WHID 2007-78: A Brazilian banking site allows users to view receipts intended for others


IDG now reports a bug in the internet banking application of Unibanco, a Brazilian bank. The vulnerability allowed logged-in users to view transaction receipts of other, unrelated users by changing the "receipt ID" on the form or URL.
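An added example, not code from the bank's application or from the report: a receipt lookup keyed only on the client-supplied ID, beside one that also checks that the session's user owns the receipt. The data, user names and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Receipt:
    receipt_id: int
    owner: str
    body: str


# Constructed sample data; users and receipt IDs are hypothetical.
RECEIPTS = {
    1001: Receipt(1001, "alice", "Transfer 150.00"),
    1002: Receipt(1002, "bob", "Bill payment 89.90"),
}

denied_log = []  # (session_user, receipt_id) pairs kept for monitoring


class ReceiptNotFound(Exception):
    """Raised for missing receipts and for receipts owned by someone else."""


def get_receipt_unchecked(session_user, receipt_id):
    # The flaw as described: being logged in is the only requirement,
    # so any receipt ID placed in the form or URL is served.
    return RECEIPTS.get(receipt_id)


def get_receipt(session_user, receipt_id):
    # Hardened lookup: the owner is taken from the server-side session,
    # never from the request, and is compared on every access.
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt.owner != session_user:
        if receipt is not None:
            denied_log.append((session_user, receipt_id))
        # Same error in both cases, so the response does not confirm
        # that a receipt with this ID exists for another user.
        raise ReceiptNotFound(receipt_id)
    return receipt


def users_probing_foreign_ids(log, threshold=3):
    # Flag sessions denied on several distinct receipt IDs they do not own.
    seen = {}
    for user, rid in log:
        seen.setdefault(user, set()).add(rid)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```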

Reported by Alexandre Sieira

Additional information:

Incident Outcome: