Now that my DevSecNerdRage™ has calmed down, I thought it might be worth guessing at what went wrong at Citibank and how you, as a developer, can avoid making the same mistake. From reports in the New York Times it appears the attackers had a valid login and password for a Citibank credit card site and, once in, changed the account number in the URL. This is a textbook example of Insecure Direct Object Reference (IDOR): the application checks that you are logged in, but not that the object you asked for is actually yours. I can imagine the code / configuration doing one thing (all code in this post is pseudo code):

```csharp
if (IsAuthenticated)
{
    // Authenticated, so the account number in the URL is trusted as-is.
    // Nothing checks that this account belongs to the logged-in user.
    LoadAccount(Request.QueryString["accountNumber"]);
}
```
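To make the failure concrete, here is an added example (my own code, not from the original post or from Citibank): the same "authenticated, therefore trusted" lookup written in Python beside two fixed versions, one that checks the account's owner against the logged-in user and one that never exposes the raw account number in the URL at all. The user names, account numbers and balances are constructed sample data.

```python
"""Added example, not from the original post: an IDOR-style account lookup
and two ways to fix it. All data below is constructed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str
    owner: str      # login name that owns this account
    balance: int


# Constructed sample data: two customers, one credit card account each.
ACCOUNTS = {
    "4000-0001": Account("4000-0001", "alice", 1200),
    "4000-0002": Account("4000-0002", "bob", 530),
}


class NotFound(Exception):
    """Raised for both 'no such account' and 'not your account'."""


def load_account_vulnerable(user, query):
    """Mirrors the pseudo code in the post: logged in, so trust the URL."""
    if user is None:
        raise PermissionError("login required")
    # The only check is authentication. Any valid account number in the
    # query string is served, whoever it belongs to.
    return ACCOUNTS[query["accountNumber"]]


def load_account_fixed(user, query):
    """Authorisation added: the account must belong to the caller."""
    if user is None:
        raise PermissionError("login required")
    account = ACCOUNTS.get(query["accountNumber"])
    # Treat "exists but not yours" exactly like "does not exist", so the
    # response does not reveal which account numbers are valid.
    if account is None or account.owner != user:
        raise NotFound("no such account")
    return account


def accounts_for(user):
    """The accounts the current user is allowed to see, in a stable order."""
    return sorted((a for a in ACCOUNTS.values() if a.owner == user),
                  key=lambda a: a.number)


def load_account_indirect(user, query):
    """Indirect reference: the URL carries a per-user index (assumed
    parameter name 'acct'), never the real account number."""
    if user is None:
        raise PermissionError("login required")
    mine = accounts_for(user)
    try:
        idx = int(query["acct"])
    except (KeyError, ValueError):
        raise NotFound("no such account")
    if not 0 <= idx < len(mine):
        raise NotFound("no such account")
    return mine[idx]


def attempt(handler, user, query):
    """Run a handler and report the outcome as a string (handy for tests)."""
    try:
        return handler(user, query).number
    except NotFound:
        return "not found"
    except PermissionError:
        return "login required"


if __name__ == "__main__":
    # bob logs in, then edits alice's account number into the URL
    tampered = {"accountNumber": "4000-0001"}
    print("vulnerable:", attempt(load_account_vulnerable, "bob", tampered))
    print("fixed:     ", attempt(load_account_fixed, "bob", tampered))
    print("indirect:  ", attempt(load_account_indirect, "bob", {"acct": "1"}))
```

The ownership check is the minimum fix; the indirect-reference version goes one step further by making the tampered parameter meaningless, since an index only ever resolves within the caller's own account list.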
It's not the first time...