Twiddle id numbers in URLs for fun and profit
source link: http://rachelbythebay.com/w/2011/06/15/dataleak/

It seems Citibank is in the news this week with a really fun hole in their systems. According to reports, once you logged in, there was a URL like /user/1234, and you could change it to /user/2345, and it would Just Work. Brilliant!
This pattern is incredibly common. One time, I had a chance to try it. A brand new "customer portal" had just rolled out, and we had started receiving support tickets asking us to do this or that. One thing techs could do was log in to the customer's view of the portal, so I did that to help someone out one day. Up in my URL bar, I noticed something weird: ...com/something/else/blah=12345.
Now, at that point in time, I had been working on reporting tools and other things using the raw contact IDs in the ticketing system, so I knew quite a few of them by heart. I put in my own and hit enter. Sure enough, up came my full contact info, even though I was in someone else's account. I put in a really low number, for a tech who had been with the company for a long time. His data came up. Then I put in 1 and got "System Administrator".
This was hilarious. I found someone on the support floor who didn't have an employee-linked account, got them to log into the portal as themselves, and then did the trick. It worked. Soon a small crowd had gathered, and all of us second-shift types were having a good laugh at it.
Fortunately, it was early enough to where the folks who wrote the portal were still in the office, and I just strolled over to "report a massive security hole". Rather than just saying what it was, I said, here's how you reproduce it. As soon as I gave them the punchline, their eyes all bugged out and a whole lot of clickity-clicking started. I imagine it was fixed not long thereafter.
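The hole described above, side by side with the fix the portal team would have needed. This is an added example, not the portal's own code or anything from the post: the in-memory contact table, the `Session` shape and the HTTP-style `(status, body)` return values are assumptions made for illustration.

```python
"""Vulnerable vs. hardened lookup of a portal contact record by numeric id.

Added example, not the portal code from the post. The in-memory table, the
Session shape and the HTTP-style (status, body) return are all assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data. Contact ids are global sequential integers,
# which is exactly what makes guessing a neighbouring id trivial.
CONTACTS = {
    1:     {"name": "System Administrator", "account": "internal"},
    42:    {"name": "Long-time tech",       "account": "internal"},
    12345: {"name": "Some Customer",        "account": "acme"},
    12346: {"name": "Other Customer",       "account": "globex"},
}

@dataclass(frozen=True)
class Session:
    contact_id: int   # the contact the caller logged in as
    account: str      # the customer account that login belongs to

def handle_vulnerable(session: Optional[Session],
                      contact_id: int) -> Tuple[int, Optional[dict]]:
    """The pattern from the post: the id in the URL is trusted as-is.
    The session only proves that *someone* is logged in; nothing ties the
    requested contact to that someone, so any id in the table is served.
    """
    if session is None:
        return 401, None
    record = CONTACTS.get(contact_id)
    return (200, record) if record else (404, None)

def handle_hardened(session: Optional[Session],
                    contact_id: int) -> Tuple[int, Optional[dict]]:
    """Same lookup, but the record must belong to the caller's account.
    Authorization is checked against the loaded record, so an id from
    another account (or an internal one) fails closed. 'Not found' and
    'not yours' both get 404 so the response does not reveal which ids exist.
    """
    if session is None:
        return 401, None
    record = CONTACTS.get(contact_id)
    if record is None or record["account"] != session.account:
        return 404, None
    return 200, record
```

The point to take from the hardened handler is that the check is made against the record that was actually loaded, not against the id alone, so it keeps working when ids are re-used or records change hands.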
I'm sure this pattern will continue unabated, much to the joy of those who profit from such uses.