Sometimes when browsing the web, you click somewhere you are not supposed to click. For instance, I was navigating through a well-known shop when I suddenly hit a Magento login panel telling me that the webshop was actually based on Magento™. Naturally my fingers began typing, but I was shocked to see that I could actually log in with the default admin password. How did this happen?
Blame it on the sample data
When installing Magento, you can follow the extra procedure of adding sample data. This adds sample products to the database, but with older Magento versions it also set a default login: the username admin and the password 123123. These login credentials can still be found on various demo sites.
But it is shocking to see that the same login credentials were used on this major shop. Every Magento enthusiast could have tried out the password and gained access to the database: once we were logged into the Magento Admin Panel, we not only compromised their payment gateways and product information, we also gained a copy of thousands of customer records.
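The obvious defensive check is to audit your own admin accounts for the sample-data password before anyone else does. As an added example (not code from the original post or from Magento itself), the script below assumes the Magento 1.x legacy hash layout md5(salt + password) + ":" + salt (with a plain unsalted md5 for very old rows) and flags any admin_user row that still matches 123123; the sample rows are constructed.

```python
import hashlib
import hmac

# Sample-data credentials named in the post: admin / 123123.
DEFAULT_ADMIN_PASSWORD = "123123"


def magento1_hash(password: str, salt: str) -> str:
    """Magento 1.x admin password hash (assumption: legacy scheme):
    md5(salt + password) followed by ':' and the salt in clear."""
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return digest + ":" + salt


def uses_password(stored_hash: str, candidate: str) -> bool:
    """True if a stored admin_user hash corresponds to `candidate`."""
    if ":" not in stored_hash:
        # Very old rows: unsalted md5(password).
        expected = hashlib.md5(candidate.encode()).hexdigest()
    else:
        # Salt is stored in clear after the colon; recompute and compare.
        _, salt = stored_hash.split(":", 1)
        expected = magento1_hash(candidate, salt)
    return hmac.compare_digest(expected, stored_hash)


def find_default_credential_accounts(rows):
    """rows: iterable of (username, password_hash) as read from admin_user.
    Returns the usernames whose password is still the sample-data default."""
    return [user for user, h in rows if uses_password(h, DEFAULT_ADMIN_PASSWORD)]


# Constructed sample admin_user rows for demonstration (not real data).
SAMPLE_ROWS = [
    ("admin", magento1_hash("123123", "Q7")),                       # sample-data default
    ("alice", magento1_hash("correct horse battery staple", "zP")),  # fine
    ("legacy", hashlib.md5(b"123123").hexdigest()),                  # unsalted default
]

if __name__ == "__main__":
    for name in find_default_credential_accounts(SAMPLE_ROWS):
        print(f"admin account still uses the sample-data password: {name}")
```

On a live shop the rows would come from `SELECT username, password FROM admin_user`; any hit means the account must be reset immediately.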
Blame it on the administrator
Of course we're not going to post the name of the actual webshop we compromised here. Partially because they would be harmed if we told the rest of the world what kind of mistake they made, and also partially because logging into a webshop without the permission of the owner could in some cases be considered illegal. We actually do not consider this hacking, because using a demo password on your shop is almost the same as leaving out the password altogether.
We are still stupefied that a shop which had earned over US$ 500.000 (yes, really, half a million), according to the statistics of their Magento Admin Panel, could pay so little attention to the security of their site.