funsec mailing list archives
Re: Citibank hacked by URL fuzzing?
From: James Triplett <jm-funsec () vj8 net>
Date: Wed, 15 Jun 2011 14:00:30 -0400
On (15/06/11 12:34), Drsolly wrote:
> Date: Wed, 15 Jun 2011 12:34:23 +0100 (BST)
> From: Drsolly <drsollyp () drsolly com>
> To: Robert Slade <rmslade () shaw ca>
> Cc: funsec () linuxbox org
> Subject: Re: [funsec] Citibank hacked by URL fuzzing?
>
> Here's how it works.
>
> Journo: "Are you a security expert?"
> Village idiot: "Yes"
>
> Thus, the village idiot is now a security expert.
>
> On Tue, 14 Jun 2011, Robert Slade wrote:
>
>> Apparently, the intruders who breached Citibank tried putting different "account numbers into a string of text located in the browser's address bar."
>>
>> http://nyti.ms/lNpNP3
>>
>> Boy, account numbers in the URL. Now who could have guessed that bad guys would have tried messing with that?
>>
>> "The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said."
Could this be disinformation? Maybe the real vulnerability was even stupider, and corporate security decided to sacrifice a "security expert" to the inquiring mobs...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.