I work for a retail store which caters to many of the western states. Our main goal is to "provide entertainment to mid-sized communities."

The company, hereafter referred to as the Company, uses all manners of technology to expedite the sales process. Computers control inventory, till audits, payroll, scheduling, price control, POS, timeclock, and inter/intra-store email.

PART ONE:
Each associate is assigned a PID (Payroll ID) and with that a set of security permissions. The Company system is a custom frontend sitting on top of SCO. Each cash register and floor computer is networked to the store server in the back room. That computer in turn is connected to the Home Office, in an undisclosed state.

The interesting part about our system is that it is one system on top of another. This means that one way of bypassing the security is to bypass the system altogether.

When the server starts up, it automatically logs itself in as "manager", the equivalent to root in the Company system, since all files have the Unix permissions of "manager". From there you are landed into the main screen, where you would log in with your PID to each of the submenus.

One of the options on the submenu is the Lynx Browser, used by us to browse the corporate intranet site. (You may wonder how one could come by this option, as it is located in a password protected submenu, but the employees frequently leave this menu open.) One of the glorious features of Lynx is that, by pressing the ! key, you are dropped into a shell. Normally, this would not be such a big deal, since one would typically have the same permissions, but in this case, it is very BAD.

This little feature, overlooked by the corporate programmers, allowed one to browse the store server in complete Unix power. One could change till audits (which could lead to unnoticed theft), change inventory (which would lead to unnoticed theft), change payroll info (which would lead to unnoticed theft), EVERYTHING.
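For comparison, here is how a menu entry like that one can be launched so the ! key no longer hands out a shell with the server's privileges. This is an added example, not the Company's code; the account names "manager" and "intranet" and the intranet URL are assumptions, and the restriction keywords are Lynx's own -restrictions= options.

```shell
#!/bin/sh
# Hardened launcher for an intranet Lynx menu entry (added example, not
# the Company's code). Two fixes for the flaw described above:
#   1. refuse to start when the menu is running as the privileged account
#      that the server auto-logs in as ("manager", an assumed name), and
#   2. start Lynx with its built-in -restrictions= list so that "!",
#      Ctrl-Z, the external editor and other routes to a shell are closed.

PRIVILEGED_USER="manager"                 # account the server auto-logs in as
BROWSER_USER="intranet"                   # assumed unprivileged browsing account
INTRANET_URL="http://intranet.example/"   # placeholder for the corporate site

# Restriction keywords understood by Lynx's -restrictions= option; each one
# disables a different way of getting from the browser to a shell or file.
lynx_restrictions() {
    printf '%s' "shell,suspend,exec,editor,download,print,lynxcgi,goto,file_url,jump"
}

# Return 0 when the given account may run the browser, 1 otherwise.
browser_user_allowed() {
    user="$1"
    if [ "$user" = "$PRIVILEGED_USER" ] || [ "$user" = "root" ]; then
        return 1
    fi
    return 0
}

launch_intranet_browser() {
    current="$(id -un)"
    if ! browser_user_allowed "$current"; then
        echo "refusing to start the browser as privileged user '$current'" >&2
        return 1
    fi
    # The menu itself should already be running as $BROWSER_USER; the
    # restriction list is defence in depth on top of that.
    exec lynx -restrictions="$(lynx_restrictions)" "$INTRANET_URL"
}

# Only launch when explicitly asked, so the functions can be sourced/tested.
case "${1:-}" in
    --run) launch_intranet_browser ;;
esac
```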

In theory, since the systems are all networked, one could transfer their session over to the corporate server (same permissions, no password) and send out nationwide commands. You know what shutting down every computer in 30 states could do for a business? A lot of damage.

Thankfully, my ambitions are not so evil. After some browsing around (and finding out I am the least paid employee there), I reported the flaw to corporate, who in turn fixed the exploit (on a temporary basis - more later) and quietly shushed me. Just goes to show how even big businesses can let stupid things go past them.

Part Two will be written upon review of the comments made about this post.

~Em

P.S. - I am still the lowest paid employee.