How Citigroup Hackers Easily Gained Access 371
Endoflow2010 writes "Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. It has been called 'one of the most brazen bank hacking attacks' in recent years. And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."
Seriously, what the fuck! (Score:5, Insightful)
Re:Seriously, what the fuck! (Score:5, Funny)
Makes Sony's security setup look like Fort Knox. And that's saying something.
Re:Seriously, what the fuck! (Score:5, Funny)
Re: (Score:2, Redundant)
I can make the same argument for my luggage.
Wait - is the combination 1, 2, 3, 4, 5?
Re: (Score:2, Funny)
Re: (Score:3)
That's the stupidest combination I've ever heard!
It sounds like something an idiot would put on his planetary air shield. Wait... I think we got this joke backwards somehow.
Re: (Score:3)
That's the stupidest combination I've ever heard!
It sounds like something an idiot would put on his planetary air shield. Wait... I think we got this joke backwards somehow.
It worked great for his luggage.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re:Seriously, what the fuck! (Score:4, Funny)
Think of the great employment opportunities now that you know that anyone can be a "security professional!"
Well, I did stay at a Holiday Inn last night....
Comment removed (Score:4, Informative)
Re: (Score:3)
I closed my Citi account based on the very poor quality of their internet banking system and concerns about its security... concerns which I explained in writing.
Their internet banking system was filled with obviously half-assed security measures. For instance, you could send a "secure email" to customer support - but the email couldn't contain any character that might be used in a SQL injection attack (e.g. quote marks). If it did, then clicking Send led you to an error page, and of course you weren't tol
Re: (Score:3)
I had the same thing happen! My mortgage is through Citi and I kept on typing out these long "secure" messages to them and forgot about the illegal characters. Had to keep retyping. Nice sanitizing!
Re: (Score:2)
I wonder if the management actually understands how big a screw up this is. I'm sure they understand that "stolen data = bad" but not what a ridiculously easy exploit this was. If they did understand it probably wouldn't have happened.
Re: (Score:2)
In a radio broadcast in Germany not long ago, the online security of banks was described to be the equivalent of putting the money in a carton box on the street (if you understand German: Here's a transcript [web.ard.de] as PDF).
After reading this story, I think the carton box would actually provide more safety.
Re: (Score:2)
In a radio broadcast in Germany not long ago, the online security of banks was described to be the equivalent of putting the money in a carton box on the street (if you understand German: Here's a transcript [web.ard.de] as PDF).
After reading this story, I think the carton box would actually provide more safety.
It would. If you allow plastic bags, then the box could contain coffee grounds. This would be especially true if one has a few trial runs to convince the crooks that the box is worthless.
Re: (Score:2)
Re: (Score:3)
Not quite, in that with the UK system, those details only allow people to set up a Direct Debit, which can only be used for certain types of Consumer to Business payments, and are automatically refundable on the consumer end, but still makes it worth keeping your account number and sort code private.
Re: (Score:3)
Good luck trying to actually get that refund. The one time I did, I just got a run-around between the bank and the merchant (it was an ISP who had stopped providing service, but not stopped billing me and presumably other users). I only lost about 100 quid, so I didn't try too hard, but still, I lost most of my faith in direct debit from that incident.
Re: (Score:3)
Similar Donald Knuth [wikipedia.org] stopped issuing his reward checks [wikipedia.org] for finding errors in his books because people were so proud of receiving them that they posted pictures of the checks online. The information visible on the front of the check in some of the pictures was enough to enable someone to steal money from his bank account. The moral of the story? The entire banking system is mostly insecure.
I'm not sure that much has improved since the events depicted in the movie Catch Me If You Can [imdb.com] happened. It seems li
Re: (Score:3)
This hasn't been the case for at least 40 years.
Re: (Score:3)
I'm guessing they used the same security guys that wrote a similar front-door for Hotmail. (One of their earliest security holes was where you could swap your user ID for anyone else's. Including the system admin's.)
Re:Seriously, what the fuck! (Score:5, Insightful)
'broke in through the front door'
It was an unlatched SCREEN DOOR with a missing hinge!
I wouldn't consider it hacking even by the media's definition. It's akin to asking the teller for someone else's information, and coming back 200,000 times to do it again.
Whiskey
Tango
Foxtrot
Re:Seriously, what the fuck! (Score:5, Interesting)
Yeah...... this was not hacking. That word has been expanded entirely way too much in much the same way Schizophrenia was used a dump bucket for psychological disorders we just did not understand yet.
Hacking, even in this context, implies there was security to begin with.
This was not a SQL injection attack. If they were posting stuff in the URL bar then that means that Citigroup's website was programmed to take the $_GET (or whatever non-PHP equivalent) and just return the data.
No validation, or even a comparison against the user profile held in the session data? Seriously?
Everything we do is AJAX with JQuery. We authenticate a user and from that point on their user profile information is stored in the session. Every API call from that point forward passes their unique ID along with the action request (even just informational requests) that get validated by our own security processes at the API level, especially before a database call is made in the first place to return data from the appropriate database for that customer/process/application. We validate who you are, what you are accessing, and what rights have been assigned to you, before you get an XML/JSON response document back from us.
Anything else, is just unwise and unprofessional. By no means, am I or the people I work with superstars. This is just the basics of anybody that approaches a project with security first, application second mentality.
According to this article, Citigroup was just wide wide WIDE the $*$%(# open. It's not hacking when asking the "question" of the web server does not initiate authentication. Citigroup literally allowed anonymous requests for information by design .
I would not even prosecute the group. Seriously.... for what? Walking into a bakery where a mentally challenged person was just freely giving away cherry pies? Was it unethical to take advantage of the poor idiot and take the cherry pie when you know that normally it cost $5? Probably. Was it stealing? I don't think so.
If anything, there should be class action suit against Citigroup by all of the members for gross negligence. How ironic is it that huge groups like this, with tons of money (some of it stolen through mortgage fraud) pay hundreds of thousands or millions of dollars and get less value than a small time development group that charges 15k-20k for a small site ?
It's deliciously stupid that the biggest groups are programmed by morons, and that the smaller websites are actually programmed to be more secure.
I'd like to say I can't believe it, but I know too many stories where half million dollar websites are running on $50k worth of hardware, with IT budgets that allow judicious use of hookers and blow, and yet they can't program themselves out of a wet cardboard box, let alone prevent SQL injection attacks.
The wonderful stupidity....
Re: (Score:3)
visa vi -> vis-a-vis
accent on the "a"
http://www.merriam-webster.com/dictionary/vis-a-vis [merriam-webster.com]
Re: (Score:2)
You need the Mega Facepalm! [motivationalz.com]
Re:Seriously, what the fuck! (Score:5, Insightful)
And yet FTFA:
One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
He said: 'It would have been hard to prepare for this type of vulnerability.'
Wow. Yes, I can see how making accounts accessible via an unhashed URL is really something no one would have guessed would be a problem. Especially when the same technique is referenced explicitly in a recent blockbuster (The Social Network).
Re: (Score:3)
That so-called expert should be fired immediately for these two incredibly starter-level errors:
1. that was not a "vulnerability in the browser" at all.
2. any idiot worth his lines of code would have seen this type of vulnerability coming from a lightyear away.
Re: (Score:2)
... my comment is only valid if TFS is right about simply changing a parameter in the URL to access other accounts. No I didn't RTFA.
Re: (Score:2)
s/fined/arrested/g
Seriously. That is criminal negligence.
Re: (Score:3)
Re:Seriously, what the fuck! (Score:5, Funny)
And yet FTFA:
One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
He said: 'It would have been hard to prepare for this type of vulnerability.'
Wow. Yes, I can see how making accounts accessible via an unhashed URL is really something no one would have guessed would be a problem. Especially when the same technique is referenced explicitly in a recent blockbuster (The Social Network).
See, this is the real reason Firefox wants to get rid of the URL bar. Only hackers would directly enter a URL. Legitimate consumers will just follow the link to their account from their Facebook page.
Re: (Score:3, Funny)
You mean Google. Firefox just wants to do it because Google is doing it.
Re: (Score:3)
The surprise is that they tried this on a smart phone and failed to find the URL bar, so they assumed it was safe.
Re: (Score:3)
Re: (Score:2)
They call idiot an expert!? Holy shit.
Also Zuckerberg's high-speed-technobabble in The Social Network was meant only to show most viewers that he's supposed to be a computer genius. They have little or no idea what he's talking about. Someone with as little knowledge as this "expert" wouldn't have understood it.
Re:Seriously, what the fuck! (Score:5, Insightful)
There's a reason that "expert" is anonymous: it's a PR flunky that has to feed ass-covering statements to the press. Something for the masses who don't know any better to swallow.
Re:Seriously, what the fuck! (Score:5, Insightful)
Account numbers don't need to be secret. In fact, you hand them out when you write checks.
It's the access using the account number that has to be protected by more than "is the rest of the URI formatted correctly and does the browser have a cookie we issued to it?"
Hashing the account number (and other info) into an identifier in that cookie, then using that as the session ID, and only allowing access to that one account from that port until another session was authenticated on it, would be more proper.
It's not just the URI that is screwy, it's the whole lifecycle design of the session, and a failure to partition the data in any meaningful way.
Re: (Score:2)
Whoever made this should be forbidden from working with computers ever again. Is there any legal process that can do this?
Re: (Score:2)
This is literally unbelievable to me.
Re: (Score:3)
The register has a much better story:
http://www.theregister.co.uk/2011/06/14/citigroup_website_hack_simple/ [theregister.co.uk]
they actually point out how insanely insecure the setup was.
Re: (Score:3)
There is no facepalm big enough to express my feeling at that hack. I'm sure they paid good money to "security professionals" to set that up too.
The hack isn't as simple as you might think at first glance.
Sending the account number out in a URL is not that big of a deal in an SSL environment. (Not defending it, people looking over the users shoulder and all. It should have been an encrypted session string, or an encrypted cookie so that the user couldn't see how to alter it.).
But the ultimate problem here was accepting the altered URL without going thru re-validation, without asking for passwords again, etc.
It wasn't so much a hack as a simple (bu
Re: (Score:3)
It is a hack as incorrectly keeping state client-side is one of the trivial first things to look at when assessing web-application security. Absolute beginners mistake, but found surprisingly often in the wild. My guess is that the people creating these applications can barely program at all and have no clue where their session state is. But any halfway competent external pentest or security assessment would have found this very fast.
Seriously, who are these "security experts"? (Score:5, Insightful)
One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'
Are you *really* trying to label this as a browser vulnerability issue?
You're either *really* incompetent or paid very well to say shit like that.
Seriously... (Score:4, Insightful)
Heads need to roll for this one... Amazing. Words escape me.
Re: (Score:2)
I did something similar (Score:5, Interesting)
I did that at a bank I was working with. It was actually a hidden form variable with the institutions username/password, but grabbing that page before it auto-submitted allowed me to pull anyone's statement. I showed it to my manager, and eventually got a promotion out of it. :-)
Re:I did something similar (Score:5, Insightful)
Be thankful your manager wasn't a complete idiot; playing the odds, that would normally get you fired, arrested and pilloried...
Re:I did something similar (Score:5, Funny)
The part of the story aardwolf64's not explaining: The reason he got the promotion was not because of the obvious security problem but because of the payment to whipsandhandcuffs.com he found on his manager's statement.
Re: (Score:2)
Who else was disappointed when whipsandhandcuffs.com didn't resolve?
So stupid (Score:3)
Re: (Score:2)
I don't understand how this could happen to a bank with credit card data.
Didn't you read the summary? It's Citigroup. The guys who keep calling me to offer me a credit card despite me having repeatedly told them not to call me anymore and to remove me from their call list. Somehow they think calling me again will make me change my mind and give them business. I guess it's easy to do what you want when the federal government is willing to bail you out.
Re: (Score:2)
When the FDIC illegal seized WAMU, they ended up with my information. I cancelled my card immediately, but I have a feeling that they've probably retained my information, given that they weren't willing to take no for an answer.
Re: (Score:2)
fill out a complaint form with the FCC,
Yes, the FCC has jurisdiction outside the US. Guess where I live, dipshit. Global company. Global internet. Not everyone you talk to here is from your neighborhood, Billy-Bob. Blah blah blah blah typical Americentric rant blah blah.
Wow, that's negligence on their part (Score:2, Informative)
Dealing with credit card information I know for a fact that security implementation is 100% illegal if the allegations are true. Citibank will be fined hundreds of millions of dollars if they follow the law ($100,000 per incident). I mean base level security for this would be only allow that user access to that specific account. If they were able to simply change URL numbers to see other account holders info... wow... just wow.
Re: (Score:2)
you think citibank gives a flying fuck because..? (Score:2)
... for which they'll immediately pass the cost to their customers. Do you REALLY think it costs them two bucks to let you use other institutions' ATM? Do you really think it costs them fifty bucks to stop payment on a check? Until we're talking about serious jail time in the pound-me-in-the-ass prison for officers of the corporation, nothing will change. But knowing how congress critters in Washington are
Pathetic (Score:2)
Mind numbingly so.
Really makes me wonder wtf is up with some banks and their incompetence. I registered for online banking with my bank some time ago, and they only allow [a-z][A-z][0-9] for passwords. no ~!@#$%^&*(. In the 21st century. Shame.
Re: (Score:2)
Really makes me wonder wtf is up with some banks and their incompetence.
Too. Big. To Fail. There simply are no consequences anymore. Fines? OK we'll jack the fees. Losing money? Borrow it at 0% interest from the fed. Going bankrupt? Doesn't matter, the shareholders get wiped out and Uncle Sam will bail us out. Yeah we'll get fired, but we already have our multi-million dollar bonuses. We'll just work for another bank...
Re: (Score:2)
One thing puzzles me...
Password security is rated on difficulty, sure. But once you eliminate the dictionary search, you're down to brute force testing each key in turn.
[a-z][A-Z][0-9] = 62 values
[a-z][A-Z][0-9][~!#$%^&*(] = 71 values
So which of these increase the keyspace better...
pow(62, n) to pow(71, n)
or pow(62, n) to pow(62, n+1)
I suspect the answer is "n to n+1". To which the only limit is password size.
If you're arguing about "these keys are not common in passwords" as security, aren't you argu
If you don't know, ask. (Score:3, Insightful)
If you don't understand how a secure negotiation protocol (and the protocol for the session after the fact) works, admit it and either ask someone or read several books until you recognize that you should still go ask someone. I've read more than my fair share of crypto books and papers, but, being an application developer who does only trivial personal server-side development, you can be damned sure that I'd ask for help when working on a username/password system. This goes double if it involves banking.
That any session allows them to go digging around willy nilly is so unbelievably stupid, I can't even find the words.
WTF (Score:5, Insightful)
From TFA:
One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'
/epic facepalm
First, this is NOT a hard vulnerability to prepare for. If the only method of user authentication you are doing is based off a string of characters received from the URL your not even qualified to build an ecommerce site for some mom-and-pop 2-sales-a-week company, let alone a bank.
Second, why is this a surprise to this security "expert"? Anyone who has done development for a website with dynamic content would be familiar with passing information through the url. This is like web design 101. If I logged into my credit card account and saw my CC number in the URL bar the FIRST thing I would think of would be: "what would happen if I typed in another number in there." Security expert my ass, no wonder why some companies have this happen to them, look at the people they hire to test and investigate their systems!
/rant
Re: (Score:2)
It isn't like this a new type of attack either. Just look at people sharing pictures. If they post a bunch of pictures with default names you can very often just change the numbers to find more pictures, frequently ones they didn't intend to share for various often entertaining reasons.
Hell the first year of college I was able to do something like this. The class registration method was primitive and putting the wrong numbers in when registering would often register someone else for that class. They fix
Re: (Score:2)
It isn't like this a new type of attack either. Just look at people sharing pictures. If they post a bunch of pictures with default names you can very often just change the numbers to find more pictures, frequently ones they didn't intend to share for various often entertaining reasons.
I assume this is on Facebook?
Re:WTF (Score:4)
If I saw my CC or Account number in the URL bar...the first thing I would do is cancel my account and look for another service.
Lowest bidder? (Score:2, Funny)
This is what you get when important functions are written by people who do not have the slightest inkling of what network security is about. You can put loads of $$$ into planning and design into specifying authentication, and it all falls down because the grunt who actually does the work doesn't have a clue.
</NICE>
<REALISTIC>
Probably the grunt without a clue is the smartest guy over there.
Re: (Score:2)
+1 Insightful for both comments.
You have GOT to be shitting me (Score:3)
BTW, i'm logging into my WF account now (Score:2)
And they were deemed vital because... (Score:2)
It's a good thing our foresightful federal government nobly resisted the public in '08-'09 and wisely chose to bail out and backstop this vital financial instution, on whom we are so ever reliant for their irreplaceable expertise!
*jerk off gesture*
Daily Fail (Score:2)
Re: (Score:3)
It was a very simple attack.
sophisticated cyber criminals
I assume they mean the cyber criminals were wearing top hats and monocles, and using big words.
Secure hash? (Score:2)
Basic Security = Authentication + Authorization (Score:2)
This is a failure in programming (I'll stop short of calling the coders idiots, since I don't know what pressures and time constraints they were under) and testing (this should be caught within 10 minutes with a half-hearted Selenium script). The mistake they made: if user is authenticated, they belong, and everything gets happily processed. Pretty typical, especially for beginning programmers. They failed to check individual resources against what was being param'ed in.
I won't stop short... the coders were idiots (Score:4, Insightful)
It doesn't matter WHAT time or money constraints they were under. This is simply not something that would be acceptable out of somebody that codes for money. To call this a "beginners mistake" is an insult to Web Development 101 students everywhere. If you have to be TOLD that maintaining authentication to a secure website based on the contents of the URL bar is a bad idea, then you do not deserve to be coding for anybody. I haven't EVER coded a website (I haven't written anything longer than a ten-line shell script in 13 years) and I could have told you this was a mind-bogglingly stupid mistake. This is not 20/20 hindsight at work here... it really is that stupid.
Heads should roll, including the programmer(s) responsible for this travesty, and two levels of management above him/her. And the remaining employees in the department should all have to apply for their jobs again (by the new management team), as their suitability as programmers could not have been properly evaluated before if the original moron managed to keep his job longer than a week.
I'm actually willing to cut the testers some mild slack... maybe they chose not to test for the developer having the IQ of a turnip. (Just a little slack... a tester should NEVER assume the developer has the least clue what they are doing when figuring out what needs testing.)
Why Chrome is dropping the address bar.... (Score:3, Funny)
You have got to be kidding me... (Score:2)
What? I mean, WHAT? Teenie-bopper web developers, tired of having their Star Wars fansites hacked, stopped putting account info in GET strings back in the nineties! What kind of crap programmers... the mind boggles... What BANK would pay for such crap code, and what enterprise-class design team would make such a horrible mistake? This is not a cute little hack, it's a fundamental coding... no, design... no, sorry, CONCEPTUAL flaw.
Everyone involved with this project; design, management, QA, and most es
The "Expert" (Score:5, Insightful)
IF the article is correct about the nature of the vulnerability this quote is the single stupidest and most frightening things I have ever read on the internet.
Re: (Score:3)
IF the article is correct about the nature of the vulnerability this quote is the single stupidest and most frightening things I have ever read on the internet.
Give some benefit of the doubt. Keep in mind this is a New York Times article -- it is written in way that they feel should be understandable to any 8th grader in the country. Add onto that, that the reporter is almost certainly not understanding anything this guy has to say. Add onto that, this guy is actively working on the investigation, and he might not be willing or able to divulge any actual information. Add onto that that the New York Times readers (staff included) are generally outraged at the b
Apparently Citi isn't Too Big To Fail after all... (Score:3)
car analogy (Score:2)
Yes, the car is locked, but all the cars use the same key. It would have been hard to prepare for this type of vulnerability.
Re: (Score:3)
Yes, the car is locked, but all the cars use the same key. It would have been hard to prepare for this type of vulnerability.
I think you mean, the cars are all locked but unlocking one car, regardless of key, gives you access to all other cars.
Every user account has it's own credentials, it just happens that once you are authorized you are free to access every account, not just your own.
"Hard to prepare for" a simple GET injection?! (Score:2)
He said: 'It would have been hard to prepare for this type of vulnerability.'"
Really? They were passing a credit card account number in the clear through a GET parameter, without validating it against which session the page load was authenticated on, and
anyone with a citigroup account should be suing (Score:2)
This kind of negligence should be criminal.
Haha, who would ever leave such a vunerability? (Score:2)
Dear God....
$20 says that code was written by a contractor.. (Score:3)
Should CERT issue an advisory on outsourcing as a hot new attack vector?
OMFG (Score:5, Insightful)
"In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid-1980s was to worry about criminals being clever; we should rather have worried about our customers - the banks' system designers, implementers, and testers - being stupid."
Ross Anderson, "Security Engineering"
Too Big to Care (Score:3)
It's cheaper for Citigroup to spin its way out of this mess than for it to pay for real security. Because real security requires people with some sense throughout the chain with access to the organization. And that kind of person is a threat to the entire way of doing business that banks like Citigroup do it.
Remember that Citigroup is exactly the bank for which Senator Phil Gramm (R-TX) wrote the 1998 bank deregulation bill that left the global economy exposed to exactly the kind of collapse the 1934 regulations had protected us from since the last time the banks gave unregulated credit until they collapsed. They have learned from the 2008 Crash that they will be given only more money when they fail, so they don't work hard to avoid the risk. The kind of "moral hazard [wikipedia.org]" that banks use to excuse paying their insurance obligations, but which define their own businesses now.
Same vulnerability as Hotmail 10 years ago (Score:4, Insightful)
Man, what an opportunity I missed (Score:3)
All this time I've just been using that trick to get free porn.
Re: (Score:2)
Re:you have got to be kiddinbg me (Score:5, Informative)
Sending the account number out in a URL over SSL should not be that big of a hole.
(Ok, not smart, but the risk lies mostly in the person looking over the user's sholder).
The problem was allowing the change in the URL without going thru re-validation of credentials.
Apparently they set a session flag indicating that validation had been passed, and never bothered
to match that with the change in the account number.
Re:you have got to be kiddinbg me (Score:5, Informative)
Sending the account number out in a URL over SSL should not be that big of a hole
Exposing an internal ID in such fashion is not only foolish, but very much a beginner error. I would expect this from some half-assed forum software - not a bank. That said, I've worked for the government before, and seen the same stupid mistake repeated time and time again. A salted hash would have been a lot less idiotic. The fact that there was no authorization performed makes compounds the issue, however, and one wonder who these people hired to write their infrastructure.
Re: (Score:3, Funny)
Re:you have got to be kiddinbg me (Score:4, Insightful)
But "the lowest bidder" is the spirit of corporate America!
Obvisouly it is not that Citibank were criminal morons with absolut disregard about their customers, but that the attackers were sophisticate terrorists (and paedophyles, now that we are talking about it).
Re:you have got to be kidding me (Score:5, Insightful)
"Uh... yeah, I'd like to get the money from my account number +1... oh, that one's closed, how about my account number +2, nope, well then +3? Ah, yes, that one please... all the money, yes."
I don't bank with citigroup, and I certainly never will knowing how little effort they put into their security practices.
Re: (Score:3)
whatever step you are using to "verify" the id passed by the URL is what should be tracking this in the first place, by passing an ID in the url you only open things up for some other coder working on a different section of the system to use that ID without realizing it is not authenticated. unique short lived tokens already make this a solved problem, especially if every page loaded gets a new token as well and is only valid for actions connec
Re: (Score:2)
Something as simple as common fucking sense could have prevented this, no filters of any kind needed. He obviously allowed all users to log in with the same credentials at a lower level, and made it dead simple to switch users with a URL hack.
Re: (Score:2)
You are so cute, you think they keep logs.