funsec mailing list archives

Re: Citibank hacked by URL fuzzing?


From: Valdis.Kletnieks () vt edu
Date: Tue, 14 Jun 2011 16:56:25 -0400

On Tue, 14 Jun 2011 16:26:59 EDT, Jeffrey Walton said:
: One security expert familiar with the investigation wondered
: how the hackers could have known to breach security by
: focusing on the vulnerability in the browser. "It would have
: been hard to prepare for this type of vulnerability," he said.
: The security expert insisted on anonymity because the
: inquiry was at an early stage.
A vulnerability in the browser which results in server access.
Something sounds fishy, and he/she should remain anonymous.

It's called "sarcasm".  No security professional could have *possibly*
predicted that using a URL that looks like

https://www.big-bank.com/account=134233433

could possibly be attacked, and it's *so* hard to design your web
interface to prepare for that sort of session hijacking....


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
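The flaw Valdis is pointing at is an insecure direct object reference: the account identifier sits in the URL and the server never checks that it belongs to the logged-in user, so a session can be used to step through other customers' accounts. The following is an added illustration written for this archive page, not code from the thread or from any bank; the accounts, session tokens and log format are all constructed for the example. It shows the unchecked lookup next to a version that binds the lookup to the authenticated principal and records refusals so that enumeration can be flagged.

```python
from collections import Counter

# Constructed sample data: account id -> (owner user id, balance).
ACCOUNTS = {
    "134233433": ("alice", 2500.00),
    "134233434": ("bob", 410.50),
}
# Constructed sessions: session token -> authenticated user id.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
AUDIT_LOG: list[str] = []  # refused lookups, consumed by flag_enumeration()

class Forbidden(Exception):
    """Raised when the caller may not view the requested account."""

def view_account_vulnerable(session_token: str, account_id: str) -> dict:
    """Insecure direct object reference: the session is authenticated, but the
    handler returns whatever account the URL names, regardless of owner."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    owner, balance = ACCOUNTS[account_id]
    return {"account": account_id, "owner": owner, "balance": balance}

def view_account_hardened(session_token: str, account_id: str) -> dict:
    """Same lookup, but authorisation is checked against the authenticated
    principal: the account must belong to the session's user, and every
    refusal is logged."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    record = ACCOUNTS.get(account_id)
    if record is None or record[0] != user:
        # Fail closed, and do not reveal whether the account exists.
        AUDIT_LOG.append(f"IDOR attempt user={user} account={account_id}")
        raise Forbidden("account not accessible")
    owner, balance = record
    return {"account": account_id, "owner": owner, "balance": balance}

def denied(handler, session_token: str, account_id: str) -> bool:
    """True if the handler refuses the request."""
    try:
        handler(session_token, account_id)
        return False
    except Forbidden:
        return True

def flag_enumeration(log: list[str], threshold: int = 3) -> set[str]:
    """Detection: users with at least `threshold` refused account lookups."""
    users = Counter(line.split("user=")[1].split()[0] for line in log)
    return {user for user, n in users.items() if n >= threshold}
```

With the vulnerable handler, bob's session reads alice's account; with the hardened one the same request is refused, and repeated refusals from one session surface in the audit log.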