Vulnerability Development mailing list archives

Re: Neato Bell Atlantic Feature


From: Marc Maiffret <marc () eeye com>
Date: Mon, 14 Aug 2000 11:55:22 +0100

Ryan and I were just discussing how we can't wait for voting to go online so
we can write a white paper entitled "How I became president."

Yes I agree that people should go check out their DMV, banks etc. and see
if they are flawed but really I think half of the systems that are being
forced online should just not be online period. Or at least customers should
have a choice if they are going to have their information forced online or
even if there is an online interface to a database that has their
information on it.

I remember when I signed up at a local bank and they gave me the option for
online banking. I chose no but when I later checked out their site I saw it
was connected to a back-end system that had all bank customers, so saying 'no
I don't want your online banking' didn't really make me any safer.

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com

"We're entering an age where holding your own is not enough."

| -----Original Message-----
| From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
| Russell Berry
| Sent: Monday, August 14, 2000 3:24 PM
| To: VULN-DEV () SECURITYFOCUS COM
| Subject: Re: Neato Bell Atlantic Feature
|
|
| When I saw this I decided to do some investigating of other websites. My bank,
| and a few of my credit cards have online sites to access data. A couple take
| your social security number for a login name. On at least one site, I could
| put in my social security number, and a b0gus password. Java runs, and even
| though it returns an invalid login, the source of the script running spews out
| account information. Go figure.
|
| Stop looking at this as a toy to go play with, and start looking for similar
| breaches in the institutions you all use and warn them accordingly. I fear
| there is a LOT of this kind of vulnerability going around.
|
| Regards,
|
| Russell
|
| On 14-Aug-00 Seth Cohn wrote:
| > Had someone in BA country check it out. Among other things, it returns
| > name and address for a phone number and also a PUB notation. I wonder if
| > private numbers will also be listed... could be, looks like a db lookup.
| > In which case, an autoscanner could compile a list of private numbers. :(
| >
| > Expect this to go away rsn. Too easy to abuse.
|
| Words to Live by...
|         Work like you don't need money,
|         Love like you've never been hurt,
|         Dance like nobody's watching.
|

