Wednesday, December 19, 2007

More Identity Management for Indoor Rowing

My son and I are participating in an indoor rowing Concept 2 Holiday Challenge, each of us attempting to row a certain distance before midnight on Dec 24.

My goal is 200km, but as 100km is a milestone for some, when I crossed that threshold my challenge page added a link from which I could download a Certificate acknowledging the accomplishment.

The URL for the 100k certificate looks like*******/challenge/holchal/HRC07_100cert.pdf

On a whim, I replaced '100' with '200' in the above and tried the resulting address. The URL worked and rewarded me with a nice 200k certificate.

Given that nothing prevents someone from completely fabricating their rowing distances, this is not an egregious security hole.


Unknown said...


Robert said...

Don't know if this is an improvement or not over....

... those early/first "digital" bicycle odometers of the 80s. People took those to their bicycle shops with all kinds of excuses (e.g. technical problems) in the hope that the thing could be "fast-forwarded" to those x thousand km that they had bet on. Afaik nobody at the time knew how to "hack" those things.

Does your rowing machine has an odometer ? If so we will congratulate you if we can show us a non-photoshoped picture of its reading with those 200 km ! ;)