I recently came back across a prank that was pulled some years ago against a local news station. Some college students had found out that the school and business tickers that you are probably familiar with, accepted input directly from the news website. All that was required was to sign up, and put in your business, contact, and hours opened/closed. Now one might think that somebody would check these before they go on live TV, but that’s exactly what didn’t happen in this case. The students proceeded to sign up humorous businesses, and have them displayed on live TV. This happened numerous times before someone at the station caught on and disabled the feature.
What I’m getting at here, is that this could have easily been turned into an attack to harm a company’s reputation. They could have easily posted that Joe Shmoe Inc. was doing something illegal, and potentially caused an HR and legal nightmare for that company. Might even be possible to “Denial of Service” the company! Word spreads that there was no work today, nobody shows up, and no work gets done.
The lesson this shows is that user input should never be trusted. When “user input” is described, usually we think about bad characters in input fields, SQL injections, or cross site scripting. But this example goes to show that those issues are not the only things to be considered.