Secure?





  • That's a good one all right!

    They could improve their security quite a bit by putting the password on the login page, not the front page.



  • No.

    I particularly like how, if you've got JavaScript disabled or are using software that doesn't support it (like, say, most software coded to spider the web for e-mail addresses at a guess) you can view the page without even having to enter the password.



  • You can press cancel on the javascript and it shows you the webpage. 
    Plus the password dialog tells you the password.

    And if you really look at the javascript, there two other passwords that can be used - if you can guess the values of the uninitialized variables pass2 and pass3.



  • It's even worse than that - you can enter no password, or an incorrect password, and still get in.  And a quick look at the password-checking code tells us why:

    var password;

    var pass1="rncca";

    password=prompt('Please enter the password rncca below!',' ');

    if (password==pass1 || password==pass2 || password==pass3)
      alert('Password Correct! Click OK to enter!');

      else
       {
        window.location="http://www.wocommsdinner.com";
        }


    Unless I'm badly misremembering what little JS I've ever had occasion to learn, this silently bails out as soon as it attempts to do anything with the undeclared variable 'pass2'.



  • Password entry doesn't seem to do anything, other than giving you a nice "Password correct!" message.  Incorrect pwds let you in just the same. Can't even fathom the reason for the password in the first place.  I do hope all these people know their email addresses are there for the world to see.



  • I guess this is just against web aspirators used by spammers.



  • @emurphy said:

    Unless I'm badly misremembering what little JS I've ever had occasion to learn, this silently bails out as soon as it attempts to do anything with the undeclared variable 'pass2'.


    Firefox web developer java console gives a "pass2 is not defined". So that password prompt is slightly more than useless.

    I also particularly like how all the names/emails have been added by hand. If you look at the source, you'll notice that each one is indented/arranged differently.

    Note in passing: Every time I click/type a letter or do anything else in this editor, a error pops up in the JavaScript Console. I'm not really surprised.



  • @SpComb said:

    @emurphy said:
    Unless I'm badly misremembering what little JS I've ever had occasion to learn, this silently bails out as soon as it attempts to do anything with the undeclared variable 'pass2'.

    Note in passing: Every time I click/type a letter or do anything else in this editor, a error pops up in the JavaScript Console. I'm not really surprised.

    That's pretty much unavoidable with something like a JS-based rich text editor thanks to the differences between IE and, well, just about everything else. Any call that examines the event return for IE-versus-Moz properties will error out on the IE check. If it's written properly, the code will catch the error (if found) and execute an alternate fork. That happens here -- but the Mozilla JS console still reports the error. Want to watch high-speed scrolling in the JS console? Try Gmail. (BTW, it still makes sense to check the IE versions first, since it's still the most likely browser.)



  • @trollable said:

    I guess this is just against web aspirators used by spammers.

    If it is, it's still a miserable failure; use some tool that doesn't understand JavaScript and you can get the page without entering the password at all. (Try it with wget and see...)



  • @trollable said:

    I guess this is just against web aspirators used by spammers.

    If it is, it's still a miserable failure; use some tool that doesn't understand JavaScript and you can get the page without entering the password at all. (Try it with wget and see...)


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.