[BinaryIdiot]

I used to work at a life insurance company that had a sessions page for the developers that wasn't locked down at all. If you could get someone's id you could go directly to this page and set your user id to that. Done.

They also had a contest for their agents and the database they used to store all of the entries and information was an access database that happened to be sitting in the public directory for the website to simply serve to anyone who knew to request the database.

Seeing so much "security" makes me realize that a large majority of sites out there are a complete shit show, especially if the companies I worked for / with couldn't get it right and they actually had some money to their name.

[cookiecaper]

Yes, most medium-or-smaller sized companies, including ones in fields that should take security seriously like insurance and lending, will have tons of stuff like this. It shouldn't surprise anyone at this point.

[BinaryIdiot]

Even large companies depending on how you want to classify one as "large". Back when Palm announced their new phone, the Palm Pre, I was given early developer access on their developer portal. I reported to them multiple security vulnerabilities including one that allowed anyone to change a simple integer in the URL and instantly see everyone's SSN / TIN, payment information, etc. It took them 3 months to fully resolve, too (their first fix was simply changing a GET call to a POST, sigh). They never even disclosed it to anyone despite my pleas (I should have but was still sorta green back then and didn't think it through).