Featured Post by Mike Rundle

TED.com Doesn’t Care If You Hack Into Their Database

Two days ago I posted to Twitter that TED.com had a big problem. For some reason, much of the Symfony PHP code used to power their website was sitting in plaintext at the top of every page on the domain. Most of it was ordinary Symfony framework code, but one line listed their database connection information (username and password) for anyone to see.

Before I posted to Twitter, I contacted the TED web team through the contact form on their website, notifying them of the major breach. You’d think that a message saying “your database login information is X” might get their attention, but no, it didn’t. It’s now Monday and I haven’t heard anything from them. They quietly fixed the problem last night, but that was after 48 hours of it being up and live for anyone to see. It was up so long that Google cached it, and it can be seen in the top result.

When I think of TED (the conference, the company, the website), I think of an organization made up of a lot of smart people. The brightest minds on the planet give presentations to an audience filled with the biggest movers and shakers of the tech and business world. It costs many thousands of dollars to attend, and there are a limited number of tickets. The entire concept screams exclusivity, but on the other hand, they let their database login information sit at the top of their website for an entire weekend WHILE thousands were hitting the site watching recently posted TED presentation videos. It’s not like this happened 6 months after the conference was over; it happened while the conference was just wrapping up.

It just shows that no matter how smart you’re perceived to be, your smarts are only as real as you can prove them to be.

Posted March 3, 2008 with 0 Comments
