Citigroup attack highlights insufficient authorization error

via Citigroup attack highlights insufficient authorization error:

Hackers logged onto a site reserved for credit card customers then inserted various account numbers into a string of text located in the browser’s address bar, according to a report in the New York Times, which cited anonymous sources close to the investigation. The cybercriminals repeated their actions, capturing the names, account numbers, email addresses and transaction histories of more than 200,000 Citigroup customers.

A client of mine had nearly that exact same vulnerability, except in this case, it allowed the user to log in through a URL with the last four digits of their social security number.  So by merely crafting a URL with a random 4-digit number, a hacker could gain authenticated access to untold numbers of accounts.

Happily, we discovered it before anyone else did, as far as we know.
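The flaw in both stories is the same: the site authenticates the user and then trusts an account identifier taken straight from the URL, never asking whether that account belongs to the logged-in user. Below is an added example (not code from the article, from Citigroup, or from the client system mentioned above) showing a vulnerable account lookup beside its hardened form and a small loop that models the attacker walking the number space. Account records, names and the `acct` parameter are constructed for illustration.

```python
"""Added example: insufficient authorization (IDOR) on an account lookup.
Not code from the article or the blog's client; data is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str
    owner: str        # user id that owns this account
    email: str
    history: tuple    # transaction history, abbreviated


# Constructed sample data: three customers, one card account each.
ACCOUNTS = {
    "4000000000000001": Account("4000000000000001", "alice", "alice@example.com", ("coffee", "fuel")),
    "4000000000000002": Account("4000000000000002", "bob", "bob@example.com", ("rent",)),
    "4000000000000003": Account("4000000000000003", "carol", "carol@example.com", ()),
}


class Forbidden(Exception):
    """Caller is authenticated but not authorised for the requested object."""


def vulnerable_lookup(session_user: str, account_number: str) -> Account:
    """Checks only that *someone* is logged in, then trusts the account
    number taken from the query string. Any authenticated user can walk
    the keyspace and read every other customer's record."""
    if not session_user:
        raise PermissionError("login required")
    return ACCOUNTS[account_number]   # missing ownership check


def hardened_lookup(session_user: str, account_number: str) -> Account:
    """Authenticate, then authorise: the record must belong to the session's
    user. Unknown and foreign accounts get the same response so the endpoint
    does not confirm which numbers exist."""
    if not session_user:
        raise PermissionError("login required")
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.owner != session_user:
        raise Forbidden("no such account for this user")
    return acct


def enumerate_accounts(lookup, session_user: str, candidates) -> list:
    """Model the attack: one login, many guessed numbers in the URL.
    Returns whatever records the lookup hands back."""
    found = []
    for number in candidates:
        try:
            found.append(lookup(session_user, number))
        except (KeyError, Forbidden):
            continue
    return found


if __name__ == "__main__":
    guesses = [f"40000000000000{i:02d}" for i in range(10)]
    print("vulnerable:", [a.owner for a in enumerate_accounts(vulnerable_lookup, "alice", guesses)])
    print("hardened:  ", [a.owner for a in enumerate_accounts(hardened_lookup, "alice", guesses)])
```

The hardened version keys the authorization decision on the server-side session, not on anything the client supplied, and returns the same error for "does not exist" and "not yours" so the endpoint cannot be used as an oracle for valid account numbers. The same reasoning applies to the last-four-digits-of-SSN login above: a four-digit value is a 10,000-entry keyspace, not a credential.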

Citigroup likely detected the flaw in its own analytics engine. A person monitoring analytics tools would see different spikes of anomalous user activity. An individual sending in 200,000 server requests should generate an alert, Grossman said. Further inspection of the logs would show that a person is conducting an attack by tweaking the URL.

Saved by the logs and SIEM!
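As an added example of the log inspection the quoted paragraph describes (this is not Citigroup's tooling or anything from the article), here is a check run over a few constructed access-log lines. Raw request volume is one signal, but the more specific one for URL tampering is a single client naming far more distinct account identifiers than a real customer would. The log layout, the `/account?acct=` endpoint and the threshold are assumptions.

```python
"""Added example: detecting account enumeration from access logs.
Not the article's or any vendor's code; log lines are constructed."""

import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in a combined-log-style layout (assumed format).
SAMPLE_LOG = """\
198.51.100.7 - alice [13/Jun/2011:10:00:01 +0000] "GET /account?acct=4000000000000001 HTTP/1.1" 200
198.51.100.7 - alice [13/Jun/2011:10:00:02 +0000] "GET /account?acct=4000000000000002 HTTP/1.1" 200
198.51.100.7 - alice [13/Jun/2011:10:00:02 +0000] "GET /account?acct=4000000000000003 HTTP/1.1" 200
198.51.100.7 - alice [13/Jun/2011:10:00:03 +0000] "GET /account?acct=4000000000000004 HTTP/1.1" 404
198.51.100.7 - alice [13/Jun/2011:10:00:03 +0000] "GET /account?acct=4000000000000005 HTTP/1.1" 200
203.0.113.9 - bob [13/Jun/2011:10:00:05 +0000] "GET /account?acct=4000000000000002 HTTP/1.1" 200
203.0.113.9 - bob [13/Jun/2011:10:00:09 +0000] "GET /account?acct=4000000000000002 HTTP/1.1" 200
203.0.113.9 - bob [13/Jun/2011:10:01:00 +0000] "GET /statements HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return ((ip, user), account_number, status) for account lookups,
    or None for any other line. Keying on (ip, user) keeps a shared NAT
    address apart from a single session."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    acct = parse_qs(parts.query).get("acct")
    if parts.path != "/account" or not acct:
        return None
    return (m.group("ip"), m.group("user")), acct[0], int(m.group("status"))


def find_enumerators(log_text, max_distinct=3):
    """Flag each client whose lookups name more than `max_distinct`
    different account numbers. A customer touches a handful of accounts;
    someone editing the URL touches many. Returns
    {client: sorted distinct account numbers requested}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, acct, _status = parsed
        seen[client].add(acct)
    return {c: sorted(a) for c, a in seen.items() if len(a) > max_distinct}


if __name__ == "__main__":
    for (ip, user), accts in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {ip} (user {user}): {len(accts)} distinct accounts requested: {accts}")
```

Bob re-reads his own account and is not flagged; the first client requests five different numbers in three seconds and is. In practice the threshold belongs to a time window, and a rising share of 404/403 responses from the same client is a second useful signal, since guesses that miss are exactly what a real customer never produces.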
