Citibank security hole

from the there-is-no-excuse-for-this dept

As a Citibank credit card holder I often check my account statement online. In fact, I don't even get paper statements from them. I recently discovered a security hole in their system. Anyone can view transaction records of any account holder, without any password or username. Don't believe me? Click on this link. That's the monthly membership fee for my account with Citibank. There is absolutely no excuse for this type of security hole from any online site, much less a bank.


Reader Comments



  1. Greg Funk, 29 Oct 2000 @ 5:43pm

    Look closer...

    You should look closer at the URL. This is merely a way of posting information to the page (albeit a lame method). There is no account information related to you. You can confirm this by changing some of the parameters in the URL and getting new output. Try this:

    https://www.accountonline.com/CB/amount.jsp?POSTING_DATE=10%2F20%2F00&SALE_DATE=10%2F20%2F00&TRANSACTION_TYPE_TEXT=ANONYMOUS+USAGE&REFERENCE_NUMBER=00000000&PERSON_NAME=&TRANSACTION_AMOUNT=1000.00&FOREIGN_CURRENCY=&MERCHANT_DESCRIPTION=ANONYMOUS+USAGE+OCT+00-SEP+01++++++++++++&SIC_DESCRIPTION=++++++++++++++++++++++++++++++++++++++++&STATEMENT_DATE=10%2F19%2F00

    Now this would all change if account number and any reference numbers were part of the URL passed.

    Greg


  2. Dan Miller, 29 Oct 2000 @ 10:43pm

    Re: Look closer...

    You are right that it is a posting method. The point is not the stupidity of the URL formation, but the fact that anyone could sit down at my computer, start to type the Citibank address and have the rest auto-filled in, including the URL with the transaction information. This is utterly stupid programming and a security hole, in my view.

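The two comments above make complementary points: the page only formats what the URL carries (Greg), and that is exactly why the URL itself is the exposure, since it lands in browser history and autocomplete (Dan). The following is an added example, not code from Techdirt or Citibank; it models the reflecting page, lists which URL fields carry the holder's transaction data, and shows the assumed hardened design where the URL names a transaction only by an opaque reference resolved against the logged-in session. The sample URL and the `TXN_STORE` records are constructed from the thread, and `PERSONAL_FIELDS` is my own classification.

```python
from urllib.parse import urlsplit, parse_qs
import html

# Fields in the thread's URL that describe the holder's own transaction.
# Classification is this example's assumption, not anything from the site.
PERSONAL_FIELDS = {"PERSON_NAME", "TRANSACTION_AMOUNT", "MERCHANT_DESCRIPTION",
                   "REFERENCE_NUMBER", "SALE_DATE", "POSTING_DATE"}

# Constructed from the URL Greg posted, with the wrapped spaces removed.
SAMPLE_URL = ("https://www.accountonline.com/CB/amount.jsp?"
              "POSTING_DATE=10%2F20%2F00&SALE_DATE=10%2F20%2F00"
              "&TRANSACTION_TYPE_TEXT=ANONYMOUS+USAGE&REFERENCE_NUMBER=00000000"
              "&PERSON_NAME=&TRANSACTION_AMOUNT=1000.00&FOREIGN_CURRENCY="
              "&MERCHANT_DESCRIPTION=ANONYMOUS+USAGE+OCT+00-SEP+01"
              "&SIC_DESCRIPTION=&STATEMENT_DATE=10%2F19%2F00")

def parse_statement_url(url):
    """Flatten the query string of an amount.jsp-style URL into a dict."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}

def render_transaction(params):
    """Model of the reflecting page: output comes from the URL alone, no lookup.
    Values are HTML-escaped before being reflected (defensive habit, assumed)."""
    esc = {k: html.escape(v).strip() for k, v in params.items()}
    return (f"{esc.get('POSTING_DATE', '')} {esc.get('MERCHANT_DESCRIPTION', '')} "
            f"{esc.get('TRANSACTION_AMOUNT', '')}")

def personal_data_in_url(url):
    """Names of non-empty fields carrying transaction data in the GET URL.
    Everything here ends up in history, autocomplete, proxy logs and Referers."""
    params = parse_statement_url(url)
    return sorted(k for k, v in params.items() if k in PERSONAL_FIELDS and v.strip())

# Hypothetical server-side store: opaque reference -> (owner, record).
TXN_STORE = {"t-1001": ("dan", {"POSTING_DATE": "10/20/00",
                                "MERCHANT_DESCRIPTION": "MEMBERSHIP FEE",
                                "TRANSACTION_AMOUNT": "50.00"})}

def resolve_transaction(session_user, txn_ref):
    """Hardened form (assumed design): the URL carries only ?txn=<ref>; the record
    is fetched server-side and released only to the session that owns it."""
    owner, record = TXN_STORE.get(txn_ref, (None, None))
    if owner is None or owner != session_user:
        return None  # unknown reference, or it belongs to another customer
    return record

if __name__ == "__main__":
    print(render_transaction(parse_statement_url(SAMPLE_URL)))
    print(personal_data_in_url(SAMPLE_URL))
    print(resolve_transaction("dan", "t-1001"), resolve_transaction("eve", "t-1001"))
```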

  3. mhh5, 29 Oct 2000 @ 11:10pm

    Re: Look closer...

    I hope you've reported that hole... But it's not an uncommon thing....


  4. Ookami, 30 Oct 2000 @ 9:21am

    The URL is secure

    After playing with the URL you posted for a min or two I have determined that the only thing that could be potentially insecure about it is that someone could grab your account number. Using that URL though does not pose any security risk. The only place the information in that URL goes is into a script that formats whatever is in it. Their database is not accessed. Check out my modification of the link here to see an example.

    Otakudo - The Way of the Nerd.


  5. R.E.Norton, 30 Oct 2000 @ 9:23am

    Re: Look closer...

    Two things: You should not allow untrusted persons to access your PC. If this is not possible, use the Browser's feature to delete all history from the cache and the URL bar...
