Disclosure Only

Update (Jan 26th 2009) - an SC Magazine article sheds more light on the incident, revealing that there was actually a breach, apparently using SQL injection, which resulted in the leakage of 10,000 credit card numbers.


An SQL injection vulnerability that could result in a hacker being able to access credit card numbers, expiration dates, and security codes of thousands of consumers was discovered in the web site of retailer "life is good".

The US Federal Trade Commission charged "life is good" with a lack of reasonable and appropriate security for the sensitive consumer information stored on its servers. The company's settlement with the FTC requires it to adopt a very comprehensive and costly security program going forward.


IDG now reports a bug in the internet banking application of Unibanco, a Brazilian bank. The vulnerability allowed logged-in users to view the transaction receipts of other, unrelated users by changing the "receipt ID" in the form or URL.

Reported by Alexandre Sieira


The web site of the Canadian passport authority enables users to access other people's records by modifying the value of a parameter in the URI.


A small XSS vulnerability caught RSnake's eye. What makes it different, after all xssed.com lists thousands and thousands of those? What caught RSnake's eye was the vulnerable site. TJMaxx earned the reputation as the company that suffered the biggest security breach ever. You would expect them to be more careful.


Following a software upgrade, Cahoot, a UK based Internet-only bank, allowed access to user accounts by guessing their user names. At least one page allowed access to an account by specifying only the user name in the URL. The bug was open for 12 days before being discovered.


The site was taken offline for 10 hours to fix the issue. It is a significant incident, as it is one of those rare occasions where a vulnerability was serious enough to force the organization to take the site offline until it was fixed.


I seldom add disclosures to WHID anymore, even fewer XSS disclosures, but since this time they were discovered in banking sites, I thought it was worth it. After all, too many times people think that application vulnerabilities are found only at less "serious" or less "important" web sites where no real damage can occur.


While vulnerabilities in public web sites are a dime a dozen these days and rarely included in WHID, a classic SQL injection in the login form on the home page of the web site of a very big company is worth an entry. In my presentations I usually claim that such vulnerabilities disappeared years ago and then go on to show advanced SQL injection techniques. It seems that they still exist.


MySpace bulletins, presumably accessible only to the social network of the originator, can be accessed by anyone by iterating through a message id query parameter.


An XSS vulnerability was found in the feature that allows adding an arbitrary RSS feed to personal web pages. Since this page resides on the main www.google.com host, the executed JavaScript can access any Google resource.


Altiris seems to have designed their servers so that it is easy both to access their customers' uploads and to find out their e-mail addresses.
