Let’s imagine it’s still summer. The sun is shining, there’s a lovely breeze and the house is a little stuffy, so what better time to open the back door into the garden and let some fresh air in?
You're upstairs somewhere, the front door is locked, the gate into the back garden is pretty awkward to open and there are a million kids' toys littering the path anyway, so it’s not like anyone would walk straight in and steal anything, right?
Developers are known to use the same logic to leave themselves easy ways into their apps, for a number of reasons, including:
- To speed up development testing of minor changes
- To gain low-level access to the app's internal workings
Let’s examine these in more detail...
Writing a secure portal into anything is hard work, but when you have to log in time and time again just to debug little code changes it becomes really tedious. You can see how the temptation to create a quick and easy shortcut would be hard to resist, especially if you're coding on a budget or to a deadline. Once written, these shortcuts are often left in and then forgotten about, creating a weak spot for a hacker to seek out.
The problem with a user-facing front end is that it is usually simplified and misses all the crucial data a developer really wants to see to debug an issue quickly, so quick and dirty direct access to the underlying O/S and any databases would really speed things up. This, however, also grants unintended access to view and modify any part of the system, which a hacker will find extremely useful. Once a hacker has low-level access to the system, getting at stored personal details, addresses, credit cards and any other sensitive information becomes a formality. That access is under the radar, away from all the tedious security checks and limited permissions that ordinary users have to endure. Perfect.
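To make the "quick and easy shortcut" concrete, here is an added example (written for this article, not code from the author or any real app; the request shape, config fields and function names are all assumed). It shows the kind of magic-parameter bypass described above, the alternative a developer could have used instead (a development-only helper that issues a real session rather than skipping the check), a start-up check that refuses to run a non-development build with the switch still on, and a crude review aid that flags lines which look like leftover debug switches.

```python
"""Debug-shortcut back doors: the vulnerable pattern beside a fail-closed design.

Added example, not from the original post. Request, Config and every function
name here are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Request:
    path: str
    query: dict = field(default_factory=dict)
    session_user: Optional[str] = None  # populated only by a real login


@dataclass
class Config:
    environment: str            # "development", "staging" or "production"
    debug_bypass: bool = False  # the kind of switch that gets forgotten


class UnsafeConfiguration(Exception):
    """Raised when a debug convenience would be active outside development."""


# 1. The shortcut the article describes. A developer adds `?debug=1` so they can
#    reach admin pages without logging in, and it ships to production unchanged.
#    Anyone who learns the parameter is authorised, in every environment.
def is_authorised_shortcut(req: Request) -> bool:
    if req.query.get("debug") == "1":   # TODO remove before release (it never was)
        return True
    return req.session_user is not None


# 2. Hardened: exactly one authorisation path, with no flags or magic values.
def is_authorised(req: Request) -> bool:
    return req.session_user is not None


# What the developer actually wanted: a fast way to get a logged-in request while
# testing. It mints a real session instead of bypassing the check, and refuses
# to work at all outside a development build.
def dev_login(config: Config, user: str, path: str = "/admin") -> Request:
    if config.environment != "development":
        raise UnsafeConfiguration("dev_login is only available in development")
    return Request(path=path, session_user=user)


# 3. Fail closed at start-up: a forgotten switch stops the deployment rather than
#    silently opening it.
def preflight(config: Config) -> Config:
    if config.debug_bypass and config.environment != "development":
        raise UnsafeConfiguration(
            f"debug_bypass is enabled in {config.environment}; refusing to start")
    return config


# 4. A crude review aid: flag lines that mention a debug-style switch AND either
#    unconditionally grant access or compare against a magic value. Heuristic only;
#    it is meant to feed a code review, not replace one.
_SWITCH_WORD = re.compile(r"debug|bypass|skip_auth|backdoor", re.IGNORECASE)
_GRANT_OR_MAGIC = re.compile(r"\breturn\s+True\b|==\s*['\"][^'\"]+['\"]")


def find_debug_switches(source: str) -> List[Tuple[int, str]]:
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _SWITCH_WORD.search(line) and _GRANT_OR_MAGIC.search(line):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample source for the review aid (not real project code).
SAMPLE_SOURCE = """\
def check(req):
    if req.query.get("debug") == "1":  # TODO remove before release
        return True
    return req.user is not None
"""


if __name__ == "__main__":
    anon = Request(path="/admin", query={"debug": "1"})
    print("shortcut lets the anonymous request in:", is_authorised_shortcut(anon))
    print("hardened check rejects it:", is_authorised(anon))
    print("dev_login gives a real session:",
          is_authorised(dev_login(Config("development"), "dev")))
    for lineno, text in find_debug_switches(SAMPLE_SOURCE):
        print(f"review: line {lineno}: {text}")
    try:
        preflight(Config("production", debug_bypass=True))
    except UnsafeConfiguration as exc:
        print("preflight:", exc)
```

The point of the design is that the convenience the developer wanted still exists, but it produces a normal session and cannot be reached from a production build, so there is nothing for a later staff change or rushed release to forget. The `find_debug_switches` heuristic will produce false positives on ordinary logging code; treat its output as a list of lines to read, not as verdicts.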
Most back doors aren't intentionally left open forever. They are the product of good intentions and bad practices, and with changes in staff, projects and code features it’s not hard to imagine how they get overlooked.
High-profile data thefts continue to be reported in the press, and bewildered tech bosses stare at their heavily encrypted website with its super-secure, tough-to-remember password rules and can't figure out how it happened. It’s easy to make the dangerous presumption that everyone will come in an orderly fashion to the heavily secured front door, ring the bell and wait patiently. In reality, if the back door is ajar, the gate can be opened with a little effort and the other minor obstacles can easily be stepped over, so a theft eventually becomes inevitable.