I didn't know any better
One day, when I was in elementary school (mid-2000s), I decided I would create a personal website to share games, news, and other cool tidbits of my life with my friends and family. I also wanted it to be password protected so that only my friends would see it, and to prevent big bad internet strangers from seeing private information (oh how times have changed).
However, I didn’t know anything about HTTP authentication, HTML forms, databases, or security best practices. I couldn’t care less, and figured I would find a way. I was, after all, in elementary school. Like, 10 years old maybe.
So I set out to build that website, and used the one technology I knew could achieve this: Flash.
That’s right, good old
.swf files and all.
I first implemented the password protection this way: within the Flash view, there was a login screen with a single field where my friends would type in the password. Naturally it was a hardcoded password, straight in the .swf, because why the hell not, I’m 10 years old, this is fine.
What is this sound I hear? Ah, yes, that’s the sound of security engineers from around the world screaming in unison. Yes. I know. Again, I was 10 years old.
I encountered a problem pretty early though: what if I wanted to show different things to different people? Hmm.
Instead of sharing the protecting the website with the same password for all my friends and family members, I would need them to each have their own password (because duh, security), and on top of that, surface different things to different people. So…
Again, with the infinite creativity of a 10-year-old who has no idea what they’re doing, I found a brilliant solution:
Create a separate .swf file for each of my friends, with a different hardcoded password in every of them, and serve them all as different files on my ISP-provided web server.
YES. I KNOW.
Amazing, isn’t it?
I just didn’t know any better.