Report a bug; receive a visit from the police

Business IT - Security

When a kindly soul discovers a trivially simple security bug and then posts it to the organization concerned, the last thing he expects is a warning letter from the lawyers and a visit from the police.

Until very recently, First State Super had a very big security hole on their web site.  Once a user gained access with suitable authentication credentials, they were able to access the accounts of EVERY OTHER CUSTOMER.

This is what we call a BIG DEAL.

Patrick Webster, a client of the Fund and a private security consultant, observed that the URL used to access specific details of his account appeared to include his account ID number.  In itself, that's not a problem; many sites do that.  The problem was that there was zero security once a person was logged in: the site checked that you were authenticated, but never that the account you asked for was yours.

Webster did a very simple thing - he changed the ID number in the URL and hit Enter.

Lo and behold, he was able to access someone else's account.

His next step was probably something of a silly move.  In 30 seconds, he was able to write a script that stepped through every account number and confirmed the details were visible.  In hindsight, the first test ought to have been enough.

This is exactly the same kind of bug that was identified in FamilyHQ soon after launch.
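The bug described above is an insecure direct object reference: the account ID travels in the URL and the server checks that the caller is logged in but never that the account belongs to them.  The following added example (not code from the article, First State Super or FamilyHQ; all names, account IDs, the `/account?id=` URL shape and the log lines are constructed) shows that vulnerable handler beside a hardened one, and a log check that would surface a session stepping through account numbers the way the script in the story did.

```python
"""IDOR demo: account ID in the URL, no ownership check after login (constructed data)."""
from collections import defaultdict

# Constructed member store: account_id -> (owner_user, balance)
ACCOUNTS = {
    1001: ("alice", 52300.00),
    1002: ("bob", 18750.50),
    1003: ("carol", 97010.25),
}


class Forbidden(Exception):
    """Raised when a logged-in user requests an account that is not theirs."""


def vulnerable_view(session_user, account_id):
    # Mirrors the bug in the article: being logged in is the only check,
    # so whatever id is in the URL is served, whoever it belongs to.
    return ACCOUNTS[account_id]


def hardened_view(session_user, account_id):
    # The object must belong to the caller.  A missing ID and someone else's
    # ID get the same response, so the page does not reveal which IDs exist.
    record = ACCOUNTS.get(account_id)
    if record is None or record[0] != session_user:
        raise Forbidden("account not available to this user")
    return record


def can_read(session_user, account_id):
    """True if hardened_view would serve the account to this user."""
    try:
        hardened_view(session_user, account_id)
        return True
    except Forbidden:
        return False


def flag_enumeration(log_lines, threshold=3):
    """Sessions that read more than `threshold` distinct accounts, the trace an
    ID-stepping script leaves.  Lines are '<session> GET /account?id=<n>'."""
    seen = defaultdict(set)
    for line in log_lines:
        session, _, path = line.split()
        if "?id=" in path:
            seen[session].add(int(path.split("?id=", 1)[1]))
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)


# Constructed access log: sessA reads its own account, sessB walks through IDs.
LOG = ["sessA GET /account?id=1001", "sessA GET /account?id=1001", "sessB GET /account?id=1001",
       "sessB GET /account?id=1002", "sessB GET /account?id=1003", "sessB GET /account?id=1004"]
```

The real fix is to look accounts up by the authenticated identity rather than trusting an ID from the URL at all; the ownership check above is the minimum that closes the hole.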

Continued...