Free Republic
Company Thanks Guy Who Alerted Them To Big Security Flaw By Sending The Cops... And The Bill
techdirt ^ | 10/18/11

Posted on 10/18/2011 3:50:08 PM PDT by LibWhacker

We've seen before that organizations don't seem to react well to outside security folks pointing out vulnerabilities in their systems. They very often take a "blame the messenger" approach -- as if pointing out a flaw suddenly makes that flaw come into existence. But one company seems to be taking it to another level. That Anonymous Coward points us to a story in which a security professional found a big and ridiculously obvious bug in the website of an Australian investment fund, First State Superannuation. Apparently you could see other people's accounts by merely changing the account numbers in the URL. Increase the number by one, and see the next user in line. This is the kind of extraordinarily basic mistake that I thought had been eradicated a decade ago. Apparently not.

But the company that runs the fund, Pillar, went quite crazy about this. While the company did fix the security hole, it also sent the police to interrogate the security researcher, Patrick Webster. Pillar also sent a letter to customers (pdf) in which it suggests that Webster created this massive security flaw, rather than their own dreadful programming:

It has come to our attention that a member of First State Super, who has online access to their account, devised a way to view an image of your statement.

And then, to add insult to injury, Pillar sent Webster a letter saying he broke the law, they were closing his account, and may seek money from him to fix the vulnerability:

Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.1 of the Criminal Code Act 1995 (Cth). You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police.

Further, as a member of the Fund, your online access is subject to the terms and conditions of use which are outlined on the Fund's website. Your unauthorised access also constitutes a breach of those terms and has caused the Trustee to expend member funds in dealing with this matter. Please note the Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms.

[....]

In addition, the Trustee reserves its rights to require you to allow it's (sic) IT personnel to examine your computer during business hours to verify that all data and records on your computer have been destroyed or deleted.

In the meantime, the Trustee has suspended your online access to the Member Section of the Fund's website.

Yup. Help Pillar out, uncover a basic programming/security mistake that puts the info of tons of people at risk, and get punished. Pillar apparently prefers to have people never report any problems they find with its system at all, keep its head in the sand, and instead allow malicious hackers to run wild through a totally insecure system. Brilliant work.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: alerted; company; flaw; security

1 posted on 10/18/2011 3:50:14 PM PDT by LibWhacker

To: LibWhacker
Nuts, should've looked for a better article before posting this... Here's one.
2 posted on 10/18/2011 4:00:54 PM PDT by LibWhacker

To: LibWhacker

No Good Deed.


3 posted on 10/18/2011 6:28:38 PM PDT by YHAOS (you betcha!)

To: YHAOS
I experienced this type of security flaw on a web site that I have secure access to. I was allowed privileges to view a chart of confidential information for a couple of particular clients. After viewing one chart, I merely took the shortcut and modified the URL with the other client number.

However, I 'fat-fingered it' (mistyped it) and got a client whom I should not be authorized to see.

To make matters worse, I merely copied the URL for the site I should not have visited, then went into a different browser and was able to go directly to the confidential data.

I reported my access to the one person who could pass it up the line, and quickly learned that the top management would 'shoot the messenger' of anyone providing proof of their incompetence.

Apparently the director of Information Systems for this outfit just got a big raise, was spending a lot of money on changing the system, but really did not know what he was doing.

At that point, I decided to just keep my mouth shut. The little 'change the number on the URL' trick works at a lot of web pages. It is not hacking, it is just being able to post the exact web address that the server is waiting to take care of.

4 posted on 10/20/2011 3:49:28 PM PDT by Dustoff45 (A good woman brings out the best in a good man! A better woman might be just what this nation needs)
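The flaw in the techdirt article (increment the account number in the URL and get the next member's statement) and the variant in Dustoff45's comment (the copied URL works in a second browser with no login) come down to the same missing check. As an added example, not code from techdirt, Pillar or the fund, here is such a handler in its vulnerable form beside a fixed one; all account numbers, session tokens and store names are constructed.

```python
# Added example, not code from the article or the fund: a "view statement by
# account number" endpoint in vulnerable and fixed forms. All names, tokens and
# account numbers are constructed for the demonstration.
from typing import Callable, Optional, Tuple

# Constructed stores; assumption: account numbers are sequential integers.
STATEMENTS = {100041: "Statement for member 100041",
              100042: "Statement for member 100042"}
# Session token -> account number of the member who logged in with it.
SESSIONS = {"tok-alice": 100041, "tok-bob": 100042}

class Unauthenticated(Exception):
    pass

class Forbidden(Exception):
    pass

def view_statement_vulnerable(account_id: int, token: Optional[str]) -> str:
    """Insecure direct object reference: the record is selected purely by the
    number in the URL. The session is never consulted, so the same URL also
    works when pasted into a browser with no login, as in the comment above."""
    return STATEMENTS[account_id]

def view_statement_fixed(account_id: int, token: Optional[str]) -> str:
    """Object-level authorization: require a valid session, then verify the
    requested account belongs to that member before touching the record."""
    member = SESSIONS.get(token or "")
    if member is None:
        raise Unauthenticated("login required")
    if member != account_id:
        # Deny before any lookup, so the answer is the same whether or not the
        # number exists and nothing leaks about which accounts are valid. A
        # session collecting 403s across adjacent numbers is the pattern to alert on.
        raise Forbidden(f"member {member} requested account {account_id}")
    return STATEMENTS[account_id]

def respond(handler: Callable[[int, Optional[str]], str],
            account_id: int, token: Optional[str]) -> Tuple[int, str]:
    """Map handler outcomes to HTTP-style (status, body) pairs."""
    try:
        return 200, handler(account_id, token)
    except Unauthenticated:
        return 401, ""
    except Forbidden:
        return 403, ""
```

The stronger fix is to drop the account number from the URL entirely and serve the statement of whichever member the session belongs to, so there is no identifier for a visitor to change.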

To: Dustoff45

As I said . . . No good deed.


5 posted on 10/20/2011 5:48:56 PM PDT by YHAOS (you betcha!)
