Thieves Found Citigroup Site An Easy Entry

15 points by woan almost 14 years ago

3 comments

michaeldhopkins almost 14 years ago
Why is that security analyst acting like this was hard to do? I'm not a cracker and I am always looking at the URL. It would only have taken one out of Citi's millions of customers to notice the flaw or casually examine a potential flaw. It seems it was quite easy for the crackers to prepare to exploit this.

> Once logged in to [the site reserved for Citi's credit card customers], they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar.
>
> The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
>
> One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. “It would have been hard to prepare for this type of vulnerability,” he said. The security expert insisted on anonymity because the inquiry was at an early stage.
jonknee almost 14 years ago
What a stunning oversight. Relying on GET IDs to secure their customer financial data seems almost too amateur to believe. I imagine lawsuits are on the way.
martswite almost 14 years ago
If what the article says is actually true, that simply changing account numbers in the URL allowed them to access other accounts, then I'm completely astounded.

Surely this is one of the first things a programmer learns. It's just basic security.
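
The flaw discussed in this thread, an account number taken from the URL and used without checking that it belongs to the logged-in customer, is sketched below as an added example; it is not code from the article, Citigroup, or any commenter. All function names, sessions, account numbers and log entries are constructed for illustration, and the last function shows how the same access pattern stands out in request logs.

```python
from collections import defaultdict

# Constructed sample data: account records and logged-in sessions.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 980},
    "1003": {"owner": "carol", "balance": 40},
}
SESSIONS = {"sess-a": "alice", "sess-b": "bob"}


def get_account_vulnerable(session_id, account_no):
    """The flaw as described: being logged in is the only check."""
    if session_id not in SESSIONS:
        raise PermissionError("not logged in")
    return ACCOUNTS[account_no]  # account_no from the URL is trusted as-is


def get_account_checked(session_id, account_no):
    """Same lookup, but the record must belong to the session's user."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("not logged in")
    record = ACCOUNTS.get(account_no)
    # Same error for "missing" and "not yours", so responses do not
    # reveal which account numbers exist.
    if record is None or record["owner"] != user:
        raise PermissionError("account not available")
    return record


def sessions_touching_many_accounts(log, threshold=2):
    """Flag sessions that requested more than `threshold` distinct accounts."""
    seen = defaultdict(set)
    for session_id, account_no in log:
        seen[session_id].add(account_no)
    return sorted(s for s, accts in seen.items() if len(accts) > threshold)


# Constructed request log: (session id, account number taken from the URL).
SAMPLE_LOG = [
    ("sess-a", "1001"), ("sess-b", "1002"),
    ("sess-b", "1001"), ("sess-b", "1003"), ("sess-a", "1001"),
]

if __name__ == "__main__":
    print(sessions_touching_many_accounts(SAMPLE_LOG))
```
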