On (15/06/11 12:34), Drsolly wrote:
> Date: Wed, 15 Jun 2011 12:34:23 +0100 (BST)
> From: Drsolly <[email protected]>
> To: Robert Slade <[email protected]>
> Cc: [email protected]
> Subject: Re: [funsec] Citibank hacked by URL fuzzing?
>
> Here's how it works.
>
> Journo: "Are you a security expert?"
> Village idiot: "Yes"
>
> Thus, the village idiot is now a security expert.
>
> On Tue, 14 Jun 2011, Robert Slade wrote:
>
> > Apparently, the intruders who breached Citibank tried putting different
> > "account numbers into a string of text located in the browser's address
> > bar."
> >
> > http://nyti.ms/lNpNP3
> >
> > Boy, account numbers in the URL. Now who could have guessed that bad guys
> > would have tried messing with that? "The method is seemingly simple, but
> > the fact that the thieves knew to focus on this particular vulnerability
> > marks the Citigroup attack as especially ingenious, security experts said."

Could this be disinformation? Maybe the real vulnerability was even stupider, and corporate security decided to sacrifice a "security expert" to the inquiring mobs...
