Citibank security hole

from the there-is-no-excuse-for-this dept

As a Citibank credit card holder I often check my account statement online. In fact, I don’t even get paper statements from them. I recently discovered a security hole in their system. Anyone can view transaction records of any account holder, without any password or username. Don’t believe me? Click on this link. That’s the monthly membership fee for my account with Citibank. There is absolutely no excuse for this type of security hole from any online site, much less a bank.


Comments on “Citibank security hole”

5 Comments
Greg Funk says:

Look closer...

You should look closer at the URL. This is merely a way of posting information to the page (albeit a lame method). There is no account information related to you. You can confirm this by changing some of the parameters in the URL and getting new output. Try this:

https://www.accountonline.com/CB/amount.jsp?POSTING_DATE=10%2F20%2F00&SALE_DATE=10%2F20%2F00&TRANSACTION_TYPE_TEXT=ANONYMOUS+USAGE&REFERENCE_NUMBER=00000000&PERSON_NAME=&TRANSACTION_AMOUNT=1000.00&FOREIGN_CURRENCY=&MERCHANT_DESCRIPTION=ANONYMOUS+USAGE+OCT+00-SEP+01++++++++++++&SIC_DESCRIPTION=++++++++++++++++++++++++++++++++++++++++&STATEMENT_DATE=10%2F19%2F00

Now this would all change if account number and any reference numbers were part of the URL passed.

Greg

Dan Miller (profile) says:

Re: Look closer...

You are right that it is a posting method. The point is not the stupidity of the URL formation, but the fact that anyone could sit down at my computer, start to type the Citibank address and have the rest auto-filled in, including the URL with the transaction information. This is utterly stupid programming and a security hole, in my view.

Ookami (user link) says:

The URL is secure

After playing with the URL you posted for a min or two I have determined that the only thing that could be potentially insecure about it is that someone could grab your account number. Using that URL though does not pose any security risk. The only place the information in that URL goes is into a script that formats whatever is in it. Their database is not accessed. Check out my modification of the link here to see an example.

Otakudo – The Way of the Nerd.
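Editor's note: the two comments above describe the same mechanism, a display page that formats whatever the query string hands it, and disagree only about what that implies. The Python below is an added illustration, not code from Techdirt, Citibank or any commenter. It parses a constructed copy of the URL Greg posted, shows that every displayed field arrives from the client (so nothing is read from a database, but the link itself carries and can be made to show arbitrary values), and contrasts that with an assumed redesign in which the URL carries only a reference number and the server fills in the record after checking it belongs to the logged-in user. The `StatementStore`, the user names and the record contents are all constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the link pasted in the thread (Greg Funk's modified
# version); none of these values are real account data.
SAMPLE_URL = (
    "https://www.accountonline.com/CB/amount.jsp?"
    "POSTING_DATE=10%2F20%2F00&SALE_DATE=10%2F20%2F00"
    "&TRANSACTION_TYPE_TEXT=ANONYMOUS+USAGE&REFERENCE_NUMBER=00000000"
    "&PERSON_NAME=&TRANSACTION_AMOUNT=1000.00&FOREIGN_CURRENCY="
    "&MERCHANT_DESCRIPTION=ANONYMOUS+USAGE+OCT+00-SEP+01++++++++++++"
    "&SIC_DESCRIPTION=++++++++++++++++++++++++++++++++++++++++"
    "&STATEMENT_DATE=10%2F19%2F00"
)

# Everything the statement line shows. In the thread's URL all of these are
# query parameters, i.e. chosen by whoever builds the link.
DISPLAY_FIELDS = [
    "POSTING_DATE", "SALE_DATE", "TRANSACTION_TYPE_TEXT", "REFERENCE_NUMBER",
    "PERSON_NAME", "TRANSACTION_AMOUNT", "FOREIGN_CURRENCY",
    "MERCHANT_DESCRIPTION", "SIC_DESCRIPTION", "STATEMENT_DATE",
]


def parse_transaction_url(url):
    """Decode the query string into {name: value}; '+' and %xx are unescaped
    and the padding spaces in the thread's URL are stripped."""
    query = urlsplit(url).query
    raw = parse_qs(query, keep_blank_values=True)
    return {name: values[0].strip() for name, values in raw.items()}


def client_supplied_fields(url):
    """Which of the displayed fields come straight from the URL."""
    present = parse_transaction_url(url)
    return [field for field in DISPLAY_FIELDS if field in present]


def render_echo(url):
    """The pattern the commenters describe: the page formats whatever the
    query string contains. No session, no lookup, so it cannot leak another
    customer's data, but it will display any values the link carries."""
    fields = parse_transaction_url(url)
    return {field: fields.get(field, "") for field in DISPLAY_FIELDS}


class StatementStore:
    """Stand-in for a server-side transaction table (constructed)."""

    def __init__(self, rows):
        # rows: {reference_number: {"owner": user, <DISPLAY_FIELDS>...}}
        self._rows = rows

    def get(self, reference_number):
        return self._rows.get(reference_number)


def render_by_lookup(store, session_user, url):
    """Assumed redesign, not Citibank's code: the URL contributes only the
    reference number; every displayed value comes from the stored record,
    and only when that record belongs to the authenticated user."""
    reference = parse_transaction_url(url).get("REFERENCE_NUMBER")
    if not reference:
        return None
    row = store.get(reference)
    if row is None or row["owner"] != session_user:
        return None  # unknown reference or somebody else's transaction
    return {field: row[field] for field in DISPLAY_FIELDS}


# Constructed record keyed by the reference number in SAMPLE_URL. Its amount
# deliberately differs from the 1000.00 in the link, so the two renderers
# can be told apart.
SAMPLE_STORE = StatementStore({
    "00000000": {
        "owner": "alice",
        "POSTING_DATE": "10/20/00", "SALE_DATE": "10/20/00",
        "TRANSACTION_TYPE_TEXT": "MEMBERSHIP FEE", "REFERENCE_NUMBER": "00000000",
        "PERSON_NAME": "", "TRANSACTION_AMOUNT": "12.00", "FOREIGN_CURRENCY": "",
        "MERCHANT_DESCRIPTION": "ANNUAL MEMBERSHIP OCT 00-SEP 01",
        "SIC_DESCRIPTION": "", "STATEMENT_DATE": "10/19/00",
    }
})

if __name__ == "__main__":
    print("fields taken from the URL:", client_supplied_fields(SAMPLE_URL))
    print("echo render:", render_echo(SAMPLE_URL)["TRANSACTION_AMOUNT"])
    print("lookup render (alice):",
          render_by_lookup(SAMPLE_STORE, "alice", SAMPLE_URL)["TRANSACTION_AMOUNT"])
    print("lookup render (bob):", render_by_lookup(SAMPLE_STORE, "bob", SAMPLE_URL))
```

Running it shows both sides of the argument at once: `render_echo` reports whatever amount the link says, which is why the commenters can change the number and get new output without touching any database, while the link in the browser history still reproduces the original statement line exactly, which is Dan's complaint. `render_by_lookup` keeps the displayed values and the ownership check on the server, so a saved or shared link reveals nothing beyond an opaque reference number.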
