Citigroup breached simply by changing a portion of the URL

By on June 16, 2011, 11:00 AM

Thousands of Citigroup's credit card customers saw their account information compromised last week, and all it took was a browser and changing a few numbers in the URL string after logging into a valid account. That's according to an unnamed security expert talking to The New York Times, but if true, it's an embarrassing oversight from Citi that highlights how careless or oblivious the company was when it came to securing their systems.

According to the report, attackers were able to penetrate the bank's defenses by first logging on to the site reserved for its credit card customers using a valid username and password. Once inside, since the website apparently failed to hide actual account numbers in the URL string, attackers simply used a script to change these numbers and automatically jump from account to account while harvesting any identifiable information.

This type of vulnerability is known as "Insecure Direct Object References" and it's so common that it ranks as the fourth most critical vulnerability on the Open Web Application Security Project's top ten list of security risks in 2010.

How they missed such a flaw and failed to notice a spike in web requests with bogus combinations of numbers is anyone's guess, but with hackers actively probing networks for weaknesses other companies better get ready.

Citigroup says that it first discovered the break-in at the beginning of May during a routine check. After internally analyzing the full extent of the breach the company began notifying customers and replacing credit cards in June. More than 360,000 customers were affected by the breach and credit cards have been reissued to 217,657 accounts.

User Comments: 12

Got something to say? Post a comment
gwailo247, TechSpot Chancellor, said:

Seriously? A credit card company? They haven't updated their security since 1996?

example1013 said:

So basically Citigroup got hacked by exploiting a vulnerability a chimp could take advantage of. I think we've crowned a new champ in the "most easily compromised info" contest so far for this year. Sony may have had passwords and such compromised by an SQL injection, but whoever hacked Citigroup was able to get credit card info by just typing random numbers. The hardest part of that hack would be opening up a bank account, but all that takes is $25.

Kibaruk Kibaruk, TechSpot Paladin, said:

It seems after Sony's hack fiasco a lot of people have noticed how poorly secured big companies really are and taking as much as they can.

Kralnor said:

stewi0001 said:

Epic Fail

Pretty much. That exploit is so simple that anyone could do it.

Guest said:

I guess I know where may anual fees...did go to..

Paying for a compentent developer.

matrix86 matrix86 said:

Wow...that's pretty sad. Wonder who was responsible for this one. LulzSec struck again yesterday, taking down (now THAT takes some serious guts) with a DDoS attack.

amybg said:

People go on about how everyday users should have strong internet security, but in this case it looks like Citigroup should have taken that suggestion a little more personally. Serious failure.

aj_the_kidd said:

Such a simple hack, there's really is not excuse

captaincranky captaincranky, TechSpot Addict, said:

I keep shredding the credit card applications Citigroup sends me. Now I know why.

taimuraly taimuraly said:

CitiGroup more like ShitiGroup. By the way don't secure sites have badges on top and bottom telling the users that the site is legit or can they too be hoaxed?

jonelsorel said:

Interesting.. I wonder what will happen when, after a few more big bank security breaches such as this one, people start getting the feeling that their money really isn't that safe in a bank..

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.