The first security flaw I ever found was when the company I worked at used a cookie with an "encrypted" customer ID as sufficient to authenticate to their web app, which allowed you to access a lot of private details and run up substantial bills for the company via various phone services (e.g. you could easily use our APIs to dial 30+ premium rate numbers and let the bills rack up...)
It was a big enough WTF that there was no nonce or time element to the authentication, so that if you got hold of a cookie you could replay it forever.
It was a bigger WTF that the "encryption" looked suspicious, and turned out to simply be base64 of the customer ID.
In a triple whammy, the customer ID that was "encrypted" was a sequentially assigned integer, so it took me about 10 minutes to demonstrate that I could access the accounts of everyone in the company and every customer simply by working backwards from my own ID.
Thankfully my boss at the time was smart enough not to play shoot the messenger. They thanked me, and were somehow amazed that I'd figured out how to "break" the encryption, and asked me to review their fixes, and we went back and forth a few times until it was reasonably secure.
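The cookie scheme described in the post beside a hardened form, as an added illustration that is not code from the original thread: the weak version is transparent base64 of the ID, while the signed version binds the ID to a server key, an issue time and a random nonce so it cannot be forged or replayed indefinitely. The key, TTL and field layout are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed server-side secret; in a real deployment it comes from a secrets store.
SERVER_KEY = secrets.token_bytes(32)
TTL_SECONDS = 3600  # assumed lifetime; bounds how long a stolen cookie replays


def weak_cookie(customer_id: int) -> str:
    """The scheme from the post: 'encryption' that is only base64 of the ID."""
    return base64.b64encode(str(customer_id).encode()).decode()


def weak_cookie_reveals_id(cookie: str) -> int:
    """Anyone holding the cookie can read it; nothing ties it to a session or a time."""
    return int(base64.b64decode(cookie).decode())


def signed_cookie(customer_id: int, issued_at: Optional[int] = None) -> str:
    """Hardened form: 'id.issued_at.nonce' followed by an HMAC-SHA256 tag."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = f"{customer_id}.{issued_at}.{secrets.token_hex(8)}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_signed_cookie(cookie: str, now: Optional[int] = None) -> Optional[int]:
    """Return the customer ID if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie)
        if len(raw) < 33:
            return None
        payload, tag = raw[:-32], raw[-32:]
        cid, issued_at, _nonce = payload.decode().split(".")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time tag check
        return None
    if now - int(issued_at) > TTL_SECONDS:  # expiry caps the replay window
        return None
    return int(cid)
```

Expiry only limits replay; revoking a token before it expires still needs server-side session state, which is why an opaque random session ID stored on the server is the simpler choice for most apps.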
I just updated a colleague's registration to a medical imaging professional body by working back from my own crap login/password which they chose. This was done to save him some time on a busy day. I noticed that his user ID was just a few digits different to mine so tried the same increment on the password. Surprise! I'm not sure how much damage one could really do, but deep frustration could easily be inflicted.