
Report a bug; receive a visit from the police

  • 19 October 2011
  • Written by 
  • Published in Security

When a kindly soul discovers a trivially simple security bug and then posts it to the organization concerned, the last thing he expects is a warning letter from the lawyers and a visit from the police.

Until very recently, First State Super had a very big security hole on their web site.  Once a user gained access with suitable authentication credentials, they were able to access the accounts of EVERY OTHER CUSTOMER.

This is what we call a BIG DEAL.

Patrick Webster, a client of the Fund and a private security consultant, observed that the URL used to access specific details of his account appeared to include his account ID number. In itself, that's not a problem; many sites do that. The problem was that there was no further access control once a person was logged in: the site never checked that the account requested in the URL actually belonged to the logged-in user.

Webster did a very simple thing - he changed the ID number in the URL and hit Enter.

Lo and behold, he was able to access someone else's account.

His next step was probably something of a silly move. In 30 seconds, he was able to write a script that stepped through every account number and confirmed the details were visible. In hindsight, the first test ought to have been enough.
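The flaw described above is an insecure direct object reference: the account ID comes from the URL and the server trusts it once the user is authenticated. The following is an added example, not code from the article or from First State Super's site, using a constructed in-memory account store and a constructed access-log format. It shows the vulnerable lookup beside the hardened one (ownership checked against the session, not the URL), plus a simple detector that flags a session walking through many distinct account IDs, which is the footprint the enumeration script in the article would leave in server logs.

```python
"""Added example: IDOR in an account lookup, its fix, and a log-based
enumeration check. All data below is constructed for illustration."""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample data: account id -> (owner user id, balance).
ACCOUNTS = {
    "1001": ("alice", 12_500.00),
    "1002": ("bob", 8_200.00),
    "1003": ("carol", 31_000.00),
}


class Forbidden(Exception):
    """Raised when the logged-in user does not own the requested account."""


def account_vulnerable(session_user, account_id):
    """Behaviour the article describes: the caller must be logged in,
    but the account id taken from the URL is trusted as-is."""
    if session_user is None:
        raise PermissionError("login required")
    owner, balance = ACCOUNTS[account_id]
    return {"account": account_id, "owner": owner, "balance": balance}


def account_secure(session_user, account_id):
    """Hardened form: ownership is checked against the server-side session,
    never against anything the client supplied."""
    if session_user is None:
        raise PermissionError("login required")
    record = ACCOUNTS.get(account_id)
    # Same response for "not yours" and "does not exist", so the handler
    # does not confirm which ids are valid.
    if record is None or record[0] != session_user:
        raise Forbidden("account not accessible")
    owner, balance = record
    return {"account": account_id, "owner": owner, "balance": balance}


def can_access(session_user, account_id):
    """True if the hardened handler would serve this account to this user."""
    try:
        account_secure(session_user, account_id)
        return True
    except Forbidden:
        return False


def enumeration_sessions(log_lines, threshold=5):
    """Return session ids that requested more than `threshold` distinct
    account ids. Constructed log format: '<session> GET <path>'."""
    seen = defaultdict(set)
    for line in log_lines:
        session, _method, path = line.split()
        for acct in parse_qs(urlparse(path).query).get("id", []):
            seen[session].add(acct)
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)


# Constructed log lines: one ordinary session, one stepping through ids.
SAMPLE_LOG = [
    "sess-A GET /account?id=1001",
    "sess-A GET /account?id=1001",
] + [f"sess-B GET /account?id={n}" for n in range(1000, 1010)]

if __name__ == "__main__":
    print(account_vulnerable("alice", "1002"))  # serves bob's record
    print(can_access("alice", "1002"))           # False
    print(enumeration_sessions(SAMPLE_LOG))      # ['sess-B']
```

The hardened handler deliberately returns the same error whether the account is someone else's or does not exist, and the detector keys on distinct IDs per session rather than request volume, since a legitimate user reloading their own page generates many requests for one ID.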

This is exactly the same kind of bug that was identified in FamilyHQ soon after launch.


Being the altruistic citizen that he is, he reported the problem to First State Super. Although it took some time to speak to a suitable person, Webster thought his message had finally been listened to.

He was correct. Within a rather short time, he received a knock at the door and found two Police Officers who wanted to talk to him on suspicion of hacking into First State Super's computer systems. Furthermore, his account at the Fund was frozen, and a lawyers' letter arrived in the post demanding that he submit his computer for forensic testing to ensure no customer data was present, and advising him that he may be liable for any costs in fixing the problem.

Talk about shooting the messenger!

Interestingly, some time later the Police advised Webster that they believed no crime had been committed and they had no further desire to speak with him on the matter.

This is a fabulous way to ensure that First State Super will NEVER AGAIN be the recipient of security vulnerability reports.  It won't stop the probing of their systems, but they will never again be informed about them in such a nice way.

One can only hope that the Fund's managers have achieved their desired outcome.
