Boat biz breaches itself: Brittany Ferries 'fesses up to leaks caused by routine website update

It's never good when a boat operator talks of a breach, even if in this case it's a figurative one. Brittany Ferries has told some customers that an unforeseen technical glitch introduced after "routine" website maintenance had left their accounts wide open, potentially exposing very sensitive details to anyone who knew the …

  1. Mike 137 Silver badge

    Whose design failure?

    "technical glitch introduced after "routine" website maintenance had left their accounts wide open"

    Failure to segregate the presentation layer from the back end yet again. This is so basic! and yet it still happens. It seems as if web devs look on the task now as just delivering and running untrusted programmes in strangers' browsers. When I taught web development (admittedly a couple of decades back) we always did sensitive stuff server side with a solid protection layer between presentation and processing.

    1. Anonymous Coward Silver badge

      Re: Whose design failure?

      What makes you think that it was a presentation layer update?

      It strikes me that the authentication SQL was updated from "where username = ? and password = ?" to "where username = ? and password = ? or 1=1" (which is unfortunately done surprisingly often for testing)

      Presentation layer was just presenting what it was given. If they have any way to access those accounts not through a web browser, that would have the same issue.

      1. yetanotheraoc Silver badge

        Re: Whose design failure?

        If I as a dev have the ability to leave "or 1=1" in the code, *and* can see that password testing was skipped over (what a coincidence!), let's hope I'm not smart enough to tip off my buddies down at the pub.
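The `or 1=1` query from the reply above, as an added example that is not part of the thread or the company's code: it puts the two query variants side by side and runs the kind of harness test a release gate should run against the login path, which would flag the broken variant before it reached the live site. Assumed: a SQLite users table, two sample accounts and salted PBKDF2 hashes, all constructed here.

```python
import hashlib
import os
import sqlite3

# SQL precedence parses the "left in for testing" form as
# (username = ? AND password_hash = ?) OR 1=1, which matches every row.
LOGIN_SQL_OK = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
LOGIN_SQL_BROKEN = "SELECT id FROM users WHERE username = ? AND password_hash = ? OR 1=1"


def derive(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256, hex encoded, for storage and comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts keyed by email address."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
               " salt BLOB, password_hash TEXT)")
    for name, pw in (("alice@example.com", "correct horse"),
                     ("bob@example.com", "battery staple")):
        salt = os.urandom(16)
        db.execute("INSERT INTO users (username, salt, password_hash) VALUES (?, ?, ?)",
                   (name, salt, derive(pw, salt)))
    return db


def login(db: sqlite3.Connection, sql: str, username: str, password: str):
    """Return the matched user id, or None. `sql` selects which query variant runs."""
    row = db.execute("SELECT salt FROM users WHERE username = ?", (username,)).fetchone()
    salt = row[0] if row else b"\x00" * 16  # unknown user: still derive, no early return
    match = db.execute(sql, (username, derive(password, salt))).fetchone()
    return match[0] if match else None


def auth_regression_suite(sql: str) -> dict:
    """Three checks any login change must pass; the broken query fails two of them."""
    db = make_db()
    return {
        "good_password_accepted": login(db, sql, "alice@example.com", "correct horse") == 1,
        "bad_password_rejected": login(db, sql, "alice@example.com", "wrong") is None,
        "unknown_user_rejected": login(db, sql, "mallory@example.com", "anything") is None,
    }
```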

  2. YTC#1

    As someone whose passport has been scanned and copied at many borders and hotel check ins around the world, passport details are not one of my major concerns.

  3. Anonymous Coward Silver badge

    Logging

    > "Whatever happened to logging requests?"

    Managers got hoodwinked into believing that google analytics was a better way of looking at traffic than using server logs.

  4. Wally Dug

    Oops!... I Did It Again

    Sorry, wrong Britney.

  5. Doctor Syntax Silver badge

    Email address as userID again. It's probably not a matter of knowing the email address for a particular account, more trawling all the email addresses harvested from previous breaches.

    1. Korev Silver badge

      One of the reasons I use my own domain for email...

  6. Anonymous Coward

    ICO ?

    Surely more interesting to hear what CNIL says? ( At least they will take action.)

    1. heyrick Silver badge

      Re: ICO ?

      Yeah, I just came to say that being a French company they probably reported it to CNIL and not the ICO.

  7. steamnut

    Really?

    The Company's statement that the "account's protection settings were unintentionally changed" doesn't inspire confidence at all. What happened to harness testing? Nothing should happen "unintentionally" on customer facing websites.

    1. heyrick Silver badge

      Re: Really?

      Next week on "Who, Me?"...

  8. ecofeco Silver badge

    Is it just me?

    ...or does it seem as if the most incompetent people that can be found are running websites these days?

    Rhetorical question of course.

  9. X5-332960073452

    Refreshing Honesty

    None of the usual, we take security seriously, etc.
