Following a software upgrade, Cahoot, a UK-based Internet-only bank, allowed access to user accounts by guessing their user names. At least one page allowed access to an account by specifying only the user name in the URL, without any check that the visitor had authenticated as that customer. The bug was open for 12 days before being discovered.
The site was taken offline for 10 hours to fix the issue. It is a significant incident, as it is one of the rare occasions where a vulnerability was serious enough to force the organization to take the site offline until it was fixed.
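The flaw described above is a classic missing authorization check: the account displayed is selected by a user-controlled URL parameter rather than by the authenticated session. The following is an added illustration, not Cahoot's code and not taken from any of the linked articles; the `Request` class, the `ACCOUNTS` table and both handlers are hypothetical, and the customer names and balances are constructed sample data. It places the vulnerable pattern beside the hardened form so the difference in the access decision is explicit.

```python
from dataclasses import dataclass, field

# Constructed sample data: two customers and their balances (not real accounts).
ACCOUNTS = {"alice": {"balance": 1200}, "bob": {"balance": 50}}


@dataclass
class Request:
    """Hypothetical request object: URL query parameters plus the server-side session."""
    params: dict
    session: dict = field(default_factory=dict)


def vulnerable_view(req: Request):
    """Flawed handler: the account shown is whatever the URL names.

    Nothing ties the requested user name to who is actually logged in, so any
    visitor who guesses a valid user name is served that customer's data.
    Returns (status_code, account_or_None).
    """
    user = req.params.get("user")
    if user not in ACCOUNTS:
        return 404, None
    return 200, ACCOUNTS[user]


def hardened_view(req: Request):
    """Fixed handler: the account is bound to the authenticated session.

    The identity comes from server-side session state established at login.
    A URL parameter may still be present (e.g. for bookmarking), but it is
    only honoured when it matches the session owner; otherwise the request
    is refused and should be logged for review.
    Returns (status_code, account_or_None).
    """
    user = req.session.get("user")
    if user is None or user not in ACCOUNTS:
        return 401, None  # no authenticated customer in this session
    requested = req.params.get("user")
    if requested is not None and requested != user:
        return 403, None  # attempt to view another customer's account
    return 200, ACCOUNTS[user]


if __name__ == "__main__":
    # Unauthenticated request naming another customer: vulnerable handler leaks,
    # hardened handler refuses.
    probe = Request(params={"user": "alice"})
    print("vulnerable:", vulnerable_view(probe))
    print("hardened:  ", hardened_view(probe))
```

The useful regression check for a site like this is the negative case: an unauthenticated request, or one authenticated as a different customer, must never receive a 200 for an account it does not own.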
We somehow missed this story, so it finds its way into WHID only now, in late 2007.
Additional information:
- Security flaw exposed in Cahoot bank accounts [Silicon.com, Oct 5 2004]
- Leader: Not another security scare [Silicon.com, Oct 5 2004]
- Cahoot hit by web security scare [BBC, Oct 5 2004]