For the past couple of days the big hack-of-the-month has been the Citigroup credit-card data disclosure. Reading today in the NY Times, I was struck by this description:
Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.
The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
Source: “Thieves Found Citigroup Site an Easy Entry”, NY Times, June 14, 2011
Read that methodology again. They had a program insert the account numbers into the browser address bar and retrieve account settings. This is not, to my mind, rocket science.
Let’s go look at some web addresses. Here’s one from Amazon:
Here is one from the National Weather Service:
And finally, here are several from the Roseberry Homestead:
http://www.roseberryhomestead.org/?p=224
http://www.roseberryhomestead.org/?p=2
http://www.roseberryhomestead.org/?p=523
Peruse the above links carefully. You should note something in common: the parameters being passed along to the websites. In each case, the website receives parameters from the user – the indicator being the “?” separator. For Amazon, it’s quite involved. The NWS is a bit easier to read, and for Roseberry, it’s a simple “p=” followed by a number.
Let’s “hack” Roseberry. Open a new browser window (Ctrl-N works). Now copy one of the Roseberry links and paste it into your new browser window – but change the number to 228. Thus your “hacked” link should read as this:
and then load this page. Compare its content to the page link you originally copied. Different content – it is a different page.
But why stop there? Let’s try “hacking” the National Weather Service. This one is a bit harder since you need to change one or more items in the URL; but it’s still readily doable. You do have to know a bit about how the NWS is organized, but it’s not like they hide this stuff.
Take the original URL above, copy and paste it into your browser, but then use the arrow keys or mouse, and replace the letters “PHI” with “MHX” – and then load the resulting page. Now go back and change “MHX” to “EAX” and “PNS” to “FLS”, and load the result. What you should get is the Flood Statement issued by the Kansas City weather office. What we’ve been changing is the issuing office value (PHI, MHX, RAH, EAX, OAX, etc) and the product type (PNS, FLS, AFD, etc).
Congratulations. You are now versed in the Citigroup hacking method, at least as described in most press accounts. Note how hard this was, and then go back and read that NY Times quote again.
This “vulnerability” is part of the original HTTP specification – it’s called the GET method. In the second part, I’ll, er, get into what methods are, why GET exists, and how valuable data could be better protected.
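To make the flaw concrete, here is an added example (not code from the original post, and nothing to do with Citi’s actual site): a toy account-lookup handler that does exactly what the article describes (trusts the account number in the GET string and never asks who owns it), beside a hardened version that checks ownership, plus a log check for the “repeated this exercise tens of thousands of times” pattern. The parameter name acct, the users, balances and the log format are all constructed for the example.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample data: account number -> (owner username, balance)
ACCOUNTS = {
    1001: ("alice", 2500.00),
    1002: ("bob", 130.75),
    1003: ("carol", 98000.00),
}

# Constructed access-log lines: "<session user> <request path>"
SAMPLE_LOG = [
    "alice /account?acct=1001",
    "mallory /account?acct=1001",
    "mallory /account?acct=1002",
    "mallory /account?acct=1003",
]

class Forbidden(Exception): """Session may not view the requested account."""

def _requested_account(path):
    """Pull the 'acct' GET parameter out of a request path as an int, or None."""
    values = parse_qs(urlparse(path).query).get("acct")
    return int(values[0]) if values and values[0].isdigit() else None

def vulnerable_lookup(path, session_user):
    """Vulnerable: trusts the number typed into the address bar and never asks
    whether it belongs to session_user, so any login can read any account."""
    acct = _requested_account(path)
    owner, balance = ACCOUNTS[acct]
    return {"acct": acct, "owner": owner, "balance": balance}

def hardened_lookup(path, session_user):
    """Hardened: same parameter, but the record is released only when its owner
    is the authenticated user. Unknown and foreign accounts get the same
    refusal, so the reply does not confirm which account numbers exist."""
    acct = _requested_account(path)
    record = ACCOUNTS.get(acct)
    if record is None or record[0] != session_user:
        raise Forbidden("account not available to this session")
    return {"acct": acct, "owner": record[0], "balance": record[1]}

def enumeration_suspects(log_lines, threshold=3):
    """Detection: sessions that requested at least `threshold` distinct account
    numbers. Walking through many accounts is the pattern the article describes."""
    seen = defaultdict(set)
    for line in log_lines:
        user, path = line.split()
        acct = _requested_account(path)
        if acct is not None:
            seen[user].add(acct)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```

Note that the hardened version still uses a guessable sequential number; the ownership check is what matters, and a non-guessable identifier on top of it simply removes the invitation to count.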
ps – all links quoted herein are working as of the time of authorship.