If the information the NYT has received about the Citigroup breach is correct, and the intrusion was made possible by exploiting a vulnerability so frequent and common that it made OWASP’s top 10 web application risks list, one wonders how it is possible that the world’s largest financial services company has no security experts who would remedy it.
The flaw in question is called insecure direct object reference, and it happens when an application exposes references to its internal objects (such as account numbers) to users without checking that they are actually authorized to access them.
In Citigroup’s case, after a credit card customer had successfully logged in with a username and password, the URL of the page that appeared contained the customer’s account number.
Once the attackers realized it – I’m guessing one of them probably had an account with Citigroup – it was only a matter of writing a script that would feed random numbers into the URL; every time a request successfully accessed an account, the attackers harvested the information contained in it.
If that is true, there is another thing bugging me – why was this “bombarding” of the site with bogus account numbers, over and over again, not noticed by anyone? Why wasn’t there a mechanism in place that would be triggered by this kind of activity?
But maybe, in this case, they couldn’t spot it? Maybe the script was written in such a way that the requests were randomized and spread over a long period of time? One would presume that the attackers would try to get as much information as possible in a short time before the attack was detected, but you never know.
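To make the two points above concrete, here is an added example (not Citigroup’s code, and not from the NYT report): a minimal model of the account page that trusts the account number in the URL, the same page fixed to authorize against the logged-in session, and a simple detector that flags sessions requesting more distinct account numbers than a real customer would. The account table and log lines are constructed sample data, and the log format is an assumption.

```python
from collections import defaultdict

# Constructed sample data: account number -> (owner username, balance)
ACCOUNTS = {
    "4000001": ("alice", 120.0),
    "4000002": ("bob", 75.5),
    "4000003": ("carol", 9.99),
}

def account_view_vulnerable(session_user, requested_account):
    """Insecure direct object reference: the account number comes straight from
    the URL and is never compared with the session user, so any logged-in
    customer can read any account that exists."""
    record = ACCOUNTS.get(requested_account)
    if record is None:
        return None
    owner, balance = record            # owner is looked up but never checked
    return {"account": requested_account, "balance": balance}

def account_view_fixed(session_user, requested_account):
    """Hardened version: the server-side session decides what may be read.
    Unknown and foreign accounts get the identical response, so the page does
    not reveal which account numbers exist."""
    record = ACCOUNTS.get(requested_account)
    if record is None or record[0] != session_user:
        return None
    return {"account": requested_account, "balance": record[1]}

def flag_enumeration(log_lines, threshold=3):
    """Detection: a customer session normally touches its own account (or a
    handful), so a session requesting many distinct account numbers, whether
    they succeed or 404, is the signal the post asks about."""
    seen = defaultdict(set)
    for line in log_lines:
        session, account, _status = line.split()   # assumed log layout
        seen[session].add(account)
    return sorted(s for s, accts in seen.items() if len(accts) >= threshold)

# Constructed log lines: "<session> <requested_account> <http_status>"
SAMPLE_LOG = [
    "sess-A 4000001 200",
    "sess-B 4000002 200",
    "sess-B 4000003 200",
    "sess-B 4000009 404",
    "sess-B 4000010 404",
]
```

A rate limit alone would not catch a slow, spread-out run like the one speculated about above; counting distinct account numbers per session over a longer window, as the detector does, is independent of request speed.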
All in all, can we now just stop calling it a “sophisticated attack”?