First American Financial Corp’s recently exposed good amount of data(885 million files related to real estate data) to the external folks.Probably this leak impacted close 885 million folks assuming each file relates to one property and one person or family.
The leak mainly happened by modifying the URL parameter of the request. I have written quite a bit of code to fetch some files for viewing online, downloading etc. etc..
Most common way of writing these type of functionality is that you write a controller class to get file for viewing(render document on browser for viewing),you have some service layer which populates file template, and then some data access layer which either fetches data based on some id from database or cache store to populate the template.All these steps along document viewing happens most frequently via GET verb. Of Course you can have secured GET requests.
The whole purpose of GET verb is to fetch the resource which it does as described in specs. However I feel document viewing is special type of use case which I believes requires a special http verb to deal which browsers most of the times can provide inbuilt protection for cases like First American Financial Corp (similar as Browsers prompt for double submits).
This verb will help to solve other issues as well like malware, excessive ads, virus problems, etc. etc.. This verb will make web much cleaner.
PS : Though I know that First American Financial Corp’s leak is due to poor development practices but I believe that generally browser or Web specs should provide first level of defense against these types of lapses.
Comments are closed here.