14 April 2002

One of our clients asked me to configure a web application on a server hosted by a third party. In the course of the work I discovered that the hosting company had no security to prevent one client from modifying or deleting the data of another client. Naturally I informed both our client and the hosting company of this, along with recommendations on how to fix it. You'd expect that the hosting company would increase their security, right? Nope, they found a much cleaner way to deal with the hole: they simply terminated our client's account!

This little adventure has prompted me to publish some thoughts about the inter-account security (or lack thereof) in many virtual hosting facilities.

