While we have no public record of an exploit in this case, it seems that the mare discovery of vulnerabilities in sage new SaaS (software as a service) offering created so much damage to classify it as an incident.
Sage is the leading provider of accounting software in the UK and it was about to launch a trendy small business SaaS offering. However as ZDnet reports, serious security flaws were discovered in the public beta and the company has to call off the launch. Who discovered the issues? naturally the competition. Duane Jackson, the CEO of a tiny rival company reported them on his blog.
More than anything, the incident shows how difficult it is for developers to migrate from desktop software to a web based offering. This is a whole new ball game, and security is one of the more difficult issues to adjust to. On the other hand it also shows that on line services are much more exposed to scrutiny, which may result in better security down the line.
As for the technical details, the reports found that the following issues in the application:
Password displayed in clear text and sent in the request line.
Remember me is on by default on any login.
Access to management sections of the site and other users data.
Xiom is the place to find information about Web Application Firewalls (WAFs) including reviews, analysis, announcements and research. Tune to the RSS channel to get every bit of information or subscribe to the newsletter to receive only in depth articles.
Xiom also leasd and hosts the Web Hacking Incidents Database, a Web Application Security Consortium project aimed at maintaining a list of web applications related security incidents.
