::Trend Micro Threat Resource Center::

16 June 2011

Citigroup data theft the result of a common vulnerability

If the information the NYT has received about the Citigroup breach is correct, and the intrusion was made possible by the exploitation of a vulnerability so frequent and common that it made OWASP's top 10 web application risks list, one wonders how it is possible that the world's largest financial services company hasn't got security experts that would remedy it.

The flaw in question is called insecure direct object reference, and it happens when an application hands users a direct reference to an internal object (an account number, a record id, a file name) and then fails to check that the requesting user is actually authorized to access that object. The confidential information is exposed because developers did not have the good sense to verify ownership on every request, not merely to hide the identifier.

Essentially the process went like this: first, hackers logged into the accountholder website. From there, the attackers used some type of script that allowed them to automatically jump from account to account and harvest any identifiable information merely by changing a portion of the URL. It's not exactly known how the hackers knew to exploit this vulnerability.

A browser and the ability to change the URL string was all that was needed to open hundreds of thousands of accounts to attackers. Oh wonderful.

Once the attackers realized it - I'm guessing one of them probably had an account with Citigroup - it was only a matter of writing a script that would feed random numbers into the URL and every time it successfully accessed an account, the attackers harvested the information contained in it.
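The pattern described above, as an added example that is not part of the original article or of any Citigroup code: a minimal model of an account-lookup handler in its vulnerable form, which trusts the number taken from the URL and only checks that someone is logged in, beside the fixed form, which verifies that the account belongs to the logged-in user. The account numbers, user names and `ACCOUNTS` store are constructed sample data, and `probe_range` is the regression check a tester would run against both handlers to confirm the fix.

```python
"""Added example (not from the original article): an insecure direct object
reference in an account-lookup handler, and the ownership check that fixes it.
All accounts, users and balances below are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Account:
    number: str
    owner: str      # user id of the account holder
    balance: float
    email: str


# Constructed sample data: three accounts owned by two users.
ACCOUNTS = {
    "10000001": Account("10000001", "alice", 1250.00, "alice@example.com"),
    "10000002": Account("10000002", "bob", 98.10, "bob@example.com"),
    "10000003": Account("10000003", "alice", 40000.00, "alice@example.com"),
}


class Forbidden(Exception):
    """Raised when the request must be refused (not logged in, or not the owner)."""


def view_account_insecure(session_user: str, account_number: str) -> Optional[Account]:
    """Vulnerable pattern: the handler takes the identifier straight from the
    URL (think /account?acct=10000002) and only checks that the caller is
    logged in. Any authenticated user can read any account by changing the
    number, which is exactly the behaviour the article describes."""
    if not session_user:
        raise Forbidden("login required")
    return ACCOUNTS.get(account_number)


def view_account_secure(session_user: str, account_number: str) -> Optional[Account]:
    """Fixed pattern: the same lookup, but the handler verifies that the
    account belongs to the logged-in user before returning it. A missing
    account and somebody else's account are both refused with the same
    error, so a probe cannot tell "exists but not yours" from "does not exist"."""
    if not session_user:
        raise Forbidden("login required")
    account = ACCOUNTS.get(account_number)
    if account is None or account.owner != session_user:
        raise Forbidden("not authorized")
    return account


def is_forbidden(handler: Callable[[str, str], Optional[Account]],
                 session_user: str, account_number: str) -> bool:
    """True if the handler refuses the request (used by the checks below)."""
    try:
        handler(session_user, account_number)
    except Forbidden:
        return True
    return False


def probe_range(handler: Callable[[str, str], Optional[Account]],
                session_user: str, start: int, stop: int) -> List[str]:
    """Regression check for a handler: walk a range of candidate account
    numbers as one logged-in user and return the numbers that came back with
    data. Against a correct handler the result contains only that user's own
    accounts; against the vulnerable one it contains every account in range."""
    visible = []
    for n in range(start, stop):
        try:
            acct = handler(session_user, str(n))
        except Forbidden:
            continue
        if acct is not None:
            visible.append(acct.number)
    return visible


if __name__ == "__main__":
    print("insecure:", probe_range(view_account_insecure, "bob", 10000000, 10000010))
    print("secure:  ", probe_range(view_account_secure, "bob", 10000000, 10000010))
```

The fix is the ownership comparison inside the handler, not a longer or more random account number: an unguessable identifier only raises the cost of the walk, while the `owner` check removes the class of bug entirely, and returning the same error for "missing" and "not yours" keeps the handler from leaking which numbers are live.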

If that is true, there is another thing bugging me: why was this "bombarding" of the site with requests carrying bogus combinations of numbers, over and over again, not noticed by anyone? Why wasn't there a mechanism in place that would get triggered by this kind of action?

But maybe, in this case, they couldn't spot it? Maybe the script was written in such a way that the requests were random and spread over a great period of time? One would presume that the attackers would try to get as much information as possible in a short time before the attack was detected, but you never know.
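The detection question raised in the two paragraphs above, as an added example that is not part of the original article: a small detector run over constructed web-server log lines. The log layout (`timestamp user status url`), the user names and the thresholds are assumptions for the example. It flags a user who touches more distinct account numbers within a window than a customer plausibly owns, or who collects more authorization denials than normal navigation produces; widening the window is what catches the slow, spread-out variant the author speculates about, which a short-window rate rule misses.

```python
"""Added example (not from the original article): detection of account-by-
account harvesting in web-server logs. Log lines, users and thresholds are
constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log in an assumed "timestamp user status url" layout:
# alice views her own two accounts; mallory walks consecutive numbers fast,
# hitting 403s on the ones the (fixed) handler refuses; slowpoke walks
# consecutive numbers once every six hours to stay under a rate rule.
SAMPLE_LOG = """\
2011-06-01T10:00:01 alice 200 /account?acct=10000001
2011-06-01T10:00:09 alice 200 /account?acct=10000003
2011-06-01T10:01:00 mallory 200 /account?acct=20000002
2011-06-01T10:01:02 mallory 403 /account?acct=20000003
2011-06-01T10:01:04 mallory 200 /account?acct=20000004
2011-06-01T10:01:06 mallory 403 /account?acct=20000005
2011-06-01T10:01:08 mallory 200 /account?acct=20000006
2011-06-01T10:01:10 mallory 403 /account?acct=20000007
2011-06-01T10:01:12 mallory 200 /account?acct=20000008
2011-06-02T03:00:00 slowpoke 200 /account?acct=30000001
2011-06-02T09:00:00 slowpoke 200 /account?acct=30000002
2011-06-02T15:00:00 slowpoke 200 /account?acct=30000003
2011-06-02T21:00:00 slowpoke 200 /account?acct=30000004
2011-06-03T03:00:00 slowpoke 200 /account?acct=30000005
2011-06-03T09:00:00 slowpoke 200 /account?acct=30000006
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) /account\?acct=(\d+)$")

Event = Tuple[datetime, str, int, str]  # (timestamp, user, status, account)


def parse(log: str) -> List[Event]:
    """Parse the assumed log layout; lines that do not match are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2),
                           int(m.group(3)), m.group(4)))
    return events


def detect_enumeration(log: str, window_hours: float = 1,
                       max_distinct: int = 5, max_denied: int = 2) -> Dict[str, str]:
    """Per user, slide a time window over their requests and flag the user the
    first time one window holds more distinct account numbers than
    max_distinct, or more 403 responses than max_denied.
    Returns {user: reason} for every flagged user."""
    window = timedelta(hours=window_hours)
    by_user: Dict[str, List[Tuple[datetime, int, str]]] = defaultdict(list)
    for ts, user, status, acct in parse(log):
        by_user[user].append((ts, status, acct))

    flagged: Dict[str, str] = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window spans at most window_hours.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            distinct = len({e[2] for e in win})
            denied = sum(1 for e in win if e[1] == 403)
            if distinct > max_distinct:
                flagged[user] = f"{distinct} distinct accounts within {window_hours}h"
                break
            if denied > max_denied:
                flagged[user] = f"{denied} authorization failures within {window_hours}h"
                break
    return flagged


if __name__ == "__main__":
    print("1h window: ", detect_enumeration(SAMPLE_LOG))
    print("48h window:", detect_enumeration(SAMPLE_LOG, window_hours=48))
```

With the one-hour window only `mallory` is flagged; `slowpoke` never puts more than one request into any one-hour window, which is the evasion the author wonders about. Counting distinct accounts per user over a two-day window flags `slowpoke` as well, because a genuine customer still only ever opens the handful of accounts they own, however slowly they browse. Counting denials matters only once the handler is fixed; against the vulnerable handler every probe returns 200, so the distinct-account rule is the one that works in both states.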

The only thing going for those affected by the Citi hack may be the fact that the attackers do not have expiration dates or security numbers found on the back of the card. This may protect those attacked from serious identity theft, although a lot of other personal information has been disclosed.

All in all, can we now just stop calling it a "sophisticated attack"?