Last weekend, I went to Tokyo for a recruiting activity.
After finishing everything, I met up with my friends, a couple. We enjoyed the time. We also went to a showroom for a certain thing (I should not say more ^^;;;), because we had a little time. There, the organization provides a terminal which introduces their activities. I found a security hole in the system, which comes from weak communication when they designed the system. The system is as follows.
The system has only one input device, which is a mouse. The system provides a full-screen web browser, with a limited set of functions. The system has no keyboard. So users can use only the limited web browser. The organization also uses Twitter. The Twitter account publishes about their activities with either no links or links only to their own content. This means that users cannot exit from their content (usually....). If the system provided only the above, then this system would be completely perfect. However, the Twitter account's profile links to another web site in their organization. And that page links to their Facebook account. This is a problem. Usually, if a user publishes something on Facebook and some other user clicks the Like button, then all users can go to his/her personal timeline on Facebook from the list of users who clicked Like. Even though the organization did not publish any links to other sites, the system's user can still get out to third parties' pages. If a timeline has a malicious link, then the site will have problems.
This problem comes from a communication miss (I think). There are four pages: the homepage on the system, Twitter, another official page, and Facebook. The system designer considered only the display of the homepage. Incidentally, the homepage designer needed to link to their Twitter account. And the Twitter account manager was on a different team from the system manager's team. And (maybe) the Twitter manager did not know that Twitter is linked from such a limited system. Then that team linked the other official page. Of course, that page's manager clearly doesn't know the first homepage. That team linked both the Twitter and Facebook accounts for promotion. If at least one engineer or manager had known every service, then the error would not have occurred.....
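The diagnosis above, a link chain through four pages owned by different teams, can be checked mechanically against the hosts the kiosk designer intended to allow. This is an added example, not code from the post or the organization: a breadth-first walk over a constructed link graph that reports the shortest path from the kiosk start page to a host outside the allowlist; every URL and host name below is hypothetical.

```python
"""Audit whether a kiosk start page can reach a host outside an allowlist
by following hyperlinks.  Added example; the link graph is constructed to
mirror the chain described in the post (kiosk homepage -> Twitter profile
-> other official page -> Facebook -> an arbitrary user's timeline)."""
from collections import deque
from urllib.parse import urlparse

# Constructed link graph (hypothetical hosts): page URL -> URLs it links to.
LINKS = {
    "https://kiosk.example.org/": ["https://kiosk.example.org/about",
                                   "https://twitter.com/example_org"],
    "https://kiosk.example.org/about": ["https://kiosk.example.org/"],
    "https://twitter.com/example_org": ["https://www.example.org/"],
    "https://www.example.org/": ["https://www.facebook.com/example_org"],
    "https://www.facebook.com/example_org": ["https://www.facebook.com/some_user"],
    # a Like on the official post leads to a user's timeline, which links anywhere
    "https://www.facebook.com/some_user": ["https://third-party.example/"],
}


def host(url):
    """Host part of a URL, lower-cased by urlparse; empty string if absent."""
    return urlparse(url).hostname or ""


def find_escape(start, allowed_hosts, links):
    """Breadth-first walk from `start` over `links`.  Returns the shortest
    list of URLs whose final hop lands on a host not in `allowed_hosts`,
    or None when every reachable page stays inside the allowlist."""
    parent = {start: None}          # URL -> URL we arrived from
    queue = deque([start])
    while queue:
        url = queue.popleft()
        for nxt in links.get(url, []):
            if nxt in parent:       # already visited
                continue
            parent[nxt] = url
            if host(nxt) not in allowed_hosts:
                path = [nxt]        # rebuild the path back to `start`
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


if __name__ == "__main__":
    # What the system designer assumed: homepage plus Twitter only.
    print(find_escape("https://kiosk.example.org/",
                      {"kiosk.example.org", "twitter.com"}, LINKS))
```

Running the same walk with each newly linked host added to the allowlist shows how the exit point simply moves one hop further out until the chain reaches a page nobody in the organization controls.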
When I saw the site, I really felt scared. For the system itself, the organization considered security. However, content management can easily break the security policy if they don't have security awareness.......
(Maybe) I will write an email to them about this problem.......if I have the time and stamina ^^;;;;;