book ciphers are crap....

      42,,,,,,seems logical

  11. Dante Alighieri

    It woz the uver bloke...

    A big boy dun' it an' ran awaaaayyy

    Its reaaaaaally old and not one of owazhs

  12. CPU

    And yet 'Management' will throw truck loads of money at these people rather than listen to the in-house advice. Show me a Consultancy that doesn't employ people with zero experience (but with a degree) and then trot along and tell you that they are worth £750 a day as "Junior Consultants", oh, and could you show them what to do as the Principal Consultant is busy on another job. There was a time when Consultants actually knew their stuff.

  13. Glen Turner 666

    Tweet removed

    Twitter removed the tweet from Tillie Kottmann which uncovered this issue. Presumably because the tweet breached Twitter's controversial "Distribution of hacked materials policy".

  14. ThinkingMonkey

    I worked at a company where, quite unexpectedly and completely unannounced, the owner decided to contract an "ergonomics" consultancy firm to observe, then provide advice, for improving our physical movements to conduct our jobs more efficiently. WTF? We couldn't have been more shocked if he had introduced a voodoo priestess.

    So these numb-skulls who had no clue whatsoever about WHAT our jobs were much less whether we were physically moving about in the most efficient manner, milled around aimlessly for about a week, baffled the owner with bullshit, and claimed what I confidently assume was a princely sum for their expertise.

    Whatever advice it was that they provided him with, it never made it back to us and everyone just proceeded as before. I have to admit it did make me wonder if I indeed was moving about as efficiently as possible though. At lunch, for example, I held my sandwich on both sides, with both hands IOW, while about to take a bite. Is that the most efficient use of handage? Or would one hand have sufficed? But note that I said "wondered", not "lost sleep over" :)

  15. mr-slappy

    I'm hugely disappointed that they didn't start their message with "the security of our clients is our top priority." Someone in Deloitte PR really took their eye off the ball there...