High security does not involve wizardry - it's grounded in straightforward principles and diligent practices

High security does not involve wizardry - it's grounded in straightforward principles and diligent practices

In online services, a small oversight can lead to significant vulnerabilities, exposing businesses to risks that could cost them their image and hard cash. Two recent scandals involving tricks with price tags on ticket sales platforms have brought to light an all-too-common mistake that, while simple, can have far-reaching consequences. This post is written to demystify security, illustrating that it's not akin to dark arts, even for those lacking an IT background.

Imagine a ticket sales portal offering daily, weekly, and monthly tickets priced at €50, €200, and €500, respectively. At first glance, the process is straightforward: click on a ticket, proceed to the payment page, and complete your purchase. However, if the implementation lacks a basic understanding of online security principles, vulnerabilities can arise from seemingly harmless practices.

"It's not merely the ability to write code that defines a software engineer. A great developer must be versed in numerous disciplines beyond coding, including user experience, accessibility, elements of psychology and marketing, and crucially, security. Regrettably, many developers hesitate to venture beyond their comfort zones to acquire new skills. This is where the importance of knowledge management shines in every IT services company. Educating our junior staff on writing secure code is vital because, as illustrated in this article, writing secure code isn't more costly than writing poor quality code - it's about having the right knowledge."

For instance, a programmer with limited experience in security might attach the price directly in the URL, like so:

  • For a daily ticket: https://tickets.example.com/ticketsales.php?price=50
  • For a weekly ticket: https://tickets.example.com/ticketsales.php?price=200
  • For a monthly ticket: https://tickets.example.com/ticketsales.php?price=500

Clicking on one of these links takes the user to a payment page that reflects the selected price. However, this setup invites a glaring security risk: price manipulation. A user could simply edit the URL's price parameter to a lower value, like €1, and the payment page would obediently adjust to this new "price."

  • For a daily ticket: https://tickets.example.com/ticketsales.php?price=1

This is precisely what happened in one of the cases: a youngster simply altered the price tag, resulting in the acquisition of a very inexpensive product. The aftermath was a massive media scandal characterized by extensive finger-pointing and misinformation, significantly damaging the platform's reputation. While some may find humor in the situation, the root cause was likely a simple oversight by a junior coder that went unchecked, highlighting the critical importance of education and proper processes.

To avoid such pitfalls, experienced programmers employ a technique known as the "separation of business logic and presentation." Instead of placing a mutable value like price in the URL, they would use a fixed ticket type identifier. The server, not the user, then determines the price based on this identifier. Here's how the improved URLs might look:

  • Daily ticket: https://tickets.example.com/ticketsales.php?type=daily
  • Weekly ticket: https://tickets.example.com/ticketsales.php?type=weekly
  • Monthly ticket: https://tickets.example.com/ticketsales.php?type=monthly

With this approach, the server controls the pricing logic, removing the user's ability to manipulate ticket prices through URL edits. Attempting to bypass this by changing the URL to an invalid parameter would result in a warning message, and the system could log the user's IP address for security purposes.

This solution is not black magic, it is neither complex nor time-consuming to implement. The code for the imaginary scenario in this post would take no more than five minutes to code, even an AI can do it. The essence of IT security often lies in such simple yet effective practices, underscoring the importance of having skilled programmers or, proper processes, and ideally, high-performing agile teams that can identify and correct potential vulnerabilities efficiently.

Most of the time, IT security is much simpler than it appears, and understanding its basics can go a long way in protecting your business from unnecessary losses. By ensuring that your IT team adheres to fundamental security principles, you can avoid becoming the next cautionary tale in the digital age.

Thomas Biro

co-founder & chairmain
agile business architect,
agile coach
Sense/Net
Thomas Biro

Co-founder of Sense/Net & Barion, author of Digital Readiness Framework. Tom graduated in engineering from Nottingham Trent University. Since the advent of the Internet, he has been involved in digitalization, initially focusing on the technical, and later on the human aspects. Tom is an M-shaped talent, with extensive knowledge in IT, entrepreneurship, and agile. He likes to promote provocative ideas. In his view, only free, critical, and scientific thinking will move humanity forward. He believes that the essence of agility is the agile mindset, which he puts great emphasis on teaching.

You may benefit from reading related posts

Talk to our experts

We cannot wait to start your next digital project or product. So book an appointment and talk to senior IT experts instead of your typical salesperson.