CSIA Website, debug=”true”

We frequently hear reports about “hackers” successfully bringing down some of India’s premier websites. The IPL-T20 website was once “defaced” and the hackers politely left a message stating that they had exploited a common SQL injection vulnerability.  :pirate:

It’s no surprise that hackers are able to carry out such attacks on the Government’s premier websites. I’ve heard that the folks in charge of the Indian Railway website had their site’s security audited by some security experts after the site came under attack from “foreign” hackers, so that was a positive step forward. But in general, the Government/Agency “outsources” the I.T. implementation of important public websites to some standard Indian IT company that has more than a million employees, most of whom play the role of a small cog in a large wheel.

Sometimes the laziness of that one employee, who's possibly utterly bored of his desk job, is quite evident to the entire world. In the case of the Mumbai International Airport website, it's the dude who's supposed to maintain the web.config file of this Microsoft .NET 2.0/C# based site. Debug mode has been left switched on, letting every curious visitor take a peek under the hood.

Been there. Done that.  :D

Sadly, no one’s cared to review the security of this website.  :knockout:

Here's the dreaded yellow page, which I'm kind of beginning to miss seeing in the projects I'm working on, since they're in PHP and Java (which aren't as colourful when displaying debugging information) :P

(Screenshot: Mumbai Airport Website, debug=true)

Looks like the code queries a Microsoft SQL Server, and the server didn't respond within the interval set by the SqlCommand.CommandTimeout property (30 seconds by default). So this exception isn't thrown on every request, which is probably why it slipped through QA of the website: it surfaces only when SQL Server fails to return data within 30 seconds (or whatever timeout value has been set), for instance when a slow, complex query is being executed, when the database is under heavy load, or when a DoS attack is under way.  :detective:
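To make the failure mode concrete, here is an added C# example (not the airport site's code; the connection string, table, column and method names are placeholders) of how the query should have been written: an explicit CommandTimeout, a parameterised query, and a catch for the timeout error so that the exception is logged server-side and never reaches the browser as a yellow page.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;

// Added illustration, not code from the CSIA website.
public static class FlightQueries
{
    // Placeholder; a real site keeps this in <connectionStrings> in web.config.
    private const string ConnectionString =
        "Server=.;Database=Flights;Integrated Security=true";

    // Returns the matching rows, or null when SQL Server did not answer in time.
    public static DataTable GetArrivals(string airline)
    {
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            // Parameterised: user input never becomes part of the SQL text,
            // which closes the injection hole mentioned in the IPL-T20 defacement.
            cmd.CommandText =
                "SELECT FlightNo, Origin, ETA FROM Arrivals WHERE Airline = @airline";
            cmd.Parameters.Add("@airline", SqlDbType.NVarChar, 50).Value = airline;

            // Explicit timeout in seconds; the SqlClient default is 30.
            cmd.CommandTimeout = 10;

            try
            {
                conn.Open();
                DataTable table = new DataTable();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    table.Load(reader);
                }
                return table;
            }
            catch (SqlException ex)
            {
                // -2 is SqlClient's error number for "Timeout expired".
                if (ex.Number == -2)
                {
                    // Log on the server; the visitor only ever sees a generic page.
                    Trace.TraceWarning("Arrivals query timed out after {0}s",
                                       cmd.CommandTimeout);
                    return null;
                }
                // Any other database error goes to Application_Error / customErrors.
                throw;
            }
        }
    }
}
```

The page that calls GetArrivals should treat a null result as "try again later" rather than as an unhandled exception; anything that is rethrown still lands in Global.asax's Application_Error, which is where it gets logged, and the customErrors setting in web.config decides what the remote visitor sees.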

Whatever the case, debug mode should not be on in production. It hurts performance (the compiler emits unoptimised code with debug symbols, batch compilation is disabled, and request execution timeouts are switched off), and it leaves a gaping security hole: every unhandled exception hands the visitor a stack trace, physical file paths, line numbers and the source code around the failing call. Leaving customErrors off is the other half of the problem, because that is what lets the detailed error page reach remote browsers at all.  :scared:
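For reference, an added before-and-after of the two `<system.web>` settings involved (illustrative fragments, not the airport site's actual web.config; the Error.aspx and NotFound.aspx page names are assumptions):

```xml
<!-- BEFORE: the combination that produces a yellow page like the screenshot.
     Remote visitors get the full stack trace, file paths and source lines. -->
<system.web>
  <compilation debug="true" />
  <customErrors mode="Off" />
</system.web>

<!-- AFTER: what a production web.config should say.
     debug="false" restores optimised JIT output, batch compilation and request timeouts;
     mode="RemoteOnly" keeps the detailed page for a browser on the server itself
     and sends everyone else to a generic error page. -->
<system.web>
  <compilation debug="false" />
  <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
    <error statusCode="404" redirect="~/NotFound.aspx" />
  </customErrors>
</system.web>
```

If you administer the server rather than the application, ASP.NET 2.0 also lets you put `<deployment retail="true" />` under `<system.web>` in machine.config, which forces debug off, customErrors on and tracing off for every site on the box, regardless of what an individual web.config says.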

Anybody listening?

This entry was posted in Programming, Rants, Review. Bookmark the permalink.

One Response to CSIA Website, debug=”true”

  1. I'm listening loud and clear. It's an amateur mistake that, depending on the level of compromise (E.g.: government website), would warrant demotion and/or immediate termination not only for the developer, but also for any tester or manager who should have caught it in the pipeline. There is a reason Americans frown upon outsourcing to places like India other than the loss of local jobs. The laziness and arrogance of some of those IT companies abroad foster limited critical thinking and low quality code, not to mention a lack of common sense.

    Unfortunately, some American companies like Dave and Buster’s are not immune to big mistakes either.
