
Predictable Resource Location


Following a software upgrade, Cahoot, a UK-based Internet-only bank, allowed user accounts to be accessed by guessing their user names: at least one page returned an account when nothing more than the user name was supplied in the URL. The bug was open for 12 days before it was discovered.


The site was taken offline for 10 hours to fix the issue. This is a significant incident: it is one of the rare occasions where a vulnerability was serious enough to force the organization to take the site offline until it was fixed.


MySpace bulletins, presumably accessible only to the originator's social network, could be read by anyone by iterating through a message id query parameter.


Documents uploaded to a GSA site were accessed using a predictable sequential identifier without requiring any special permissions. The documents were available both for viewing and for modification. The site had been in service for more than 18 months before the vulnerability was discovered.
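The MySpace and GSA entries share one mechanism: a record is selected by a client-supplied sequential identifier, and the requester's identity is never compared against who may see that record. The following is an added example, not code from any of the incidents on this page, that models that lookup beside its corrected form and shows how an attacker walks the id space. The store contents, user names and ids are constructed for illustration.

```python
# Added example, not code from any of the incidents on this page.
# It models the pattern shared by the MySpace and GSA entries: a record is
# selected by a client-supplied sequential id and the requester's identity is
# never checked against it. Store contents, user names and ids are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    id: int
    owner: str
    readers: frozenset  # principals allowed to view (owner plus their network)
    body: str


# Constructed sample store with sequential ids and three different owners.
STORE = {
    100: Record(100, "alice", frozenset({"alice", "bob"}), "alice's bulletin"),
    101: Record(101, "carol", frozenset({"carol"}), "carol's private note"),
    102: Record(102, "bob", frozenset({"bob", "alice"}), "bob's weekend plans"),
}


def fetch_vulnerable(session_user, record_id):
    """The incident pattern: the id alone selects the record.

    session_user is accepted but never consulted, so any caller who guesses
    an id gets the record, whoever they are.
    """
    return STORE.get(record_id)


def fetch_fixed(session_user, record_id):
    """Object-level authorization: bind the lookup to the requester.

    session_user must come from the server-side session, never from the URL.
    A missing record and a forbidden record get the same answer so the caller
    cannot use the response to confirm which ids exist.
    """
    record = STORE.get(record_id)
    if record is None or session_user not in record.readers:
        return None
    return record


def enumerate_ids(fetch, session_user, start, stop):
    """What the attacker does: walk the id space and keep every id that hits."""
    return [rid for rid in range(start, stop) if fetch(session_user, rid) is not None]


if __name__ == "__main__":
    # "mallory" owns nothing and is in nobody's network.
    print("vulnerable:", enumerate_ids(fetch_vulnerable, "mallory", 90, 110))
    print("fixed:     ", enumerate_ids(fetch_fixed, "mallory", 90, 110))
    print("fixed, bob:", enumerate_ids(fetch_fixed, "bob", 90, 110))
```

Two points a practitioner should carry over from the incidents. First, the GSA documents could be modified as well as viewed, so the same ownership check must gate every write path, not only the read. Second, replacing sequential ids with random, unguessable ones only raises the cost of enumeration; it is defense in depth, not a substitute for checking the requester against the record on every access.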


Sensitive files were left in a publicly accessible directory of a new web server install.


User-submitted information was being stored in a publicly accessible location; the URL of that location was found in the source code of a publicly available web page.
