
Thieves Found Citigroup Site An Easy Entry - woan
http://www.nytimes.com/2011/06/14/technology/14security.html
======
michaeldhopkins
Why is that security analyst acting like this was hard to do? I'm not a
cracker and I am always looking at the URL. It would only have taken one out
of Citi's millions of customers to notice the flaw or casually examine a
potential flaw. It seems it was quite easy for the crackers to prepare to
exploit this.

 _Once logged in to [the site reserved for Citi's credit card customers], they
leapfrogged between the accounts of different Citi customers by inserting
various account numbers into a string of text located in the browser’s
address bar.

The method is seemingly simple, but the fact that the thieves knew to focus on
this particular vulnerability marks the Citigroup attack as especially
ingenious, security experts said.

One security expert familiar with the investigation wondered how the hackers
could have known to breach security by focusing on the vulnerability in the
browser. “It would have been hard to prepare for this type of vulnerability,”
he said. The security expert insisted on anonymity because the inquiry was at
an early stage._

~~~
DieBuche
The article itself is just as bad. _...to breach security by focusing on the
vulnerability in the browser_

This sounds like there was a specific browser bug, or is the address bar now a
vulnerability?

 _“It would have been hard to prepare for this type of vulnerability,”_ Hard
to prepare against people changing &acctno=1234567 to &acctno=1234568 ?

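The flaw the thread is describing is a missing server-side ownership check on a client-supplied identifier (commonly called an insecure direct object reference). The Python below is an added example, not code from the article, from Citi's site, or from any commenter: it contrasts a lookup that trusts `&acctno=` with one that verifies the session user actually owns the requested account, and adds a crude log heuristic for noticing a single session walking through consecutive account numbers. The account table, usernames, URL, log lines and `threshold` value are all constructed for illustration.

```python
"""Constructed example: an account lookup keyed on a client-supplied account
number, shown without and then with an ownership check, plus a simple log
heuristic for spotting sequential account-number probing."""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample data: account number -> (owner user id, balance)
ACCOUNTS = {
    "1234567": ("alice", 120.50),
    "1234568": ("bob", 980.00),
    "1234569": ("carol", 15.25),
}


class Forbidden(Exception):
    """Raised when the session user is not allowed to see the account."""


def vulnerable_lookup(session_user, acctno):
    """Trusts the query-string account number outright: any logged-in user
    can read any account. session_user is accepted only to keep the
    signature identical to safe_lookup; it is never consulted."""
    return ACCOUNTS.get(acctno)


def safe_lookup(session_user, acctno):
    """Server-side ownership check: the account must belong to session_user."""
    record = ACCOUNTS.get(acctno)
    if record is None or record[0] != session_user:
        # Same failure for "not yours" and "does not exist", so the endpoint
        # cannot be used as an oracle for which account numbers are valid.
        raise Forbidden("account not accessible")
    return record


def handle_request(session_user, url, lookup):
    """Parse &acctno=... from the URL and dispatch to the chosen lookup.
    Returns the record, or None when access is refused."""
    params = parse_qs(urlparse(url).query)
    acctno = params.get("acctno", [""])[0]
    try:
        return lookup(session_user, acctno)
    except Forbidden:
        return None


# Constructed access-log lines: "<session user> <requested account number>"
SAMPLE_LOG = [
    "bob 1234568",
    "bob 1234567",
    "bob 1234569",
    "alice 1234567",
]


def probing_sessions(log_lines, threshold=2):
    """Return users who requested more distinct account numbers than
    threshold. A crude enumeration heuristic; the threshold is an assumed
    value and would be tuned against real traffic."""
    seen = defaultdict(set)
    for line in log_lines:
        user, acctno = line.split()
        seen[user].add(acctno)
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    url = "https://bank.example.invalid/acct?acctno=1234567"
    print("vulnerable:", handle_request("bob", url, vulnerable_lookup))
    print("safe:      ", handle_request("bob", url, safe_lookup))
    print("probing:   ", probing_sessions(SAMPLE_LOG))
```

The fix is entirely on the server: the account number in the URL is only ever treated as a hint, and the authenticated session decides what it may resolve to. The log heuristic is deliberately simple; in a real deployment it would key on session or source address and look at request rate as well as distinct identifiers.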
~~~
SolarNet
I write a porn site more secure than this... Not only that but the fact they
blame the browser is absurd, they have some crazy incompetent web developers
there.

------
jonknee
What a stunning oversight. Relying on GET IDs to secure their customer
financial data seems almost too amateur to believe. I imagine lawsuits are on
the way.

------
martswite
If what the article says is actually true that simply changing account numbers
in the URL allowed them to access other accounts, then I'm completely
astounded.

Surely this is one of the first things a programmer learns. It's just basic
security.

