Related link: http://www.betanews.com/article/Verizon_Glitch_Exposes_Customer_Data/1123859876
In case there is a website application developer who hasn’t gotten the message, I’ll say it loud and clear: Never trust the client application.
Johnathan Zdziarski only wanted to create a simple way to find out his cell phone account balance. The article doesn’t mention if he was trying to create a widget application, a perl command line client, or even a Javascript bookmarklet. It only mentions that he learned about a problem during the development of his code. By substituting someone else’s phone number for his own, he could see the account details for that number.
I’m not criticizing Verizon, because this actually happens to a lot of websites. There are too many web applications that put their faith in session-based URLs, Javascript field validation, or cookies that are set but never verified. Those techniques may have worked fine with actual web browsers. But you can’t be sure anymore that anyone using your site is using a traditional browser.
The Apple website lists over 1000 custom widgets for their Dashboard application. The Konfabulator website lists over 800 widgets for their environment. Now add to that all of the tiny command line scripts that have been around for years. There’s a chance, if you have a really popular or useful website, that somebody out there has created a script that interacts with your site.
That’s probably not a bad thing, unless your script is an old copy of FormMail. A widget can create another method to make your website more useful to people’s needs. Either you can buckle down and create your own, or somebody else might create one for you. Keep in mind that there could be widgets out there that you may not even be aware of, especially if the client is pretending to be Internet Explorer or another browser.
If there are no widgets for your site, at least make sure your server applications are better prepared for them. They should be able to gracefully handle missing or invalid input. They should also have strict security checks in place when the client is requesting sensitive data: the server, not the client, decides whether the authenticated user is allowed to see the record being asked for.
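The server-side check this post calls for, as an added example that is not Verizon’s code or anything from the linked article: a balance lookup that trusts whatever phone number the client sends, next to one that validates the input, verifies the session, and confirms the number belongs to the authenticated account. The account table, session identifiers and phone numbers are constructed for the example.

```python
import re

# Constructed sample data: session account id -> phones it owns and their balances.
ACCOUNTS = {
    "acct-1": {"phones": {"2125550100"}, "balance": {"2125550100": 42.50}},
    "acct-2": {"phones": {"2125550199"}, "balance": {"2125550199": 7.25}},
}

PHONE_RE = re.compile(r"^\d{10}$")  # ten digits, nothing else


def lookup_balance_vulnerable(session_account, phone):
    """The Verizon-style bug: the phone number in the request is the only key.

    The session is never consulted, so any client (browser, widget or
    one-line script) can read any number's balance by changing the parameter.
    """
    for acct in ACCOUNTS.values():
        if phone in acct["balance"]:
            return {"ok": True, "balance": acct["balance"][phone]}
    return {"ok": False, "error": "not found"}


def lookup_balance(session_account, phone):
    """Hardened version: validate input, verify the session, then authorize."""
    # A cookie that is set but not backed by a known account is not a login.
    if session_account not in ACCOUNTS:
        return {"ok": False, "error": "not authenticated"}
    # Missing or malformed input gets a clean error instead of a traceback.
    if not isinstance(phone, str) or not PHONE_RE.match(phone):
        return {"ok": False, "error": "invalid phone"}
    acct = ACCOUNTS[session_account]
    # Authorization: the number must belong to the account that is logged in.
    # Someone else's number gets the same answer as a nonexistent one, so the
    # response does not reveal which numbers exist on other accounts.
    if phone not in acct["phones"]:
        return {"ok": False, "error": "not found"}
    return {"ok": True, "balance": acct["balance"][phone]}
```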

