
Report a bug; receive a visit from the police

When a kindly soul discovers a trivially simple security bug and reports it to the organization concerned, the last thing they expect is a warning letter from the lawyers and a visit from the police.

Until very recently, First State Super had a very big security hole in their web site.  Once a user had logged in with their own valid credentials, they were able to access the accounts of EVERY OTHER CUSTOMER.

This is what we call a BIG DEAL.

Patrick Webster, a client of the Fund and a private security consultant, observed that the URL used to access the details of his account included his account ID number.  In itself, that's not a problem; many sites do that.  The problem was that the site never checked whether the account being requested actually belonged to the person who was logged in.  Authentication (proving who you are) was in place; authorization (checking what you are allowed to see) was missing entirely.

Webster did a very simple thing - he changed the ID number in the URL and hit Enter.

Lo and behold, he was able to access someone else's account.

His next step was probably something of a silly move.  In about 30 seconds he wrote a script that stepped through every account number and confirmed the details were visible for each one.  In hindsight, the first test ought to have been enough.
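The bug described above is what web security people call an insecure direct object reference: the server trusts the record identifier in the URL and looks it up without asking whether the logged-in user owns it.  The following is an added illustration written for this article, not code from First State Super's site or from Webster; the account numbers, owners and balances are constructed sample data, and the two handler functions are hypothetical stand-ins for whatever the real site did.  It shows the vulnerable lookup beside the fixed one, plus the kind of ID-stepping test that reveals the difference.

```python
# Illustrative example (not the Fund's code). The account table below is
# constructed sample data standing in for a real database.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 52_300.00},
    1002: {"owner": "bob", "balance": 18_750.50},
    1003: {"owner": "carol", "balance": 240_010.75},
}


class Forbidden(Exception):
    """Raised when a logged-in user asks for a record they do not own."""


def view_account_vulnerable(session_user, account_id):
    """Vulnerable handler for a URL such as /account?id=<account_id>.

    Authentication has already happened (session_user is logged in), but
    the handler never checks that the requested account belongs to that
    user, so any valid id typed into the URL returns someone else's record.
    """
    return ACCOUNTS[account_id]


def view_account_fixed(session_user, account_id):
    """Hardened handler for the same URL.

    The record is only returned when the owner recorded server-side matches
    the authenticated session. In a real application the equivalent is
    scoping the query by the user, e.g. WHERE id = ? AND owner = ?, rather
    than trusting the id alone.
    """
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        # Same outcome for "not yours" and "does not exist", so the caller
        # cannot use the response to enumerate which ids are valid.
        raise Forbidden(f"user {session_user!r} may not view account {account_id}")
    return record


def enumerate_accounts(handler, session_user, id_range):
    """Step through a range of ids with one logged-in session and return
    the ids whose records came back. Against the vulnerable handler every
    existing account leaks; against the fixed one only the caller's own
    accounts are returned. Run only against your own test data."""
    visible = []
    for account_id in id_range:
        try:
            handler(session_user, account_id)
        except (Forbidden, KeyError):
            continue
        visible.append(account_id)
    return visible


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable:", enumerate_accounts(view_account_vulnerable, "bob", ids))
    print("fixed:     ", enumerate_accounts(view_account_fixed, "bob", ids))
```

The important design point is that the fix does not hide the id or make it unguessable; it adds the ownership check that was missing.  Obscuring the id merely slows the attacker down, whereas scoping every record lookup by the authenticated user closes the hole regardless of what is typed into the URL.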

This is exactly the same kind of bug that was identified in FamilyHQ soon after launch.


Being the altruistic citizen that he is, he reported the problem to First State Super.  Although it took some time to reach a suitable person, Webster thought his message had finally been listened to.

He was correct.  Within a rather short time, he received a knock at the door from two police officers who wanted to talk to him on suspicion of hacking into First State Super's computer systems.  His account at the Fund was frozen, and a lawyers' letter arrived in the post demanding that he submit his computer for forensic examination to ensure no customer data remained on it, and advising him that he might be liable for the costs of fixing the problem.

Talk about shooting the messenger!

Interestingly, some time later the Police advised Webster that they believed no crime had been committed and they had no further desire to speak with him on the matter.

This is a fabulous way to ensure that First State Super will NEVER AGAIN be the recipient of security vulnerability reports.  It won't stop the probing of their systems, but they will never again be informed about them in such a nice way.

One can only hope that the Fund's managers have achieved their desired outcome.
