Okay, I'll bite.
Apparently, the intruders who breached Citibank tried putting different
"account numbers into a string of text located in the browser’s address
bar."
http://nyti.ms/lNpNP3
Boy, account numbers in the URL. Now who could have guessed that bad
guys would have tried messing with that? "The method is seemingly
simple, but the fact that the thieves knew to focus on this particular
vulnerability marks the Citigroup attack as especially ingenious,
security experts said."
Okay, my English must be rusty. I always thought the proper spelling was
"i-n-g-e-n-U-o-u-s".
The fun actually continues in the next paragraph:
===
One security expert familiar with the investigation wondered how the
hackers could have known to breach security by focusing on the
vulnerability in the browser. “It would have been hard to prepare for this
type of vulnerability,” he said. The security expert insisted on anonymity
because the inquiry was at an early stage.
===
The quoted sentence contains an extra "for"; unless there is something
more behind the scenes, it's probably the most obvious attack vector one
can think of.
Peter
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
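The vector Peter is describing is plain parameter tampering: the server served whatever account number the URL carried. As an added example (not from the post, and not Citibank's code), here is a constructed in-memory bank with the vulnerable lookup, a hardened one that only returns accounts owned by the authenticated user, and a log check that flags sessions walking through many account numbers; the data, function names and log format are all assumptions.

```python
"""Added example: account numbers in the URL are only a problem when the
server trusts them.  Constructed data, vulnerable vs. hardened handler,
and a simple enumeration detector over constructed access-log lines."""
from collections import defaultdict

# Constructed sample data: account number -> (owner user id, balance)
ACCOUNTS = {
    "1001": ("alice", 250.00),
    "1002": ("bob", 3100.50),
    "1003": ("carol", 12.75),
}

class Forbidden(Exception):
    pass

def view_account_vulnerable(session_user, account_no):
    """Trusts the URL parameter: any logged-in user can read any account."""
    owner, balance = ACCOUNTS[account_no]
    return {"account": account_no, "balance": balance}

def view_account_hardened(session_user, account_no):
    """Authorizes the requested account against the authenticated identity."""
    owner, balance = ACCOUNTS.get(account_no, (None, None))
    if owner != session_user:
        # Same response whether the number is unknown or belongs to someone
        # else, so the error does not confirm which account numbers exist.
        raise Forbidden("account not available")
    return {"account": account_no, "balance": balance}

def hardened_allows(session_user, account_no):
    """True if the hardened handler would serve this account to this user."""
    try:
        view_account_hardened(session_user, account_no)
        return True
    except Forbidden:
        return False

def suspicious_sessions(log_lines, threshold=3):
    """Detection: users that requested at least `threshold` distinct accounts.
    Constructed log format: 'user=<id> account=<no> status=<code>'."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        seen[fields["user"]].add(fields["account"])
    return sorted(u for u, accts in seen.items() if len(accts) >= threshold)

# Constructed access log: one session stepping through account numbers.
LOG = [
    "user=mallory account=1001 status=403",
    "user=mallory account=1002 status=403",
    "user=mallory account=1003 status=403",
    "user=alice account=1001 status=200",
]
```

Note that a hardened handler still logs the denied requests, which is what makes the enumeration visible in the second check.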