Friday, February 5, 2021

Incompetent CTO Refuses To Fix Company's Security Flaw, Revenge Ensues


Literally, it's hard to comprehend that this CTO possessed the puzzling level of ignorance that manifested in actually giving every employee at the company the same password. Like, do you want the company to get hacked, or what, bro? It just seems like an open invitation at that point. Really. Fortunately for the company, the CTO was eventually replaced. Hopefully the CTO learned their lesson.

1.

r/ProRevenge u/ROKexpat • 12h
Don't want to fix my IT issue? Well I think it's time for a new CTO. I just want to state that this IT issue is going to blow some people's minds. The security flaw that this presented was nothing short of incredible. And the fact that we never had a major security breach is astounding. It truly is. The flaw you may ask

2.

Everyone in the entire company's password was the same password. Yes folks, you read that right, every single password to every single employee login was the same password. It was like this before I joined the company, and for quite a few years after. Until... well, enjoy the story. Now what about the username? That must be the trick, right? Oh yeah, that was a trick: the username was the employee email address. I did point out this flaw to my management and their response was "That's not o

3.

The CTO said "I don't want to spend the time fixing this, use this workaround", to which I pointed out the workaround slows things down, makes my job harder, and this Windows update has to affect more than just me. I was told to suck it up. Now at the time the CEO was the son of the founder and a bit of... I legit feel at this point in time he was just collecting a paycheck and letting everything run on auto and didn't pay attention. But I was mad at the CTO for brushing me off so I p

4.

I decided to demonstrate the flaw. I picked two random sales people (I didn't know them), I got their usernames and I logged into their systems, and I pulled two random customers' personal information. The kind of information that would have easily allowed me to commit identity fraud, pull out credit in their names, etc., all kinds of bad stuff. I emailed the CEO and I explained "anyone who knows the URL to log into our system can log into anyone's account, pull up customers' information,

5.

25 minutes later my phone rings, it's the CEO. He was nice, very interested in how I did this (this guy isn't the sharpest knife in the drawer), and I pointed out the flaw in plain English, and the liability that it presents to him. I walked him through the process of "hacking" my own account, as he called it. I'd hate to call it "hacking" cause it was so easy. Now it dawned on this CEO that this liability was huge. I pointed out again in our conversation a single upset employee could d

6.

So a day later we have the conference call, it's the CEO, the CTO, COO, CFO, the company lawyer, the senior VP etc., and on the call I demonstrate the flaw and I lay out how I, as a lay person with very little IT background, was able to figure this out; it's incredible that we have this flaw. Everyone is in agreement that this is a HUGE ISSUE. Except the CTO. The CTO gets very upset at me, he wants me fired for "hacking" the system, he says that per our employee handbook what I did is a firable of

7.

The CTO pointed out that former employees' usernames are disabled, to which I pointed out every employee username is their email address, it would be trivial for a former disgruntled employee to use a different employee email address that they remember to log in, and since everyone's password is the same they don't even have to guess. The CTO points out that we would know who did it cause of the IP address, I pointed out that VPNs are indeed a thing. The corporate attorney actually was

8.

After the meeting the CTO called me privately. HE WAS... I just exposed his incompetence because the system was his design, the decision for everyone to have the same password was his decision. And I know why he did it, he did it cause he was lazy. And I said to the CTO "You're a CTO, you shouldn't be in the position you are, and you're lazy, you should have found a better solution for my help ticket." He stops and asks "So this is about your stupid help ticket?" I go "Yes, yes it is." He lau

9.

Well sure enough, later that day we got an email stating that everyone was to change their passwords to something unique. A week later the CEO announced the old CTO stepped down to spend more time with his family. On the first day of the new CTO's tenure he sent me an email telling me he wanted to personally work on my help ticket and find a solution around the Windows update. Which I'm pleased to say he did. And I later had conversations with our attorney at a meeting, we legit neve
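The check a practitioner would want after reading that story is an audit for accounts that share one password. The script below is an added example, not code from the post or from the company it describes; the user store, the PBKDF2 parameters and the sample accounts (alice, bob, carol, dave at example.com) are constructed for illustration. It also shows the caveat that matters here: with a per-user salt, accounts that share a password do not share a stored hash, so comparing hashes finds nothing; you have to verify known candidate passwords (onboarding defaults, the "everyone's password" from the story) against every account.

```python
"""Audit a password store for accounts that share one password (illustrative example)."""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor; kept modest so the demo runs in a moment.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest). A fresh 16-byte salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a candidate password against a stored salt/digest pair."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_sample_store():
    """Constructed sample store: usernames are email addresses, as in the story, and three
    of the four accounts were provisioned with the same onboarding password (assumed data)."""
    passwords = {
        "alice@example.com": "Welcome1!",
        "bob@example.com": "Welcome1!",
        "carol@example.com": "Welcome1!",
        "dave@example.com": "correct horse battery staple",
    }
    return {user: hash_password(pw) for user, pw in passwords.items()}


def find_duplicate_digests(store):
    """Group accounts whose stored digests are byte-identical.

    This only detects sharing in an unsalted store (or one that reuses a single salt).
    With per-user salts the same password yields different digests, so it returns {}."""
    by_digest = defaultdict(list)
    for user, (_salt, digest) in store.items():
        by_digest[digest].append(user)
    return {d.hex(): sorted(users) for d, users in by_digest.items() if len(users) > 1}


def audit_shared_passwords(store, candidates):
    """Verify each candidate password (known defaults, onboarding passwords) against every
    account and report the candidates that unlock more than one account."""
    hits = defaultdict(list)
    for password in candidates:
        for user, (salt, digest) in store.items():
            if verify_password(password, salt, digest):
                hits[password].append(user)
    return {pw: sorted(users) for pw, users in hits.items() if len(users) > 1}


if __name__ == "__main__":
    store = build_sample_store()
    # Salted store: the three shared accounts are invisible to a plain hash comparison.
    print("identical digests:", find_duplicate_digests(store))
    # Candidate-based audit finds them.
    print("shared passwords:", audit_shared_passwords(store, ["Welcome1!", "hunter2"]))
```

The candidate list is the weak point of this audit by design: it can only confirm sharing of passwords you already suspect. The stronger control is the one the new CTO applied, forcing every account to a unique password at reset time, with the audit kept as a periodic check that defaults have not crept back in through provisioning.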

