Feeds

Citigroup hack exploited easy-to-detect web flaw

Brute force attack exposes 200,000 accounts

High performance access to file storage

Hackers who stole bank account details for 200,000 Citigroup customers infiltrated the company's system by exploiting a garden-variety security hole in the company's website for credit card users, according to a report citing an unnamed security investigator.

The New York Times reported that the technique allowed the hackers to leapfrog from account to account on the Citi website by changing the numbers in the URLs that appeared after customers had entered valid usernames and passwords. The hackers wrote a script that automatically repeated the exercise tens of thousands of times, the NYT said in an article published Monday.

“Think of it as a mansion with a high-tech security system – that the front door wasn't locked tight,” reporters Nelson D. Schwartz and Eric Dash wrote.

The underlying vulnerability, known as an insecure direct object reference, is so common that it's included in the Top 10 Risks list compiled by the Open Web Application Security Project. It results when developers expose direct references to confidential account numbers instead of using substitute characters to ensure the account numbers are kept private.

“That's an easy attack to detect, and they just didn't do it,” Jeff Williams, the CEO of Aspect Security and the OWASP chair, told The Reg. “It's a really common flaw.”

In addition to rewriting apps so accounts are never referenced directly, Citi could have detected the hack attack as it was commenced by employing code that automatically reported users who repeatedly fed suspicious characters into website URLs.

A Citigroup spokesman told the NYT the breach was discovered in early May and “rectified immediately.” There was no mention of whether, or how often, the site was subjected to audits by outside security experts.

With the proliferation of high-profile attacks hitting Sony, RSA Security, Lockheed Martin and more than a dozen other companies in the past year, it's worth remembering that many exploited simple flaws that were easy to spot. For example, Albert Gonzalez, the hacker who stole data for hundreds of millions of credit card users, pierced the defenses of some of the world's biggest payment processors by wielding SQL-injection attacks that exploited simple flaws in web applications.

Latvian hackers did much the same thing against US brokerage D.A. Davidson in 2007.

Unfortunately, easy to detect or exploit doesn't necessarily mean inexpensive to fix, so many companies have little incentive to find and correct the bugs until it's too late.

The Citi hackers also took advantage of a flaw in the Java programming framework to access information stored in an Oracle database maintained by the bank, The Financial Times reported Tuesday. An unnamed investigator told the FT the situation was “alarming,” given the wide use of Java and the database software, which are both offered by Oracle.

US authorities are demanding information from Citigroup in the wake of the epic blunder, which exposed the names, account numbers, email addresses and transaction histories of more than 200,000 customers, the FT added. Here's hoping the officials make the Owasp top 10 list required reading for all Citi developers. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.