funsec mailing list archives

Re: Citibank hacked by URL fuzzing?


From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 14 Jun 2011 16:26:59 -0400

: One security expert familiar with the investigation wondered
: how the hackers could have known to breach security by
: focusing on the vulnerability in the browser. “It would have
: been hard to prepare for this type of vulnerability,” he said.
: The security expert insisted on anonymity because the
: inquiry was at an early stage.
A vulnerability in the browser which results in server access.
Something sounds fishy, and he/she should remain anonymous.

On Tue, Jun 14, 2011 at 3:16 PM, Robert Slade <rmslade () shaw ca> wrote:
Apparently, the intruders who breached Citibank tried putting different "account numbers into a string of text 
located in the browser’s address bar."

http://nyti.ms/lNpNP3

Boy, account numbers in the URL.  Now who could have guessed that bad guys would have tried messing with that?  "The 
method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the 
Citigroup attack as especially ingenious, security experts said."


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
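The flaw the thread is laughing at is an object reference taken straight from the URL with no ownership check. The following added example (not from the thread or from any Citibank code; the account data, log format and names are constructed) shows that handler beside its hardened form, plus a log check for sessions walking through many account numbers:

```python
# Added example, not from the thread: a handler that serves an account
# statement keyed by an account number taken from the URL. The vulnerable
# version trusts that number; the hardened version requires the account to
# belong to the authenticated session. A small detector then flags sessions
# requesting many distinct accounts, the enumeration pattern described.
from collections import defaultdict
from dataclasses import dataclass

# Constructed data store: account number -> owning user.
ACCOUNT_OWNER = {"1001": "alice", "1002": "bob", "1003": "carol"}
STATEMENTS = {a: f"statement for {a}" for a in ACCOUNT_OWNER}

class Forbidden(Exception):
    """Raised when a session asks for an account it does not own."""

@dataclass
class Request:
    session_user: str   # user resolved from the session cookie
    url_account: str    # account number parsed from the URL

def vulnerable_statement(req: Request) -> str:
    # Authenticated, but the URL value is used as-is, so any logged-in
    # user reads any account simply by changing the number.
    return STATEMENTS[req.url_account]

def hardened_statement(req: Request) -> str:
    # Authorization: the object named in the URL must belong to the caller.
    if ACCOUNT_OWNER.get(req.url_account) != req.session_user:
        raise Forbidden(f"{req.session_user} may not view {req.url_account}")
    return STATEMENTS[req.url_account]

def enumeration_suspects(log_lines, threshold=3):
    """Return session ids that requested >= threshold distinct accounts.

    Each line is 'session_id account_number status' (constructed format).
    A customer normally touches one or two accounts; a session stepping
    through many numbers, including misses, is the URL-fuzzing pattern.
    """
    seen = defaultdict(set)
    for line in log_lines:
        sid, acct, _status = line.split()
        seen[sid].add(acct)
    return sorted(s for s, accts in seen.items() if len(accts) >= threshold)

SAMPLE_LOG = [  # constructed access-log lines
    "s1 1001 200", "s1 1001 200", "s2 1002 200",
    "s3 1001 200", "s3 1002 200", "s3 1003 200", "s3 1004 404",
]
```

The 404s in the sample log are the tell: guessed numbers that do not exist still leave a trail even when the handler is already fixed.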