funsec mailing list archives
Re: Citibank hacked by URL fuzzing?
From: Peter Kosinar <goober () nuf ksp sk>
Date: Tue, 14 Jun 2011 22:56:11 +0200 (CEST)
Okay, I'll bite.
Apparently, the intruders who breached Citibank tried putting different "account numbers into a string of text located in the browser's address bar."
http://nyti.ms/lNpNP3
Boy, account numbers in the URL. Now who could have guessed that bad guys would have tried messing with that? "The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said."
Okay, my English must be rusty. I always thought the proper spelling was "i-n-g-e-n-U-o-u-s".
The fun actually continues in the next paragraph:
===
One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. "It would have been hard to prepare for this type of vulnerability," he said. The security expert insisted on anonymity because the inquiry was at an early stage.
===
The quoted sentence contains an extra "for"; unless there is something more behind the scenes, it's probably the most obvious attack vector one can think of.
Peter
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
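The flaw Peter is describing, an account number taken from the URL and served back without checking whose account it is, is the textbook insecure direct object reference. The following is an added example, not code from the funsec thread or from Citibank: a hypothetical account-view handler in its vulnerable and its authorized form, plus a small log check that flags a session walking through many account numbers. Account numbers, sessions and log lines are constructed sample data.

```python
# Added example (not from the funsec thread): the "account number in the URL" flaw
# shown as a vulnerable handler beside an authorized one, plus a log check that
# flags one session requesting many distinct account numbers.
# All accounts, sessions and log lines below are constructed sample data.
from collections import defaultdict

# Constructed backend: account number -> (owner user id, balance)
ACCOUNTS = {
    "1000001": ("alice", 1200.00),
    "1000002": ("bob", 85.50),
    "1000003": ("carol", 9999.99),
}

# Constructed session store: session token -> authenticated user id
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def view_account_vulnerable(session_token, account_number):
    """Insecure direct object reference: the session only proves that *someone*
    is logged in; the account number comes straight from the URL and is never
    compared with the session owner, so editing the number in the address bar
    returns somebody else's balance."""
    if session_token not in SESSIONS:
        return None  # not logged in
    record = ACCOUNTS.get(account_number)
    if record is None:
        return None
    return {"account": account_number, "balance": record[1]}


def view_account_secure(session_token, account_number):
    """Same lookup with an object-level authorization check: the account must
    belong to the user the session is bound to. Unknown and foreign accounts
    get the same answer, so the response does not reveal which numbers exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        return None
    record = ACCOUNTS.get(account_number)
    if record is None or record[0] != user:
        return None
    return {"account": account_number, "balance": record[1]}


def flag_enumerating_sessions(log_lines, threshold=3):
    """Detection side: count distinct account numbers requested per session in
    constructed access-log lines of the form
        '<session> GET /account?number=<n> <status>'
    and return the sessions that touched at least `threshold` distinct accounts.
    A legitimate customer normally views a handful of their own accounts."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or not parts[2].startswith("/account?number="):
            continue
        session, path = parts[0], parts[2]
        seen[session].add(path.split("=", 1)[1])
    return sorted(s for s, nums in seen.items() if len(nums) >= threshold)


# Constructed log sample: bob views his own account twice, sess-x walks numbers.
SAMPLE_LOG = [
    "sess-bob GET /account?number=1000002 200",
    "sess-bob GET /account?number=1000002 200",
    "sess-x GET /account?number=1000001 200",
    "sess-x GET /account?number=1000002 200",
    "sess-x GET /account?number=1000003 200",
    "sess-x GET /login 200",
]

if __name__ == "__main__":
    print(view_account_vulnerable("sess-bob", "1000003"))  # leaks carol's balance
    print(view_account_secure("sess-bob", "1000003"))      # None
    print(flag_enumerating_sessions(SAMPLE_LOG))           # ['sess-x']
```

The fix is a single ownership comparison in the handler; the detection function is a coarse complement that catches the pattern when the check is missing. In a real deployment the threshold would be tuned to how many accounts a customer can legitimately hold.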