Abstract: We present an empirical examination of an authentication system deployed in production at a Fortune 500 financial services organization, responsible for securing the personally identifiable data of approximately eleven million account holders. Our analysis reveals a constellation of vulnerabilities of both foundational and catastrophic character. This paper documents findings in ascending order of severity and concludes with remediation recommendations. The lead author maintains a tone of professional objectivity throughout. ^[1]

1. Background and Methodology

The subject codebase was made available to this researcher following an internal audit which flagged, and I quote the original escalation email verbatim, "some concerns." The researcher holds three degrees in relevant disciplines, four professional certifications, and has spent the better part of a decade formally verifying cryptographic protocols for organizations that handle real money and real consequences. The researcher accepted this engagement as a professional courtesy, in exchange for a single-malt Scotch of unspecified vintage. ^[2]

The primary authentication module was a monolithic Python file. Its name was auth_final_v2_FIXED_real_final.py. It was 14,000 lines long. This researcher would like to note, clinically, that 14,000 lines is not a file. It is a clusterfuck that has been compressed into a file. The researcher took a moment. Made coffee. Returned. The file remained. ^[3]

2. Findings

2.1 Password Hashing (Severity: Critical)

The hashing algorithm employed was MD5. MD5 is the algorithm that security researchers point to when they need a reference for "cryptographically broken." It has been formally deprecated for this use case since approximately the time a reasonable person would have finished graduate school. However — and this researcher acknowledges that introducing a "however" at this juncture requires significant composure — the implementation did not merely use MD5. It used MD5, then reversed the resulting digest as a string, then applied MD5 a second time, then XOR'd the result against the plaintext username. Adjacent to this logic was an inline comment reading // double encryption for extra security - Jake 2019. ^[4]

2.2 Session Token Generation (Severity: Critical)

Session tokens were implemented as sequential integers beginning at the value 1. To enumerate active sessions, an adversary would add or subtract 1 from their own session identifier. This is not a vulnerability requiring exploitation. It is more accurately described as an architectural invitation. Verification of this finding was accomplished by incrementing the researcher's own session token by one, which produced an authenticated session belonging to an account holder named Deborah, employed in an accounting function. Deborah was not informed. The researcher apologizes to Deborah and hopes her data remained otherwise undisturbed. ^[5]

2.3 Password Reset Mechanism (Severity: Critical)

The password reset token was derived from the Unix timestamp at the time of the reset request, with second-level precision. An adversary with approximate knowledge of when a reset was initiated — a five-minute window yields exactly 300 candidate values — could brute force valid tokens with trivial effort. This researcher, as a thought experiment, estimated how long manual enumeration with pen and paper would require. The estimate was uncomfortable. ^[6]

2.4 SQL Injection (Severity: Critical)

User-supplied input was concatenated directly into a SQL query string without parameterization or sanitization of any kind. A comment marked the location of this issue: // TODO: fix this later. Git blame indicated this comment was authored in 2017. This paper was written in 2026. "Later," operationally speaking, had not materialized. The researcher acknowledges that nine years is a long time to maintain a TODO comment above an arbitrary code execution vector and declines to characterize what this implies about the organization's engineering culture, as doing so would not be professional. ^[7]

2.5 Hardcoded Administrative Credential Bypass (Severity: There Are Not Words)

A conditional branch evaluated two hardcoded literals: username superadmin and password letmein123. When matched, this branch bypassed the entire authentication stack and granted unrestricted access to all system privileges and all account holder data. All eleven million records. The inline comment read: // for debugging - remember to remove before production. The commit timestamp was 2018. ^[8]

This researcher closed the laptop. Walked to the kitchen. Poured something. Stared out a window at nothing in particular for an unspecified duration. ^[9]

3. Recommended Remediation

A 47-page report was prepared, color-coded by severity, with diagrams, exploit proofs-of-concept, and a section titled "How This Could Have Been Avoided." Management's initial response was to request that the fixes be "phased in over the next fiscal year," which this researcher communicated was inadvisable in terms usually reserved for peer review rejections, then escalated to terms not usually found in peer review at all.

A commercial consulting firm subsequently produced a 200-page analysis confirming every finding in this researcher's report and identifying twelve additional vulnerabilities. They charged $400,000. This researcher charged one bottle of Scotch and is reassessing their rates.

Remediation was completed in three months. During those three months, eleven million account holders were protected from exploitation by exactly nothing except the fact that the codebase was sufficiently labyrinthine to confuse an attacker attempting navigation. The researcher categorizes this as "security through having written truly incomprehensible code." It is not a recognized defense posture.

4. Conclusion

Jake, wherever you are: this paper is not personal. It is a scientific record. The researcher holds no ill will. The researcher does think about the XOR'd MD5 double-hash with some frequency. The researcher is fine.

Footnotes:

^[1] The researcher maintains this tone until approximately section 2.5, at which point objectivity becomes aspirational.

^[2] It was a good Scotch. The codebase did not deserve it.

^[3] "auth_final_v2_FIXED_real_final.py" is a filename that contains, in encoded form, the complete history of poor project management at this organization.

^[4] Jake, if you have read this far: what the fuck were you thinking. The XOR step did not help. Nothing about this helped. Read a goddamn book.

^[5] The researcher would like to acknowledge that this finding required approximately four seconds to verify, which places it in the category of vulnerabilities so elementary they are nearly conceptual art.

^[6] Three minutes. The estimate was three minutes.

^[7] The researcher is choosing not to characterize this. See how restrained that is. Nine goddamn years. A SQL injection. "Later." Unbelievable.

^[8] The password letmein123 would fail the minimum complexity requirements of most children's educational platforms. This researcher has verified this claim empirically and wishes it had not been necessary to do so.

^[9] Duration: approximately twelve minutes. The researcher is fine. This is noted for completeness.

— VexNull, 2026