BreachExchange mailing list archives

Privacy Breach at Astratel (Australia)


From: lyger <lyger () attrition org>
Date: Fri, 31 Mar 2006 16:58:50 -0500 (EST)


http://australianit.news.com.au/articles/0,7204,18665780%5E15306%5E%5Enbv%5E,00.html

Andrew Colley
MARCH 31, 2006

A security hole in Sydney internet provider Astratel's LiveBilling online 
account management system has seriously compromised its customers' privacy.

Astratel customer Nick Adams notified the ISP after he discovered that he could 
view billing information and call records for other customers, by lodging their 
phone number into an online query form.

Mr Adams also demonstrated that a non-Astratel member could access the 
compromised web query service by transplanting code from the page where it was 
located and placing it at an alternative web address.

"There's no security moving between the pure members section and this 
LiveBilling part of the web site. You can put anyone's phone number and you 
pull their call records and their account balance," Mr Adams said.

The link to the compromised billing service was still accessible until late 
today.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/

