The White Hat Versus The Big Bad Bank

In the realm of network security you have two (it’s more complicated than that, but that’s not the point here) possible types of hackers, the black hats and the white hats. Black and white like the black knight and the white knight, evil and good. The black hat hackers are trying to break into your network for personal gain, whether it is monetary gain, notoriety, or just to be a PITA. The white hats are the other side of the coin; they’re trying to break into your network in order to tell you what’s wrong with it so you can fire your entire IT department, hire someone competent, and fix it. 

Today’s story is about a white hat trying to do good and the big bad bank that just doesn’t get it. Patrick Webster, a well regarded security expert from Australia, was checking his account on First State Superannuation and noticed a security flaw, and by flaw I mean a huge mistake that even the greenest IT drone could detect. He noticed that his account number was in the URL and all he had to do was change the last digit and he could see someone else’s account.

Ok, let me give you an idea of how basic this is. We used to do this 5 years ago to hack Photobucket accounts, and I use the term hack very loosely, because I’m several orders of magnitude below even a script kiddie. If someone’s picture URL ended with img_591.jpg, all you had to do was change the 1 to a 2 and you had a great chance of seeing another picture. Photobucket caught wind of this pretty quickly and changed the URLs to randomly generated codes. Problem solved.

You’d think a large financial institution with what I assume is a large, well educated security department would know about this very basic security flaw, right? But I digress.

When Webster notified FSS about the flaw, they fixed the problem within 24 hours and even thanked him. End of story? Not quite. Risky Biz, with an awesome use of a direct object reference URL, brings us the full scoop here.

"The annoying part is that I contacted First State straight up. I gave them my number, email... and full details in my email including LinkedIn and they called the cops," Webster said.

Yeah, they called the cops on him. He uncovered a major flaw, a total lack of security in their system. He didn’t circumvent any security, because you can’t circumvent what doesn’t exist. I’m sure charges, if any were pressed, will be dropped because they obviously don’t have any case against Webster. The proper response here is to apologize to Webster, notify EVERY account holder of the error, and possibly even compensate Webster for doing their job for them. And yes, notify EVERY account holder, because I assure you that Webster wasn’t the first person to notice this very basic hole; he was just the first one to be decent enough to notify them.

The lesson here, kids?

Direct-object URL on your blog = Good

Direct-object URL on your bank account = BAD
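To make the lesson concrete, here is an added example (not code from the original post, and not FSS's or Photobucket's software) showing the two halves of the FSS flaw in a toy "view account" handler: the vulnerable version trusts whatever account number arrives in the URL, and the fixed version releases the record only if it belongs to the logged-in user. The account data, user names and function names are all constructed for the example. The last function is the regression test a defender would keep around: walk a few adjacent account numbers as one user and confirm that only that user's own account comes back.

```python
# Added example (not from the original post): an insecure direct object
# reference in a "view account" handler, beside the fixed version that
# checks that the requested record belongs to the logged-in user.

# Constructed sample data: account number -> owner and balance.
ACCOUNTS = {
    "100001": {"owner": "alice", "balance": 5200.00},
    "100002": {"owner": "bob", "balance": 310.50},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record (HTTP 403/404)."""


def view_account_vulnerable(session_user, account_number):
    """Vulnerable: looks up the account number taken from the URL and never
    asks whether it belongs to the authenticated user (the FSS mistake).
    session_user is accepted but ignored, which is exactly the bug."""
    account = ACCOUNTS.get(account_number)
    if account is None:
        return None
    return {"account": account_number, "balance": account["balance"]}


def view_account_fixed(session_user, account_number):
    """Fixed: the same lookup, but the record is returned only when its
    owner matches the authenticated session user."""
    account = ACCOUNTS.get(account_number)
    if account is None or account["owner"] != session_user:
        # One error for both "not found" and "not yours", so the response
        # does not reveal which account numbers exist.
        raise Forbidden(f"user {session_user!r} may not view account {account_number!r}")
    return {"account": account_number, "balance": account["balance"]}


def can_view(session_user, account_number):
    """True if the fixed handler would show this account to this user."""
    try:
        view_account_fixed(session_user, account_number)
        return True
    except Forbidden:
        return False


def count_readable_adjacent(handler, session_user, start, count):
    """Regression test: how many accounts does one logged-in user get back
    when the account number in the URL is incremented, as the post describes?
    Run against your own test data; the fixed handler should return 1 at most."""
    readable = 0
    for offset in range(count):
        number = str(int(start) + offset)
        try:
            if handler(session_user, number) is not None:
                readable += 1
        except Forbidden:
            pass
    return readable


if __name__ == "__main__":
    print("vulnerable:", count_readable_adjacent(view_account_vulnerable, "alice", "100001", 3))
    print("fixed:     ", count_readable_adjacent(view_account_fixed, "alice", "100001", 3))
```

Photobucket's move to randomly generated URLs makes guessing the next ID impractical, but the ownership check is the part that actually closes the hole: a random token that leaks in a shared link or a log file still exposes someone else's data if the server never asks who is asking.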