Insufficient Authorization

While we have no public record of an exploit in this case, it seems that the mare discovery of vulnerabilities in sage new SaaS (software as a service) offering created so much damage to classify it as an incident.

Sage is the leading provider of accounting software in the UK and it was about to launch a trendy small business SaaS offering. However as ZDnet reports, serious security flaws were discovered in the public beta and the company has to call off the launch. Who discovered the issues? naturally the competition. Duane Jackson, the CEO of a tiny rival company reported them on his blog.

More than anything, the incident shows how difficult it is for developers to migrate from desktop software to a web based offering. This is a whole new ball game, and security is one of the more difficult issues to adjust to. On the other hand it also shows that on line services are much more exposed to scrutiny, which may result in better security down the line.

As for the technical details, the reports found that the following issues in the application:

• Password displayed in clear text and sent in the request line.
• Remember me is on by default on any login.
  
• Access to management sections of the site and other users data.
  

MySpace bulletins, presumably accessible only to the social network of the originator can be access by anyone by iterating through a message id query parameter.

Additional information:

• Data Mining Myspace Bulletins [Full Disclosure Mailing List, Jun 30 2006]

Altiris seems to have designed their servers so that it is easy to both access their customers upload as well as find out their e-mail addresses.

Additional information:

• Convenience or just bad design? [WebAppSec, Jul 12 2006]

Documents uploaded to GSA site where accessed using a predictable sequential identifier without requiring special permissions. The documents where available both for viewing and modifying. The site was in service for more than 18 months until the vulnerability was discovered.

Additional information:

Additional information:

• Advogato xss virus account [Bindshell, Sep 21 2002]

Previously moderated weather announcements could be changed by the user

Additional information:

• Pranksters bedevil TV weather announcment system [Security Focus, Mar 4 2004]

Additional information:

• Indian SATs results leaking [Blog talkback, Mar 10 2005]

Configuration mistake left an unprotected unused virtual host. No details on the configuration problems given.

Additional information:

• Xoops web site hacked [Vendor Web Site, Oct 28 2005]

Business wire allowed access to non published press releases.

Additional information:

• SEC Vs. The Estonian Spiders [Web Pro News, Nov 2 2005]

View other customers orders by changing a sequential number within a URL parameter

Additional information:

• Victoria's Secret Reveals Too Much [CBS News, Oct 22 2003]
• Victoria's Secret reveals far too much [iAfrica, Oct 24 2003]