Vulnerability Development mailing list archives
Re: Neato Bell Atlantic Feature
From: Marc Maiffret <marc () eeye com>
Date: Mon, 14 Aug 2000 11:55:22 +0100
Ryan and I were just discussing how we can't wait for voting to go online so we can write a white paper entitled "How I became president." Yes, I agree that people should go check out their DMV, banks etc. and see if they are flawed, but really I think half of the systems that are being forced online should just not be online, period. Or at least customers should have a choice if they are going to have their information forced online, or even if there is an online interface to a database that has their information on it. I remember when I signed up at a local bank and they gave me the option for online banking. I chose no, but when I later checked out their site I saw it was connected to a back end system that had all bank customers, so saying 'no I don't want your online banking' didn't really make me any safer.

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com
"We're entering an age where holding your own is not enough."

| -----Original Message-----
| From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of
| Russell Berry
| Sent: Monday, August 14, 2000 3:24 PM
| To: VULN-DEV () SECURITYFOCUS COM
| Subject: Re: Neato Bell Atlantic Feature
|
|
| When I saw this I decided to do some investigating of other websites. My bank, and a few of my credit cards, have online sites to access data. A couple take your social security number for a login name. On at least one site, I could put in my social security number, and a b0gus password. Java runs, and even though it returns an invalid login, the source of the script running spews out account information. Go figure.
|
| Stop looking at this as a toy to go play with, and start looking for similar breaches in the institutions you all use and warn them accordingly. I fear there is a LOT of this kind of vulnerability going around.
|
| Regards,
|
| Russell
|
| On 14-Aug-00 Seth Cohn wrote:
| > Had someone in BA country check it out. Among other things, it returns
| > name and address for a phone number and also a PUB notation. I wonder if
| > private numbers will also be listed... could be, looks like a db lookup.
| > In which case, an autoscanner could compile a list of private numbers. :(
| >
| > Expect this to go away rsn. Too easy to abuse.
|
| Words to Live by...
| Work like you don't need money,
| Love like you've never been hurt,
| Dance like nobody's watching.
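The failure Russell describes, a login page whose script source still carries the account record after an "invalid login", is a server-side ordering bug: the page is assembled with the customer's data before the password is checked, and the "logged in" flag only controls what the browser renders. The following is an added illustration of that pattern and its fix, not code from the thread or from any bank; the account table, the identifier `123-45-6789`, the password and the handler names are all constructed for the example.

```python
# Added example (not from the mailing-list thread): a login handler that leaks
# account data on a failed login, beside a version that authenticates first.
import hashlib
import hmac

# Constructed sample data. A real system would store a per-user random salt.
_SALT = b"example-salt"


def _hash_password(pw: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 50_000).hex()


ACCOUNTS = {
    "123-45-6789": {  # constructed identifier, used as the login name
        "password_hash": _hash_password("correct horse"),  # constructed password
        "name": "Sample Customer",
        "balance": "1234.56",
    },
}


def leaky_login(user_id: str, password: str):
    """Vulnerable ordering: the account record is placed in the response
    (for a client-side script to render) regardless of the auth result.
    Returns (http_status, payload) where payload is what the browser gets."""
    acct = ACCOUNTS.get(user_id)
    if acct is None:
        return 404, {"error": "no such user"}
    page_data = {"name": acct["name"], "balance": acct["balance"]}
    ok = hmac.compare_digest(acct["password_hash"], _hash_password(password))
    # 'loggedIn' gates what the client *shows*, not what it *receives*:
    # anyone who views the response source sees page_data even when ok is False.
    return 200, {"loggedIn": ok, "account": page_data}


def hardened_login(user_id: str, password: str):
    """Authenticate first; on failure return a generic error with no account
    data and the same status whether or not the user exists."""
    acct = ACCOUNTS.get(user_id)
    # Hash even for an unknown user so response time does not reveal existence.
    expected = acct["password_hash"] if acct else _hash_password("")
    if acct is None or not hmac.compare_digest(expected, _hash_password(password)):
        return 401, {"error": "invalid login"}
    return 200, {"account": {"name": acct["name"], "balance": acct["balance"]}}


def response_leaks_account(payload: dict) -> bool:
    """Detection check: does the response body carry account data at all?"""
    return "account" in payload


if __name__ == "__main__":
    for handler in (leaky_login, hardened_login):
        status, payload = handler("123-45-6789", "wrong password")
        print(handler.__name__, status, "leaks account data:" ,
              response_leaks_account(payload))
```

The check worth automating from this is `response_leaks_account` run against a failed-login response: if any account field appears in the body when the credentials were wrong, the data is reaching the client before authorisation, whatever the UI shows.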
Current thread:
- Neato Bell Atlantic Feature J Edgar Hoover (Aug 13)
- Re: Neato Bell Atlantic Feature Chris Tresco (Aug 13)
- Re: Neato Bell Atlantic Feature Seth Cohn (Aug 14)
- Re: Neato Bell Atlantic Feature Russell Berry (Aug 14)
- Re: Neato Bell Atlantic Feature Marc Maiffret (Aug 14)
- Re: Neato Bell Atlantic Feature J Edgar Hoover (Aug 14)
- Re: Neato Bell Atlantic Feature Blue Boar (Aug 14)
- Re: Neato Bell Atlantic Feature Seth Cohn (Aug 14)
- Re: Neato Bell Atlantic Feature Chris Tresco (Aug 13)
- Re: Neato Bell Atlantic Feature Blue Boar (Aug 14)
- <Possible follow-ups>
- Re: Neato Bell Atlantic Feature Stephen Friedl (Aug 14)