Brian Likes the URL String

In my capacity in software QA working on Web applications, I know there’s no easier means of havoc than to mess with the URL string sent to the Web application. Looks as though some “hackers” have discovered the same with a university application, um, application:

The ApplyYourself code had a bug such that editing the URL in the “Address” or “Location” field of a Web browser window would result in an applicant being able to find out his admissions status several weeks before the official notification date. This would be equivalent to a 7-year-old being offered a URL of the form http://philip.greenspun.com/images/20030817-utah-air-to-air/ and editing it down to http://philip.greenspun.com/images/ to see what else of interest might be on the server.

But I bet the company saved a bundle of money by avoiding the whole quality assurance thing.

(Link seen on Outside the Beltway.)
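The QA check this calls for, as an added example that is not code from ApplyYourself or from the quoted post: a small URL-tampering suite run against a handler that decides access on the server, next to a stand-in handler that trusts whatever the URL says. The /decision path, the id parameter, the session tokens, the release date and the records are all constructed for illustration; the page does not show the real application's URLs.

```python
from datetime import date
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (assumptions, not taken from the real application).
RELEASE_DATE = date(2030, 4, 1)                    # official notification date
DECISIONS = {"1001": "admit", "1002": "deny"}      # applicant id -> decision
SESSIONS = {"sess-a": "1001", "sess-b": "1002"}    # session token -> applicant id

def handle_trusting(url, session, today):
    """Stand-in for the failure mode: serves whatever id the URL names."""
    ids = parse_qs(urlsplit(url).query).get("id", [])
    if ids and ids[0] in DECISIONS:
        return 200, DECISIONS[ids[0]]
    return 404, ""

def handle(url, session, today):
    """Hardened form: identity comes from the session, timing from the server clock."""
    parts = urlsplit(url)
    if parts.path != "/decision":
        return 404, ""
    applicant = SESSIONS.get(session)
    if applicant is None:
        return 401, ""
    ids = parse_qs(parts.query).get("id", [])
    # The URL is user-editable input: reject missing, repeated or foreign ids.
    if len(ids) != 1 or ids[0] != applicant:
        return 403, ""
    # Extra parameters cannot unlock anything; only the release date can.
    if today < RELEASE_DATE:
        return 403, ""
    return 200, DECISIONS[applicant]

def tampering_suite(handler):
    """Edited URLs that must never return a decision; returns the cases that did."""
    before, after = date(2030, 3, 1), date(2030, 4, 2)
    cases = [
        ("/decision?id=1001", "sess-a", before),             # own record, too early
        ("/decision?id=1002", "sess-a", after),              # someone else's record
        ("/decision?id=1001&id=1002", "sess-a", after),      # repeated parameter
        ("/decision?id=1001&released=1", "sess-a", before),  # guessed extra flag
        ("/decision?id=1001", None, after),                  # no session at all
        ("/decision/", "sess-a", after),                     # path edited by hand
    ]
    return [c for c in cases if handler(*c)[0] == 200]
```

An empty list from tampering_suite means every edited URL was refused; each tuple it returns is a request that leaked a decision.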
