Credential/Session Prediction

Joomla is a widely used open source content management system. Many administrators report that a vulnerability announced August 12th was immediately exploited by hackers to attack Joomla-based web sites. Another report shows a specific site that was defaced by exploiting the same vulnerability.

This incident shows the importance of timely patching, but also brings back the age-old debate around the publication of vulnerabilities by researchers. Does it contribute to software security, or does it just help the hackers?

IDG now reports a bug in the internet banking application of Unibanco, a Brazilian bank. The vulnerability allowed logged-in users to view the transaction receipts of other, unrelated users by changing the "receipt ID" in the form or URL.

Reported by Alexandre Sieira

The Secret Service has arrested at least 6 people in an investigation involving information theft from an Ohio court web site, with the stolen data actively used for identity theft. At least one known identity theft case resulted in a $40,000 loss to the victim.

The sensitive information was stolen by manipulating predictable identifier parameters. The stolen information belongs to at least 270 people and includes the name, address, age and other details that could be used to obtain credit cards and open bank accounts.

The Web site of the Canadian passports authority enabled users to access others' records by modifying the value of a parameter in the URI.

The site of "Big Brother", a reality show in Australia, issued duplicate session IDs to different users because the session ID pool was exhausted. Naturally, the 2nd person to get the same session ID got to see all the details of the 1st one!

A priority code, used to get a free platinum pass to MacWorld Expo, was validated on the client and enabled anyone to get the pass for free. While "grutz" informed the organizers about it, when going over their log files they found out that others had abused the vulnerability without letting anyone know about it.

A bug in Gmail's authentication and session management allowed direct login to anybody's account without requiring any involvement of the victim.

Janus mutual fund used a predictable identifier to authenticate its shareholders, enabling them to vote on behalf of others.

View other customers' orders by changing a guessable number within a URL parameter.

Parameter tampering to jump into someone else's account data.
