by vidarh 1894 days ago
One of the first places I worked they had that.

For private data.

Guess their user id and you could get someone's whole contact list, access their voicemail, or start a 30 person conference call which could dial out internationally with calls billed to the affected user...

The entire top management had user ids below 100...

I found the problem because on login all it set was a cookie with the userid, and so of course I tried changing it.

When I alerted my manager to the problem they put in place 'encryption' of said cookie.

It was base64 encoding.

They were shocked when I broke that too.

Writing this now it sounds invented, but it's not. To be fair this was more than 20 years ago, and a lot of developers did not yet have any understanding of security, so they at least had a shred of an excuse.

I left that company first chance I got.


> 'encryption' of said cookie...It was base64 encoding.

Made me chuckle.

I never figured out what thought process led to them considering base64 a security feature. I mean, I could tell just by looking at the cookie it was base64, but I expected that meant they'd encrypted it and then base64 encoded the result. But no. It made me treat every bit of code I was handed with extreme caution.
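The two cookie schemes described in this thread, side by side, as an added illustration that is not part of either post: the base64 "encrypted" user-id cookie can be decoded and minted by anyone, whereas an HMAC-signed cookie (or, better still, an opaque random session id looked up server side) cannot be forged without the server's key. `SECRET_KEY` and the `SESSIONS` store are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed for the example: a real deployment keeps this out of source
# control and rotates it.
SECRET_KEY = b"example-secret-do-not-use"

def base64_cookie(user_id: int) -> str:
    """The 'encrypted' cookie from the post: base64 is an encoding, not a cipher."""
    return base64.b64encode(str(user_id).encode()).decode()

def read_base64_cookie(cookie: str) -> int:
    """Anyone can decode it, and anyone can mint one for any user id."""
    return int(base64.b64decode(cookie).decode())

def signed_cookie(user_id: int, key: bytes = SECRET_KEY) -> str:
    """user_id plus an HMAC-SHA256 tag; producing a valid tag needs the key."""
    payload = str(user_id).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}.{tag}"

def verify_signed_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the user id if the tag verifies, else None (constant-time compare)."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return int(payload)

# Opaque session ids: the cookie carries nothing but a random token, and the
# user id lives only on the server. Constructed in-memory store for the example.
SESSIONS: dict[str, int] = {}

def new_session(user_id: int) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def user_for_session(token: str):
    return SESSIONS.get(token)
```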