Citibank security hole

from the there-is-no-excuse-for-this dept

As a Citibank credit card holder I often check my account statement online. In fact, I don't even get paper statements from them. I recently discovered a security hole in their system. Anyone can view transaction records of any account holder, without any password or username. Don't believe me? Click on this link. That's the monthly membership fee for my account with Citibank. There is absolutely no excuse for this type of security hole from any online site, much less a bank.




Reader Comments

  1.  

    Look closer...

    Greg Funk, Oct 29th, 2000 @ 5:43pm

    You should look closer at the URL. This is merely a way of posting information to the page (albeit a lame method). There is no account information related to you. You can confirm this by changing some of the parameters in the URL and getting new output. Try this:

    https://www.accountonline.com/CB/amount.jsp?POSTING_DATE=10%2F20%2F00&SALE_DATE=10%2F20%2F00&TRANSACTION_TYPE_TEXT=ANONYMOUS+USAGE&REFERENCE_NUMBER=00000000&PERSON_NAME=&TRANSACTION_AMOUNT=1000.00&FOREIGN_CURRENCY=&MERCHANT_DESCRIPTION=ANONYMOUS+USAGE+OCT+00-SEP+01++++++++++++&SIC_DESCRIPTION=++++++++++++++++++++++++++++++++++++++++&STATEMENT_DATE=10%2F19%2F00

    Now this would all change if account number and any reference numbers were part of the URL passed.

    Greg


  2.  

    Re: Look closer...

    Dan Miller, Oct 29th, 2000 @ 10:43pm

    You are right that it is a posting method. The point is not the stupidity of the URL formation, but the fact that anyone could sit down at my computer, start to type the Citibank address and have the rest auto-filled in, including the URL with the transaction information. This is utterly stupid programming and a security hole, in my view.


  3.  

    Re: Look closer...

    mhh5, Oct 29th, 2000 @ 11:10pm

    I hope you've reported that hole... But it's not an uncommon thing....


  4.  

    The URL is secure

    Ookami, Oct 30th, 2000 @ 9:21am

    After playing with the URL you posted for a min or two I have determined that the only thing that could be potentially insecure about it is that someone could grab your account number. Using that URL though does not pose any security risk. The only place the information in that URL goes is into a script that formats whatever is in it. Their database is not accessed. Check out my modification of the link here to see an example.

    Otakudo - The Way of the Nerd.

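Comments 1 and 4 both make the same technical point: the amount.jsp link carries the displayed values inside its own query string rather than pulling them from an account record. The Python script below is an added example, not Techdirt's, Citibank's or any commenter's code. It decodes the URL quoted in comment 1 (copied with the line-wrapping removed) to list exactly which transaction fields the link carries, models the "format whatever is in the URL" behaviour the commenters describe, and puts beside it a hardened design in which the URL holds only an opaque id that is resolved under the logged-in account, which is what removes the history/autocomplete exposure raised in comment 2. The account and transaction ids in the hardened model's store are constructed placeholders.

```python
"""Added example: decode the link quoted in the thread and show that every
value the amount.jsp page displays is carried by the link itself."""
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the URL posted in comment 1 above (line-wrap spaces
# removed). Nothing in it identifies an account.
SAMPLE_URL = (
    "https://www.accountonline.com/CB/amount.jsp?POSTING_DATE=10%2F20%2F00"
    "&SALE_DATE=10%2F20%2F00&TRANSACTION_TYPE_TEXT=ANONYMOUS+USAGE"
    "&REFERENCE_NUMBER=00000000&PERSON_NAME=&TRANSACTION_AMOUNT=1000.00"
    "&FOREIGN_CURRENCY=&MERCHANT_DESCRIPTION=ANONYMOUS+USAGE+OCT+00-SEP+01++++++++++++"
    "&SIC_DESCRIPTION=++++++++++++++++++++++++++++++++++++++++&STATEMENT_DATE=10%2F19%2F00"
)

# Query parameters that describe a transaction. When these arrive in a GET
# query string, the statement detail travels inside the URL and is kept
# wherever URLs are kept: browser history, address-bar autocomplete,
# proxy and web-server access logs.
TRANSACTION_PARAMS = {
    "POSTING_DATE", "SALE_DATE", "REFERENCE_NUMBER", "PERSON_NAME",
    "TRANSACTION_AMOUNT", "MERCHANT_DESCRIPTION", "STATEMENT_DATE",
}


def query_fields(url):
    """Decode the query string into {name: value}: '+' becomes a space,
    %XX escapes are decoded, and the padding spaces are stripped."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0].strip() for name, values in parsed.items()}


def transaction_fields_in_url(url):
    """Names of the transaction parameters that carry a non-empty value."""
    fields = query_fields(url)
    return sorted(name for name in TRANSACTION_PARAMS if fields.get(name))


def render_from_query(url):
    """Model of the behaviour the commenters describe: the page formats
    whatever the link carries. The output depends only on the URL, so the
    same link shows the same text to anyone, and an edited link shows the
    edited text; no account data is read."""
    f = query_fields(url)
    return "{} {} {}".format(
        f.get("SALE_DATE", ""),
        f.get("MERCHANT_DESCRIPTION", ""),
        f.get("TRANSACTION_AMOUNT", ""),
    ).strip()


# Constructed sample store for the hardened model, keyed by the account the
# session is logged in as. The ids are hypothetical, not Citibank's.
TRANSACTIONS = {
    "acct-A": {
        "tx-1": {"SALE_DATE": "10/20/00",
                 "MERCHANT_DESCRIPTION": "MEMBERSHIP FEE",
                 "TRANSACTION_AMOUNT": "50.00"},
    },
}


def render_from_session(session_account, tx_id):
    """Hardened model: the link carries only an opaque id and the record is
    read from the authenticated account's own data. A remembered or
    autocompleted link then reveals no dates, merchants or amounts, and an
    id that belongs to a different account resolves to nothing."""
    record = TRANSACTIONS.get(session_account, {}).get(tx_id)
    if record is None:
        return None
    return "{SALE_DATE} {MERCHANT_DESCRIPTION} {TRANSACTION_AMOUNT}".format(**record)


if __name__ == "__main__":
    print(query_fields(SAMPLE_URL))
    print("carried by the link:", transaction_fields_in_url(SAMPLE_URL))
    print(render_from_query(SAMPLE_URL))
    print(render_from_session("acct-A", "tx-1"))
    print(render_from_session("acct-B", "tx-1"))
```

Running it shows six transaction fields carried by the link (PERSON_NAME is present but empty), and the formatted line changes whenever the query string does, which is the behaviour comments 1 and 4 describe. The session-bound variant is the usual fix for the concern in comment 2: because the URL no longer contains the statement detail, whatever the browser remembers or autocompletes is an id that is meaningless outside an authenticated session.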

  5.  

    Re: Look closer...

    R.E.Norton, Oct 30th, 2000 @ 9:23am

    Two things: You should not allow untrusted persons to access your PC. If this is not possible, use the Browser's feature to delete all history from the cache and the URL bar...

