You Can’t Say QAHY Didn’t Warn You

I said in a Two Minute QAte I’d seen payment portals vulnerable to changing parameters in the querystring. Apparently, Citi had the same problem:

Details have emerged as to how hackers were able to steal over 200,000 Citi customer accounts, including names, credit card numbers, mailing addresses and email addresses. It turns out quite easily, in fact. All they had to do was log in as a customer and change around a few numbers in the browser’s URL bar, NYT reports. Facepalm.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else’s account.

More details at this New York Times article, which quotes anonymous security “experts”:

The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.

One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. “It would have been hard to prepare for this type of vulnerability,” he said. The security expert insisted on anonymity because the inquiry was at an early stage.

I wish they had put their names to it so the real world could know which security experts would call this an ingenious exploit of a browser flaw. Seriously. Dudes, and I say “Dudes” because that’s how the other kids in your college dorm address you, this is not a browser flaw. This is an application flaw. And one that you could fix if only you, I dunno, were “experts” in basic software testing.
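To make the "application flaw, not browser flaw" point concrete, here is an added example (my own illustration, not code from the post or from Citi) of a minimal account-view handler written two ways: one that trusts the account id straight from the query string, and one that checks the id against the logged-in customer's session. The account data, user names, `Forbidden` class and the `idor_test` helper are all constructed for the example; the test is the kind of basic check the post says any tester could have run.

```python
"""Added example (not from the original post): an account-view handler that
trusts the id in the URL, beside the same handler with an ownership check.
All data, names and the session model below are constructed for illustration."""

from urllib.parse import parse_qs

# Constructed sample data: which logged-in customer owns which account id.
ACCOUNTS = {
    "1001": {"owner": "alice", "card_last4": "1111"},
    "1002": {"owner": "bob", "card_last4": "2222"},
}


class Forbidden(Exception):
    """Raised when a customer asks for an account that is not theirs."""


def parse_query(query_string):
    """Return query-string parameters as a flat dict, e.g. 'acct=1002' -> {'acct': '1002'}."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def view_account_vulnerable(session_user, query_string):
    """The flaw described in the post: the id taken from the URL is used as-is.
    The authenticated user is never compared with the account's owner."""
    acct_id = parse_query(query_string).get("acct")
    return ACCOUNTS.get(acct_id)  # whoever is logged in gets whatever id they typed


def view_account_fixed(session_user, query_string):
    """Same handler, with the lookup bound to the authenticated session."""
    acct_id = parse_query(query_string).get("acct")
    account = ACCOUNTS.get(acct_id)
    if account is None or account["owner"] != session_user:
        # "Does not exist" and "not yours" get the same response, so the error
        # does not tell a caller which account ids are valid.
        raise Forbidden(f"user {session_user!r} may not view account {acct_id!r}")
    return account


def idor_test(handler):
    """The basic test: log in as alice, tamper the id to bob's account, and
    report whether bob's data came back. Returns True if the handler leaks."""
    try:
        result = handler("alice", "acct=1002")
    except Forbidden:
        return False
    return result is not None and result["owner"] == "bob"


if __name__ == "__main__":
    print("vulnerable handler leaks:", idor_test(view_account_vulnerable))  # True
    print("fixed handler leaks:     ", idor_test(view_account_fixed))       # False
```

The fix is not a browser setting and not obscure: the handler must derive authorization from the session it already has, rather than from an identifier the client is free to edit. A regression test like `idor_test` belongs in the suite for every endpoint that takes an object id.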

Here’s a primer, dudes:

(Story seen via Rob Lambert tweet.)

UPDATE: Maybe those security experts quoted by the New York Times were the in-house team responsible for the recent New York Times pay wall fiasco.
