I saw this post over at David's blog and all that I have to say is that … I am not surprised. e-banking applications aren't good over here in Slovenia, but this one from David's post tops the list by far. Here is the screenshot from his blog (I hope he doesn't mind that I've made a copy of it).
So, you might say "heck, errors happen". Yes they do, but this one shows bank ignorance at its worst. Even though their representative Janez explains in a comment that the error and the usage of an Access(!) database are unrelated to the core application itself, he is bloody wrong. So, what can you see from this error:
- They are using Access
- They are using asp
- They are using an ODBC driver (who knows why...)
- The code that connects to the database is in the file /obvestila/DBConn.asp and the connection itself is in the line 9
- They have never heard of the rule: never, ever show internal errors to the public
These are 5 lines of knowledge that should remain hidden, especially in this kind of sensitive application. Do you wonder what other errors might reveal? But the real problem is not this particular data being displayed, it is the fact that they are showing data that should never be visible from outside. This leads me to think that their application, or at least a part of it, is really badly written and might be highly vulnerable to malicious attacks. At the very least, such a message doesn't give you a sense of security. I also wonder how scalable the application is when used by more than 5 concurrent users.
Anyway, I am sure that application was written by the cheapest company… Kudos to everybody using this application for their courage.
UPDATE: The page with the error shown above is not a page from their e-banking application itself but from its entry page. The e-banking application is actually located at another web address and it seems to be a Java application, so the two might be separate. Nevertheless, all of the criticism above is still very valid.
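As an added example (not from the original post, and not the bank's code), here is a small Python check that scans HTTP response bodies for the classic ASP/ODBC verbose-error signatures described above and pulls out exactly the facts such a page leaks: the database provider, the Access driver, the script path with its line number, and the error code. The sample response is constructed to have the shape of a classic ASP error page and is not the bank's real page; the signature strings are the standard ones emitted by the Microsoft OLE DB/ODBC providers.

```python
import re

# Constructed sample: the shape of a classic ASP + ODBC error page.
# This is NOT the bank's real response; it is built here to exercise the checker.
SAMPLE_RESPONSE = """<html><body>
<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face="Arial" size=2>error '80004005'</font>
<p>
<font face="Arial" size=2>[Microsoft][ODBC Microsoft Access Driver] Could not use '(unknown)'; file already in use.</font>
<p>
<font face="Arial" size=2>/obvestila/DBConn.asp</font><font face="Arial" size=2>, line 9</font>
</body></html>"""

# What the same failure should look like once the server returns a generic error page
# (constructed; the details belong in a server-side log, not in the response).
HARDENED_RESPONSE = "<html><body><p>An error occurred. Please try again later.</p></body></html>"

# Each pattern corresponds to one fact a verbose error hands to the outside world.
LEAK_PATTERNS = {
    # Tells you ODBC is in the stack (and that classic ASP/OLE DB is rendering raw errors).
    "odbc_provider": re.compile(r"Microsoft OLE DB Provider for ODBC Drivers"),
    # Tells you the backend is an Access/Jet database file.
    "access_driver": re.compile(r"ODBC Microsoft Access Driver|Microsoft JET Database Engine"),
    # Tells you the script path and the exact source line that failed.
    "asp_source_location": re.compile(r"(/[\w./-]+\.asp)\b.*?,\s*line\s+(\d+)", re.S),
    # The HRESULT-style code classic ASP prints next to the provider name.
    "error_code": re.compile(r"error\s+'([0-9a-fA-F]{8})'"),
}


def find_leaks(body: str) -> dict:
    """Return {category: detail} for every verbose-error signature present in an HTTP body.

    'detail' is the tuple of captured groups when the pattern has groups,
    otherwise the matched text itself.  An empty dict means nothing leaked.
    """
    findings = {}
    for name, pattern in LEAK_PATTERNS.items():
        match = pattern.search(body)
        if match:
            findings[name] = match.groups() if match.groups() else match.group(0)
    return findings


def is_verbose_error(body: str) -> bool:
    """True if the response exposes any internal error detail."""
    return bool(find_leaks(body))


def scan_responses(responses):
    """Run the check over (url, body) pairs, e.g. from a crawl of your own site or
    from archived responses, and return only the URLs that leak something."""
    report = []
    for url, body in responses:
        leaks = find_leaks(body)
        if leaks:
            report.append((url, leaks))
    return report


if __name__ == "__main__":
    # Two constructed responses: one leaking, one fixed.
    for url, leaks in scan_responses([
        ("/obvestila/index.asp", SAMPLE_RESPONSE),
        ("/obvestila/index.asp (after fix)", HARDENED_RESPONSE),
    ]):
        print(url)
        for category, detail in leaks.items():
            print(f"  {category}: {detail}")
```

Running it against the constructed sample reports the provider, the Access driver, the path `/obvestila/DBConn.asp` with line `9`, and the code `80004005`; the hardened response reports nothing. The remediation on the server side is the one the post states: return a generic error page to the client and write the details to a log that only operators can read.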