by jerf
3338 days ago
Well... I agree with you in principle, but in practice I find developers often forget that code fails the way it is supposed to fail, when it is supposed to fail. In the authentication case, everyone remembers to check that when you're supposed to be logged in, you can access what you should be able to access. But it's really common to not think to test that when you're not logged in you shouldn't be able to access what you should be able to access (when logged in), or that when logged in as user X you shouldn't be able to access user Y's stuff.
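The cases named in the comment above (access allowed when logged in, denied when logged out, denied for another user's data) written as a test matrix that exercises the deny paths as thoroughly as the allow path. This is an added example, not part of the original comment; the handlers, user names, document ids and status codes are constructed for illustration.

```python
# Constructed sample data: document id -> owning user.
DOCS = {"doc-x": "userX", "doc-y": "userY"}
USERS = ["userX", "userY"]

def handler_login_only(user, doc_id):
    """Flawed handler: checks that someone is logged in, not who owns the doc."""
    if user is None:
        return 401
    return 200 if doc_id in DOCS else 404

def handler_owner_checked(user, doc_id):
    """Handler that also enforces ownership."""
    if user is None:
        return 401
    if doc_id not in DOCS:
        return 404
    return 200 if DOCS[doc_id] == user else 403

def expected_status(user, doc_id):
    """Access policy, stated independently of any handler."""
    if user is None:
        return 401          # not logged in: always denied
    return 200 if DOCS[doc_id] == user else 403

def access_matrix_failures(handler):
    """Run every actor (including anonymous) against every document.

    Returns (user, doc_id, expected, actual) for each mismatch, so a
    handler that only passes the "logged in, own data" case is caught.
    """
    failures = []
    for user in [None] + USERS:
        for doc_id in DOCS:
            want = expected_status(user, doc_id)
            got = handler(user, doc_id)
            if got != want:
                failures.append((user, doc_id, want, got))
    return failures

if __name__ == "__main__":
    for name, handler in [("login_only", handler_login_only),
                          ("owner_checked", handler_owner_checked)]:
        print(name, access_matrix_failures(handler))
```

A test suite that only asserts the 200 responses passes for both handlers; only the cross-user rows of the matrix tell them apart.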