Twiddle id numbers in URLs for fun and profit

Twiddle id numbers in URLs for fun and profit

It seems Citibank is in the news this week with a really fun hole in their systems. According to reports, once you logged in, there was a URL like /user/1234, and you could change it to /user/2345, and it would Just Work. Brilliant!

This pattern is incredibly common. One time, I had a chance to try it. A brand new "customer portal" had just rolled out, and we had started receiving support tickets asking us to do this or that. One thing techs could do was log in to the customer's view of the portal, so I did that to help someone out one day. Up in my URL bar, I noticed something weird: ...com/something/else/blah=12345.

Now, at that point in time, I had been working on reporting tools and other things using the raw contact IDs in the ticketing system, so I knew quite a few of them by heart. I put in my own and hit enter. Sure enough, up came my full contact info, even though I was in someone else's account. I put in a really low number, for a tech who had been with the company for a long time. His data came up. Then I put in 1 and got "System Administrator".

This was hilarious. I found someone on the support floor who didn't have an employee-linked account, got them to log into the portal as themselves, and then did the trick. It worked. Soon a small crowd had gathered, and all of us second-shift types were having a good laugh at it.

Fortunately, it was early enough to where the folks who wrote the portal were still in the office, and I just strolled over to "report a massive security hole". Rather than just saying what it was, I said, here's how you reproduce it. As soon as I gave them the punchline, their eyes all bugged out and a whole lot of clickity-clicking started. I imagine it was fixed not long thereafter.

I'm sure this pattern will continue unabated, much to the joy of those who profit from such uses.