Tabor sent me a link to a blog entry illustrating quite a few very worrying SQL injection vulnerabilities in T-Mobile’s website and discussing the possibility that cracker Nicolas Jacobsen used a similar vulnerability to gain access to customer information.
There’s no excuse for failing to do input validation. I could understand if this were a bug, but it’s clear that whoever developed T-Mobile’s website didn’t pay nearly as much attention to input validation as they should have.
This is one of the reasons I spend so much of my free time writing my own blog engines, image galleries, log analyzers, and email clients even though there are plenty of freely available solutions I could just download and use. The more insecure code I see, the less I trust other people to write the software I use.
It’s absolutely mind-boggling how much software there is—especially open-source software, which is generally perceived to be more secure than closed-source software—written by people who pay no attention to even the most obvious potential security issues.