How Citigroup Hackers Easily Gained Access
Endoflow2010 writes "Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. It has been called 'one of the most brazen bank hacking attacks' in recent years. And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."
I did something similar (Score:5, Interesting)
I did that at a bank I was working with. It was actually a hidden form variable with the institutions username/password, but grabbing that page before it auto-submitted allowed me to pull anyone's statement. I showed it to my manager, and eventually got a promotion out of it. :-)
Re:Seriously, what the fuck! (Score:5, Interesting)
Yeah...... this was not hacking. That word has been expanded entirely way too much, in much the same way schizophrenia was used as a dump bucket for psychological disorders we just did not understand yet.
Hacking, even in this context, implies there was security to begin with.
This was not a SQL injection attack. If they were posting stuff in the URL bar then that means that Citigroup's website was programmed to take the $_GET (or whatever non-PHP equivalent) and just return the data.
No validation, or even a comparison against the user profile held in the session data? Seriously?
Everything we do is AJAX with JQuery. We authenticate a user and from that point on their user profile information is stored in the session. Every API call from that point forward passes their unique ID along with the action request (even just informational requests) that get validated by our own security processes at the API level, especially before a database call is made in the first place to return data from the appropriate database for that customer/process/application. We validate who you are, what you are accessing, and what rights have been assigned to you, before you get an XML/JSON response document back from us.
Anything else is just unwise and unprofessional. By no means am I or the people I work with superstars. This is just the basics for anybody that approaches a project with a security first, application second mentality.
According to this article, Citigroup was just wide wide WIDE the $*$%(# open. It's not hacking when asking the "question" of the web server does not initiate authentication. Citigroup literally allowed anonymous requests for information by design.
I would not even prosecute the group. Seriously.... for what? Walking into a bakery where a mentally challenged person was just freely giving away cherry pies? Was it unethical to take advantage of the poor idiot and take the cherry pie when you know that normally it costs $5? Probably. Was it stealing? I don't think so.
If anything, there should be a class action suit against Citigroup by all of the members for gross negligence. How ironic is it that huge groups like this, with tons of money (some of it stolen through mortgage fraud), pay hundreds of thousands or millions of dollars and get less value than a small time development group that charges 15k-20k for a small site?
It's deliciously stupid that the biggest groups are programmed by morons, and that the smaller websites are actually programmed to be more secure.
I'd like to say I can't believe it, but I know too many stories where half million dollar websites are running on $50k worth of hardware, with IT budgets that allow judicious use of hookers and blow, and yet they can't program themselves out of a wet cardboard box, let alone prevent SQL injection attacks.
The wonderful stupidity....
Re:WTF (Score:2, Interesting)
Second, why is this a surprise to this security "expert"? Anyone who has done development for a website with dynamic content would be familiar with passing information through the url. This is like web design 101. If I logged into my credit card account and saw my CC number in the URL bar the FIRST thing I would think of would be: "what would happen if I typed in another number in there." Security expert my ass, no wonder why some companies have this happen to them, look at the people they hire to test and investigate their systems!
I made another comment about how awesomely stupid this is, but yeah. If you see your account number in the URL bar stop the service and find another company.
There should be NOTHING in the URL bar. NOTHING. Just the page. At most you should see www.demo.com/accounts
If you are actually going to be secure then a credit card number should be passed in a secure AJAX call, where it gets encrypted first in jQuery, then passed to a PHP page server side, where it uses its own API credentials to process the call fully, including security verification from the session AND passed data in the call, BEFORE returning a JSON document to the client side where it can do its job and update the page.
$_GET should be totally deprecated in its use. I take that back. We used it sometimes to reference the API function call we are making internally in the past. So it being used as a functional way to access different functions is okay. However, even that behavior should transition over to the XML docs containing the function being requested. Our systems currently support both for legacy applications.
$_GET is not secure. Period. Why? It is not just the rest of the world you are securing yourself against, but the USER AS WELL.
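The flaw both of the comments above describe (an identifier taken from the request and used to fetch data without checking it belongs to the logged-in user) and the session-bound check they call for, as an added example that is not the thread's own code nor anything from Citigroup; the accounts, session ids and handler names are constructed for illustration:

```python
# Added example, not the thread's or Citigroup's code; all data below is constructed.
from dataclasses import dataclass

@dataclass
class Account:
    number: str
    owner: str       # user id of the customer who owns the account
    statement: str   # stand-in for the names, transactions, etc.

# Constructed sample data: two customers, one account each.
ACCOUNTS = {
    "4111-0001": Account("4111-0001", "alice", "alice statement"),
    "4111-0002": Account("4111-0002", "bob", "bob statement"),
}
# Session store as set at login: session id -> authenticated user id.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""

def vulnerable_statement(session_id: str, query: dict) -> str:
    """Trusts the account number from the URL query string. The session
    proves who you are but is never compared with what you asked for, so
    editing ?acct= in the address bar walks through every customer."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[query["acct"]].statement

def hardened_statement(session_id: str, query: dict) -> str:
    """Binds the requested object to the authenticated principal before
    any data is fetched: who you are (session), what you are accessing
    (account), and whether that account is yours."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise Forbidden("not logged in")
    acct = ACCOUNTS.get(query.get("acct", ""))
    # Same error for "no such account" and "not your account", so the
    # response does not reveal which account numbers exist.
    if acct is None or acct.owner != user:
        raise Forbidden("no access to requested account")
    return acct.statement

def is_exposed(handler, session_id: str, foreign_acct: str) -> bool:
    """Regression check: can this session read an account it does not own?"""
    try:
        handler(session_id, {"acct": foreign_acct})
        return True
    except Forbidden:
        return False
```

The `is_exposed` check is the kind of test a code review or QA pass would run against every endpoint that takes an object identifier, whether it arrives in the query string, a POST body or a JSON document.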