Youtube Live Epic Failure (Plaintext DB Password Exposed)
96 points by a904guy on Sept 13, 2010 | 23 comments
From: http://techcrunch.com/2010/09/12/youtube-live-streaming/

The widget embedded is rendering this on the page:

Traceback (most recent call last):
  File "/base/python_runtime/python_lib/versions/1/google/appengine/ext/webapp/__init__.py", line 511, in __call__
    handler.get(*groups)
  File "/base/data/home/apps/yt-live/1.344714172147360500/event.py", line 69, in get
    evs = get_rows()
  File "/base/data/home/apps/yt-live/1.344714172147360500/event.py", line 9, in get_rows
    client = gdata.spreadsheet.text_db.DatabaseClient('kieran@bynd.com', 'projectmetal')
  File "/base/data/home/apps/yt-live/1.344714172147360500/gdata/spreadsheet/text_db.py", line 106, in __init__
    self.SetCredentials(username, password)
  File "/base/data/home/apps/yt-live/1.344714172147360500/gdata/spreadsheet/text_db.py", line 127, in SetCredentials
    raise CaptchaRequired('Please visit https://www.google.com/accounts/'
CaptchaRequired: Please visit https://www.google.com/accounts/DisplayUnlockCaptcha to unlock your account.



One guy's password getting out, in the grand scheme of things, is perhaps not an "epic failure". I mean, it's a screwup all right, but perhaps some perspective is in order...


The point is more towards developers/sysadmins. Outputting error handling is an epic failure in any production environment.


If that's "epic", what about those companies that lost tons of credit card numbers? Or the Therac that killed people? You'll run out of superlatives if "epic" is putting some debug information on the screen in a production environment.


And how do you suspect those credit cards were lost? Bad practices? This would be one of them. The semantics behind the title don't really matter. At the end of the day, it's just a bad idea.


No one is saying that it's not a bad idea. I'm just quibbling with the superlative-inflation going on in the headline.


That's what hackers need... that 'one'.


Slightly off-topic, but I wonder what is their versioning strategy. 1.344714172147360500 is pretty bizarre. Does anyone know how / why it's used?


Looks like a high-resolution timestamp (the first 32 bits make up a time_t for last Saturday).


It seems (unsurprisingly) similar to the versioning used on Google AppEngine file system.


That's why you should never expose tracebacks in a production environment. But plain text? Really?


This reminds me of the time php.net went funny and started outputting all their PHP as text/html - they kept their DB credentials in a file included from their public_html directory and we were able to read the host details and username and password for their CMS.

Never ceases to amaze me that even big sites make little mistakes like that!


Using PHP is not a little mistake.


That is one embarrassingly trivial password.


Really? It's two words that aren't commonly found together. The only way I can see it being trivial enough to comment on is if the guy is related to something named Project Metal. But I don't know who he is.


Doesn't google docs support OAuth? That password should never have been in the code to begin with.
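As an added example, written for this page and not taken from the thread or from the widget's own code: a small Python handler wrapper that does what the comments above ask for. Any exception is logged server-side with its full traceback under a random reference, and the client gets only that reference, so file paths, library internals and credentials never reach the page. The spreadsheet login is read from the environment instead of being a literal in the source, which is what a traceback quoting the source line would otherwise print. The variable names GDATA_USER and GDATA_PASSWORD, the logger name and the failing handler are all assumptions made for the example; the constructed failure deliberately echoes the login in its message, as a library error such as the CaptchaRequired above might.

```python
import io
import logging
import os
import traceback
import uuid


class ConfigError(RuntimeError):
    """Raised when a required credential setting is absent."""


def load_credentials(environ=None):
    """Return (user, password) from the process environment, or from the
    mapping passed in. The variable names are an assumption for this
    example. A missing value is an error; there is no literal fallback,
    so no secret ever lives in the source file that a traceback could print.
    """
    if environ is None:
        environ = os.environ
    try:
        return environ["GDATA_USER"], environ["GDATA_PASSWORD"]
    except KeyError as exc:
        raise ConfigError("missing credential setting %s" % exc.args[0])


def handle_request(handler, logger, *args):
    """Call handler(*args) and turn any exception into a generic 500.

    The full traceback goes to `logger` together with a random reference;
    the client sees only that reference, so the two can be matched up by
    whoever reads the server logs, and nothing about the code, paths or
    credentials reaches the page.
    """
    try:
        return 200, handler(*args)
    except Exception:
        ref = uuid.uuid4().hex
        logger.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
        return 500, "Internal error (ref %s)" % ref


def demo(environ):
    """Run a handler whose failure echoes the login, the way the widget's
    CaptchaRequired traceback did, and return what the client and the log
    each got. The failure is constructed for this example."""
    buf = io.StringIO()
    # A private Logger instance, so the demo does not touch the global registry.
    logger = logging.Logger("yt_live_example")
    logger.addHandler(logging.StreamHandler(buf))

    def get_rows():
        user, password = load_credentials(environ)
        # Stand-in for the gdata login that failed in the post; a real
        # library error may well quote the account in its message.
        raise RuntimeError("login failed for %s / %s" % (user, password))

    status, body = handle_request(get_rows, logger)
    return status, body, buf.getvalue()


if __name__ == "__main__":
    status, body, logged = demo({"GDATA_USER": "user@example.com",
                                 "GDATA_PASSWORD": "not-a-real-password"})
    print(status, body)
    print("server log:\n" + logged)
```

The point of the reference is that suppressing the traceback does not mean losing it: the operator still gets the full stack in the log, keyed by the same string the user can quote when reporting the error. Whether the login comes from an environment variable, a config file outside the document root, or an OAuth token as the comment suggests, the rule is the same: the handler reads it at runtime, and the source file never contains it.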


... has anyone told Kieran?


No


Have you reported this?


Yes


Just out of curiosity, what Python web framework does YouTube use?


I hope Kieran changes that password if he uses it elsewhere.


The widget has since been removed.


Widget is back. (Working)

