Author Topic: Wait! What? Changing variables in URL strings is 'ESPECIALLY INGENIOUS' ??  (Read 1594 times)

rcjordan

  • I'm consulting the authorities on the subject
  • Global Moderator
  • Hero Member
  • *****
  • Posts: 16427
"The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said."

http://www.nytimes.com/2011/06/14/technology/14security.html?src=recg&pagewanted=all

So when you logged in as a Citi customer, the URL contained your account number. Change the numbers to another account and Citi let you into that one.  200 thousand times.  Brilliant online security, eh?
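
The flaw rcjordan describes is an insecure direct object reference: the server checks that you are logged in, then trusts the account number in the URL without checking that it belongs to you. The following is an added example, not code from the thread or from Citi, with a constructed account table, session store and request log; the handler names, the URL shape and the log format are assumptions. It shows the vulnerable handler beside the corrected one, and a log check a defender could run, since one session touching many different account numbers is the signal this kind of attack leaves behind.

```python
from collections import defaultdict

# Constructed sample data: two customers, each owning one card account.
ACCOUNTS = {
    "4000000000001": {"owner": "alice", "balance": 1250.00},
    "4000000000002": {"owner": "bob", "balance": 87.50},
}

# Server-side session store keyed by session id (assumed shape).
SESSIONS = {
    "sess-alice": {"user": "alice"},
    "sess-bob": {"user": "bob"},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def view_account_vulnerable(session_id, account_id):
    """Checks only that the caller is logged in, then trusts the account id from the
    URL. Any authenticated user can read any account simply by changing the number."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        raise NotFound(account_id)
    return acct


def view_account_fixed(session_id, account_id):
    """Authorises the object, not just the session: the requested account must belong
    to the user the session was issued to."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        raise Forbidden("not logged in")
    acct = ACCOUNTS.get(account_id)
    # Same response for "does not exist" and "not yours", so the URL cannot be used
    # to enumerate which account numbers are live.
    if acct is None or acct["owner"] != sess["user"]:
        raise NotFound(account_id)
    return acct


# Constructed access-log lines: "<session id> GET /account/<account id>".
SAMPLE_LOG = """\
sess-alice GET /account/4000000000001
sess-bob GET /account/4000000000002
sess-bob GET /account/4000000000003
sess-bob GET /account/4000000000004
sess-bob GET /account/4000000000005
sess-alice GET /account/4000000000001
"""


def sessions_touching_many_accounts(log_text, threshold):
    """Detection: return session ids that requested at least `threshold` distinct
    account ids. A legitimate customer sees their own handful of accounts; a session
    walking through account numbers stands out by breadth, not by volume."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("/account/"):
            continue
        session_id, _, path = parts
        seen[session_id].add(path.rsplit("/", 1)[1])
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # bob reads alice's account through the vulnerable handler, but not the fixed one
    print(view_account_vulnerable("sess-bob", "4000000000001"))
    try:
        view_account_fixed("sess-bob", "4000000000001")
    except NotFound as e:
        print("fixed handler refused:", e)
    print(sessions_touching_many_accounts(SAMPLE_LOG, 3))
```

The fix is one comparison, which is Gurtie's point below about how obvious the flaw is; the harder part in a real deployment is making sure every handler that takes an object id from the request performs that ownership check rather than relying on the login check alone.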

Gurtie

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1628
Quote
One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser

and these people get paid??

It does show you how differently people's brains work though. I would have expected a junior developer to have pointed out the obvious flaw in that system, and here's a security expert who can't see the problem. Unless Citigroup vet all account holders via psychological profiling before giving them an account number, of course. Hmm. Consultancy opportunity.

rcjordan

  • I'm consulting the authorities on the subject
  • Global Moderator
  • Hero Member
  • *****
  • Posts: 16427
>200 thousand times

A very slight correction; make that 360,083... well within what anyone would consider to be a reasonable margin of error, right?

Citi Credit Card Hack Bigger Than Originally Disclosed

http://www.wired.com/threatlevel/2011/06/citibank-hacked/