Hackers who stole bank account details for 200,000 Citigroup customers infiltrated the company's system by exploiting a garden-variety security hole in the company's website for credit card users, according to a report citing an unnamed security investigator.
The New York Times reported that the technique allowed the hackers to leapfrog from account to account on the Citi website by changing the numbers in the URLs that appeared after customers had entered valid usernames and passwords. The hackers wrote a script that automatically repeated the exercise tens of thousands of times, the NYT said in an article published Monday.
“Think of it as a mansion with a high-tech security system – that the front door wasn't locked tight,” reporters Nelson D. Schwartz and Eric Dash wrote.
The underlying vulnerability, known as an insecure direct object reference, is so common that it's included in the Top 10 Risks list compiled by the Open Web Application Security Project. It results when developers expose direct references to confidential account numbers instead of using substitute characters to ensure the account numbers are kept private.
“That's an easy attack to detect, and they just didn't do it,” Jeff Williams, the CEO of Aspect Security and the OWASP chair, told The Reg. “It's a really common flaw.”
In addition to rewriting apps so accounts are never referenced directly, Citi could have detected the hack attack as it was commenced by employing code that automatically reported users who repeatedly fed suspicious characters into website URLs.
A Citigroup spokesman told the NYT the breach was discovered in early May and “rectified immediately.” There was no mention of whether, or how often, the site was subjected to audits by outside security experts.
With the proliferation of high-profile attacks hitting Sony, RSA Security, Lockheed Martin and more than a dozen other companies in the past year, it's worth remembering that many exploited simple flaws that were easy to spot. For example, Albert Gonzalez, the hacker who stole data for hundreds of millions of credit card users, pierced the defenses of some of the world's biggest payment processors by wielding SQL-injection attacks that exploited simple flaws in web applications.
Latvian hackers did much the same thing against US brokerage D.A. Davidson in 2007.
Unfortunately, easy to detect or exploit doesn't necessarily mean inexpensive to fix, so many companies have little incentive to find and correct the bugs until it's too late.
The Citi hackers also took advantage of a flaw in the Java programming framework to access information stored in an Oracle database maintained by the bank, The Financial Times reported Tuesday. An unnamed investigator told the FT the situation was “alarming,” given the wide use of Java and the database software, which are both offered by Oracle.
US authorities are demanding information from Citigroup in the wake of the epic blunder, which exposed the names, account numbers, email addresses and transaction histories of more than 200,000 customers, the FT added. Here's hoping the officials make the Owasp top 10 list required reading for all Citi developers. ®