Citibank
There are 2 entries for the tag Citibank
Now that my DevSecNerdRage™ has calmed down, I thought it might be worth a guess at what went wrong with Citibank and how you, as a developer, can avoid making the same mistake. From reports in the New York Times it appears the attackers had a valid login and password for a Citibank credit card site and, once in, they changed the account number in the URL. This is a great example of Insecure Direct Object Access. I can imagine the code / configuration doing one thing (all code in this post is pseudo code):

    // Pseudo code: authentication is checked, but the account number comes
    // straight from the query string with no check that it belongs to the caller
    if (IsAuthenticated)
    {
        LoadAccount(Request.QueryString["accountNumber"]);
    }
It's not the first time...
This makes me bang my head on the desk. From the report: "In the Citi breach, the data thieves were able to penetrate the bank's defenses by first logging on to the site reserved for its credit card customers. Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser's address bar. The hackers' code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data." As if insecure direct object...