It is probably a good idea to keep details limited to protect the guilty.For what it's worth, here's a question about what to do if you find a security hole, and another with some useful answers if a company doesn't (seem to) respond.This question exists because it has historical significance, but it is not considered a good, on-topic question for this site, so please do not use it as evidence that you can ask similar questions here.
We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion.
If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Even if your question has been community wiki for hours, the comment is still a good comment to upvote, as it reminds people that questions similar to this one should be community wiki. From early days of online stores: Getting a 90% discount by entering .1 in the quantity field of the shopping cart.
The software properly calculated the total cost as .1 * cost, and the human packing the order simply glossed over the odd "." in front of the quantity to pack :) Jeff Bezos mentioned that in the very early days of Amazon, you could have a negative quantity of books and Amazon would credit your account (and presumably wait for you to ship it to them). v=-hx X_Q5Cna A The least forgivable security hole, and unfortunately a very common and easy to find one at that, is Google hacking. q=inurl%3Aselect+inurl%3A%2520+inurl%3Afrom+inurl%3Awhere It's amazing how many pages on the Internet, government sites in particular, pass an SQL query through the query string.
It's the worst form of SQL injection, and it takes no effort at all to find vulnerable sites.
With minor tweaks, I've been able to find unprotected installations of php My Admin, unprotected installations of My SQL, query strings containing usernames and passwords, etc. You haven't known fear until the day you wake up and see the headline on that morning is "Worst Internet Explorer Security Hole Ever Has Been Discovered In 'Blah'" where 'Blah' is code you wrote yourself six months previously.
Immediately upon getting to work I checked the change logs and discovered that someone on another team -- someone we trusted to make changes to the product -- had checked out my code, changed a bunch of the security registry key settings for no good reason, checked it back in, and never got a code review or told anyone about it.
To this day I have no idea what on earth he thought he was doing; he left the company shortly thereafter.
(Of his own accord.) (UPDATE: A few responses to issues raised in the comments: First, note that I choose to take the charitable position that the security key changes were unintentional and based on carelessness or unfamiliarity, rather than malice.