The Silent Partner

Lucio worked as a self-employed IT consultant. His clients tended to be small firms with equally small IT departments. When they didn't know where else to turn, they called on Lucio for help.

Over the years, Lucio befriended many of the internal IT employees that he worked with. One of them, Fabio, wisely decided to leave his position at a firm with 30 employees, where everyone's roles changed daily depending on the crisis at hand.

Soon after, Fabio landed an interview with an 80-person outfit. They were looking for someone who could take care of everything from mouse batteries to Excel spreadsheets to website software updates to issues in their homemade invoicing software.

Fabio could handle all of that, except for the software. The last time he'd coded anything was 15 years earlier, and even then he'd decided coding wasn't his forte. The interview was scheduled to take place online; Fabio asked Lucio to be in the room during the interview, hoping for a little secret assistance with any questions that were outside his knowledge.

Lucio didn't feel great about it, but he accepted, only to provide help with programming-related stuff and nothing else. As it turned out, the interviewer simply took Fabio's word at face value and did nothing to confirm his coding skills. Lucio never had to intervene, and Fabio got the job all on his own.

On the first day of the job, Fabio sent Lucio a selfie of himself at his new workplace. They'd already gotten him a uniform adorned with the company logo. His new boss toured him around the company offices, introducing him to his coworkers.

The next day, Fabio contacted Lucio. The company didn't have a helpdesk ticketing system, and Fabio lacked the clout to ask for such a big purchase. Did Lucio know of any free options?

As a personal favor, Lucio ended up installing UVDesk Community Edition on one of his own servers and provided Fabio the admin account. He warned his friend that this setup would only be temporary, and he'd have to arrange for something better later.

The next day after that, Fabio sought help for the homemade invoicing software, which crashed from time to time. Windows Process Manager was showing a steady increase of allocated memory. Lucio explained to Fabio what a memory leak was, and said that they'd have to look for the problem in the application's source code. Fabio replied that he didn't have access to the code yet.

And then, the company website was hacked. Lucio discovered that it was a WordPress site with a handwritten theme. Below is the single.php file responsible for rendering every post:

<?php

get_header();

$lang = pll_current_language();

if ( in_category( array( "calendar", "calendario" ) ) )
    echo get_template_part( "templates/case-study" );

elseif ( in_category( array( "case-studies", "casi-studio" ) ) )
    echo get_template_part( "templates/case-study" );

elseif ( in_category( array( "news", "notizie" ) ) )
    echo get_template_part( "templates/case-study" );

else
    echo get_template_part( "templates/product" );

get_footer();

?>

Lucio stopped looking at the theme code, because this was already more than enough for him:

  • The $lang variable was never used (thankfully).
  • The person who'd written this didn't seem to know that arrays could contain more than 2 items, or that if statements could combine conditions with OR operators (||).
  • One could only hope the company never acquired customers who spoke something other than English or Italian. There was only one template for all languages, and if statements were spread all over the whole theme.
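For comparison, here is how the same routing could be written once the three observations above are applied. This is an added example, not the theme's code from the story: it keeps the original behaviour (every calendar, case-study and news post goes to templates/case-study, everything else to templates/product) but lists all six category slugs in one array, drops the pointless echo (get_template_part() includes the file itself and returns nothing printable), and finally uses the $lang value the original computed and ignored, relying on WordPress's documented lookup of {slug}-{name}.php before falling back to {slug}.php.

```php
<?php
// Added example, not the theme from the story. Assumes Polylang's
// pll_current_language() is available, as the original theme did.

get_header();

// Polylang returns the current language slug, e.g. "en" or "it".
$lang = pll_current_language();

// in_category() accepts an array of any length, so one check covers
// both language variants of all three categories.
$case_study_categories = array(
    'calendar',     'calendario',
    'case-studies', 'casi-studio',
    'news',         'notizie',
);

$template = in_category( $case_study_categories )
    ? 'templates/case-study'
    : 'templates/product';

// get_template_part( $slug, $name ) first tries "$slug-$name.php"
// (e.g. templates/case-study-it.php) and falls back to "$slug.php",
// so per-language templates can be added later without touching
// this file. It includes the file directly; there is nothing to echo.
get_template_part( $template, $lang );

get_footer();
```

Adding a third language then means creating the category slugs and, optionally, a templates/case-study-xx.php file, rather than hunting for every if statement scattered through the theme.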

Lucio told Fabio that the company would have to rebuild the website from scratch. When Fabio passed the word on to the theme developer, he was assured that "all vulnerabilities would be fixed." Lucio has his doubts, and expects Fabio to hand in his notice any day now.


This post originally appeared on The Daily WTF.
