Wait! What? Changing variables in URL strings is 'ESPECIALLY INGENIOUS' ??

Started by rcjordan, June 15, 2011, 07:25:40 PM

Previous topic - Next topic

rcjordan

"The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said."

http://www.nytimes.com/2011/06/14/technology/14security.html?src=recg&pagewanted=all

So when you login as Citi customer the URL contained your account number. Change around the numbers to another account and Citi let you in that one.  200 thousand times.  Brilliant online security, eh?

Gurtie

QuoteOne security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser

and these people get paid??

does show you how differently peoples brains work though, I would have expected a junior developer to have pointed out the obvious flaw in that system and here's a security expert can't see the problem. Unless citigroup vet all account holders via psychological profiling before giving them an account number of course. Hmm. Consultancy opportuinity.

rcjordan

>200 thousand times

A very slight correction;  make that 360,083  ...well within what anyone would consider to be a reasonable margin of error, right?

Citi Credit Card Hack Bigger Than Originally Disclosed

http://www.wired.com/threatlevel/2011/06/citibank-hacked/