I’ve become a regular visitor to the Auckland City Library. Whether it be investigating peak-oil, the Scott Watson Trial, minis, masonry, erotic fiction (that was purely research related for my secret website that will make me millions but hasn’t yet), or caves, the library has it.
What it also has is a rather WTFfy security hole in its book check-out system.
To check out a book from the library, a user requires a library card, which records their name, address, and miscellaneous other details. Users can then check out the book using the automated check-out system.
The machine scans the user’s library card bar-code, followed by the bar-codes of all the books the user wants to borrow. Upon completion the system prints a receipt of which books were taken and when they’re due back, similar to an ATM.
The immediate effect of this is that the floor and library surroundings are littered with receipt tickets, giving the undercover investigator an intriguing insight into other people’s lives.
However, the real WTF is that the library also prints the user’s bar-code number on the receipt. So now all a malicious library user has to do is collect these receipts, go to any number of free online bar-code generation web-sites, enter the correct algorithm name, and voilà, they have a new bar-code that’s readable by the automated scanner. (Here’s almost mine, reproduced in five interweb clicks).
Now my faith in humanity would drop a few more points if it turns out there really is someone who would go to the extent of forging a library card to use a service that’s already mostly free to begin with. Still, just to be sure, I have notified Auckland City Libraries of the problem… Stay tuned.