Citigroup breached simply by changing a portion of the URL

Jos


Thousands of Citigroup's credit card customers saw their account information compromised last week, and all it took was a browser and changing a few numbers in the URL string after logging into a valid account. That's according to an unnamed security expert talking to The New York Times, but if true, it's an embarrassing oversight from Citi that highlights how careless or oblivious the company was when it came to securing its systems.

According to the report, attackers were able to penetrate the bank's defenses by first logging on to the site reserved for its credit card customers using a valid username and password. Once inside, since the website apparently failed to hide actual account numbers in the URL string, attackers simply used a script to change these numbers and automatically jump from account to account while harvesting any identifiable information.

This type of vulnerability is known as "Insecure Direct Object References" and it's so common that it ranks as the fourth most critical vulnerability on the Open Web Application Security Project's top ten list of security risks in 2010.

How they missed such a flaw, and failed to notice a spike in web requests carrying bogus combinations of account numbers, is anyone's guess, but with hackers actively probing networks for weaknesses, other companies had better get ready.

Citigroup says that it first discovered the break-in at the beginning of May during a routine check. After internally analyzing the full extent of the breach the company began notifying customers and replacing credit cards in June. More than 360,000 customers were affected by the breach and credit cards have been reissued to 217,657 accounts.
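The flaw the article describes and the check that closes it, as an added example that is not Citi's code or anything from the NYT report: a constructed account lookup in its vulnerable and hardened forms, plus a small detector for the per-session id enumeration the article says went unnoticed. Account numbers, session ids and the log line format are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample data: account number -> record. Not real accounts.
ACCOUNTS = {
    "4000123456": {"owner": "alice", "card": "**** 1111"},
    "4000123457": {"owner": "bob", "card": "**** 2222"},
    "4000123458": {"owner": "carol", "card": "**** 3333"},
}

class Forbidden(Exception):
    """Raised when a request must be refused (an HTTP 403 in a real app)."""

def account_view_vulnerable(session_user, account_id):
    """IDOR: the id comes straight from the URL and the only check is that
    someone is logged in, so any customer can read any other customer's record."""
    if session_user is None:
        raise Forbidden("login required")
    return ACCOUNTS.get(account_id)

def account_view_hardened(session_user, account_id):
    """Same lookup with ownership enforced on every request. A foreign id and an
    unknown id get the same refusal, so the check itself leaks nothing."""
    if session_user is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("not your account")
    return record

# Constructed log format for the detector below (hypothetical, not a real server's).
LOG_RE = re.compile(r"session=(\S+) GET /account\?id=(\d+)")
def enumeration_suspects(log_lines, max_ids=2):
    """Detection for the pattern in the article: one session requesting many
    different account ids. Returns {session: distinct-id count} for sessions
    that requested more than max_ids different ids."""
    ids_per_session = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            ids_per_session[m.group(1)].add(m.group(2))
    return {s: len(ids) for s, ids in ids_per_session.items() if len(ids) > max_ids}

# Constructed access-log sample: s1 behaves normally, s2 walks the id space.
SAMPLE_LOG = [
    "session=s1 GET /account?id=4000123456 200",
    "session=s2 GET /account?id=4000123457 200",
    "session=s2 GET /account?id=4000123458 200",
    "session=s2 GET /account?id=4000123459 404",
]
```

In a real deployment the ownership check belongs in a shared authorization layer rather than each handler, and the detector would run against a session's distinct-id count per time window rather than a whole log.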


 
So basically Citigroup got hacked by exploiting a vulnerability a chimp could take advantage of. I think we've crowned a new champ in the "most easily compromised info" contest so far for this year. Sony may have had passwords and such compromised by an SQL injection, but whoever hacked Citigroup was able to get credit card info by just typing random numbers. The hardest part of that hack would be opening up a bank account, but all that takes is $25.
 
It seems after Sony's hack fiasco a lot of people have noticed how poorly secured big companies really are and taking as much as they can.
 
I guess I know where my annual fees...did go to..
Paying for a competent developer.
 
Wow...that's pretty sad. Wonder who was responsible for this one. LulzSec struck again yesterday, taking down cia.gov (now THAT takes some serious guts) with a DDoS attack.
 
People go on about how everyday users should have strong internet security, but in this case it looks like Citigroup should have taken that suggestion a little more personally. Serious failure.
 
CitiGroup more like ShitiGroup. By the way, don't secure sites have badges on top and bottom telling the users that the site is legit, or can they too be hoaxed?
 
Interesting.. I wonder what will happen when, after a few more big bank security breaches such as this one, people start getting the feeling that their money really isn't that safe in a bank..