Friday 17 June 2011

Citi's URLs

I am aware that this topic has been covered a million times already within testing circles. Apparently Citi didn't do their homework: after a user had logged in, the account identifier sat in the URL, and the server used that identifier alone to decide which account to show. Without any further authorization check, anyone could simply change the identifier to access another user's account. You can read more about it here.

The NY Times spins this as sophistication on the part of the villains in this piece.

One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. “It would have been hard to prepare for this type of vulnerability,” he said. The security expert insisted on anonymity because the inquiry was at an early stage.

I love how things like this still happen. I tried to mentally defend the Citi folk by putting myself in their testers' position, thinking "hey, I could probably have overlooked a mistake like that as well - it's too simple, I'd probably begin testing something much more complex ..." and so on. Also disregarding, of course, the fact that there were probably a whole group of testers involved in this, as well as audits by third parties et cetera.

The more I thought about it, though, the more I realized that no, no I wouldn't miss something like this. Even if I just spent a single test session on security testing, a flaw like this would be evident within the first five minutes: log in, look at the identifier in the URL, change it by one, and see whose account comes back. I hope so, at least, I really do - or I might as well hand in my keyboard and join the circus right now.

The other angle of this that is absolutely adorable is the alleged security experts who are interviewed by the NY Times.

The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.

I think "ingenious" might be a strong word for this. Sure, if the number sequence isn't obviously a social security number or bank account number, it would require an ounce of imagination to guess that it identifies an account and that neighbouring values identify other people's accounts. An ounce. Didn't we do this to Hotmail accounts 15 years ago? Also no, it would not have been "hard to prepare for this type of vulnerability". If "never trust an identifier from the client to decide whose data to show" isn't the first rule of handling accounts on the web, it should at least be among the top three.
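To make the bug described at the top of this post and the five-minute test concrete, here is an added example that is not from Citi, the NY Times, or the original post. It models the pattern in a few lines of Python: an account view that authenticates the session but then fetches whatever account id the request names, a hardened view that also checks ownership, and the enumeration check a tester would run against both. The account numbers, owners, balances and session tokens are all constructed for illustration; the sequential ids stand in for whatever predictable identifier a real site might expose.

```python
"""Added example: insecure direct object reference in an account view,
its hardened form, and the enumeration check that finds it.
All data below is constructed; nothing here is Citi's code."""
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    owner: str
    balance: int


# Constructed sample data: three customers with sequential account numbers.
ACCOUNTS = {
    1001: Account(1001, "alice", 2500),
    1002: Account(1002, "bob", 900),
    1003: Account(1003, "carol", 43000),
}

# Constructed session store: session token -> authenticated user.
SESSIONS = {
    "sess-alice": "alice",
    "sess-bob": "bob",
}


def current_user(session_token):
    """Authentication: map a session token to the logged-in user."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("not logged in")
    return user


def vulnerable_account_view(session_token, account_id):
    """Authenticates the session, then trusts the URL's account_id as-is."""
    current_user(session_token)          # authentication happens...
    account = ACCOUNTS.get(account_id)   # ...but the object is fetched by the
    if account is None:                  # client-supplied id alone
        raise KeyError("no such account")
    return {"owner": account.owner, "balance": account.balance}


def hardened_account_view(session_token, account_id):
    """Same lookup, but the account must belong to the authenticated user.
    With a database this is the WHERE owner = :user AND id = :id form:
    scope the query to the session's user instead of fetching and hoping."""
    user = current_user(session_token)
    account = ACCOUNTS.get(account_id)
    # Same error for "missing" and "not yours", so an enumerating client
    # does not even learn which ids exist.
    if account is None or account.owner != user:
        raise PermissionError("not found")
    return {"owner": account.owner, "balance": account.balance}


def idor_check(view, session_token, own_account_id, probe_range):
    """The five-minute test: log in once, then walk the neighbouring ids.
    Returns the ids for which the view handed back someone else's account."""
    me = current_user(session_token)
    leaked = []
    for account_id in probe_range:
        if account_id == own_account_id:
            continue
        try:
            data = view(session_token, account_id)
        except (PermissionError, KeyError):
            continue
        if data["owner"] != me:
            leaked.append(account_id)
    return leaked


if __name__ == "__main__":
    probe = range(1000, 1010)
    print("vulnerable:", idor_check(vulnerable_account_view, "sess-alice", 1001, probe))
    print("hardened:  ", idor_check(hardened_account_view, "sess-alice", 1001, probe))
```

Run as Alice against the vulnerable view, the check reports Bob's and Carol's account ids; against the hardened view it reports nothing, and Alice cannot tell whether 1002 exists at all. Note that the fix is an authorization check tied to the session, not hiding the id (a POST body or a cookie is just as easy to edit as a URL) and not a longer random id, which only slows the enumeration down.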

Still, I love the whole thing. It bears witness to an innocence, a naïveté - as well as a fundamental refusal to learn anything from history - that promises I will be able to find work as a tester for many years to come.
