You might have read this on Hacker News/reddit, but still, this is too much of a WTF NOT to share.
Basically, if you try to log in to the Caledonian Record (a St. Johnsbury, Vermont based media website which
recently put the site behind a paywall and I can no longer catch up on hometown news),
you get an “announcement” of epic proportions:
RETURNING CUSTOMERS, PLEASE NOTE THE FOLLOWING SECURITY CHANGE: YOUR USERNAME WILL NOW SERVE AS YOUR PASSWORD AND YOUR PASSWORD WILL NOW SERVE AS YOUR USERNAME
“Icing” on the cake?
Not surprisingly, x' AND email IS NULL; -- works as the username with no password. Injection FTL.
It seems like any username that includes a semicolon at any point will authenticate.
Security change, indeed.
via Hacker News | Your Username Will Now Serve as Your Password and Your Password as Your Username.
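An added example, not part of the original post and not the site's code: a minimal Python/sqlite3 login check showing why the username string quoted above rewrites a query built by string concatenation, and how a parameterized query keeps it as plain data. The table, the accounts and the function names are constructed for illustration; the real site's backend and schema are unknown.

```python
import sqlite3

PAGE_INPUT = "x' AND email IS NULL; --"  # the username string quoted in the post

def make_db():
    """Constructed sample table; not the real site's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    # Plaintext passwords keep the demo short; store a salted hash in practice.
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "alice@example.com"),
        ("x", "s3cret", None),  # constructed account with no email on file
    ])
    return db

def login_concatenated(db, username, password):
    """Anti-pattern: input is pasted into the SQL text, so a quote ends the
    string literal and '--' comments out the password predicate."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a query that fails to parse must deny the login

def login_parameterized(db, username, password):
    """Hardened form: values are bound as data, so quotes, semicolons and
    '--' are compared literally against the username column."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for fn in (login_concatenated, login_parameterized):
        print(fn.__name__, fn(db, PAGE_INPUT, ""))
```

The concatenated version accepts the string with an empty password because the password clause never reaches the database; the parameterized version looks for a user literally named `x' AND email IS NULL; --` and finds none.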