SC Magazine reports that a security consultant who tipped off First State Superannuation to a web vulnerability that could potentially put millions of customers at risk of exposure is now facing a legal demand to give the company access to his computer, and may be forced to pay the costs incurred to fix the flaw. A legal document sent from the fund administrator demanded that Patrick Webster, a customer of First State Superannuation and consultant at OSI Security, provide the company’s IT staff with access to his computer. The company acknowledged in the document that Webster reported the flaw privately and in good faith, but warned he may have contravened the New South Wales Computer Crimes Act by accessing another customer’s data.
Webster used his account to view his own account information. He noticed that the URL used to retrieve that information contained a numerical component. He changed a single digit by one, and was presented with another customer’s sensitive information. This is known as an insecure direct object reference (IDOR) vulnerability, and it is one of the simplest flaws to exploit: no special tools or real cunning are required, because the server trusts an identifier supplied by the client instead of checking that the logged-in user actually owns the record.
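To make the flaw concrete, here is an added example (not code from the original post or from First State Superannuation) of a minimal account-lookup handler with the insecure direct object reference described above, beside a hardened version that checks ownership server-side and logs every lookup, allowed or denied. The account ids, user names and balances are constructed sample values.

```python
# Added example (not from the original post): the account-lookup handler
# described above in vulnerable and hardened form. Account data, ids and
# user names are constructed sample values.
from dataclasses import dataclass, field

# Constructed sample store: account id -> owning user plus sensitive payload.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 52000.00, "tfn_last3": "123"},
    1002: {"owner": "bob",   "balance": 18750.50, "tfn_last3": "987"},
}

class Forbidden(Exception):
    """Raised when the logged-in user does not own the requested account."""

@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, user: str, account_id: int, allowed: bool) -> None:
        # Recording denied lookups as well as allowed ones is what lets an
        # operator later answer "which accounts did this user try to open?"
        self.entries.append({"user": user, "account_id": account_id, "allowed": allowed})

def get_account_vulnerable(session_user: str, account_id: int) -> dict:
    """Vulnerable: the id from the URL is trusted, so any authenticated user can read any account."""
    return ACCOUNTS[account_id]

def get_account_hardened(session_user: str, account_id: int, log: AccessLog) -> dict:
    """Hardened: the id is only a lookup key; ownership is checked against the session."""
    record = ACCOUNTS.get(account_id)
    allowed = record is not None and record["owner"] == session_user
    log.record(session_user, account_id, allowed)
    if not allowed:
        # Same response for "not yours" and "does not exist", so the id
        # space cannot be probed for which accounts exist.
        raise Forbidden(f"user {session_user!r} may not view account {account_id}")
    return record

def count_denied_lookups(log: AccessLog, user: str) -> int:
    """Detection helper: number of denied lookups a given user has made."""
    return sum(1 for e in log.entries if e["user"] == user and not e["allowed"])

if __name__ == "__main__":
    log = AccessLog()
    print(get_account_vulnerable("alice", 1002))      # bob's record: the IDOR
    print(get_account_hardened("alice", 1001, log))   # alice's own record
    try:
        get_account_hardened("alice", 1002, log)
    except Forbidden as e:
        print("denied:", e)
    print("denied lookups by alice:", count_denied_lookups(log, "alice"))
```

The hardened handler makes the ownership check and the audit record part of the same code path, so the question the company could not answer, how many accounts a given user viewed, becomes a query over the log.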
I’m not sure what kind of crack they are serving their web-development teams in NSW, but man, that candy must be good! How is it possible that in this day and age, sensitive information remains so unprotected at a financial institution? How could they not be aware? It appears that access to customer information through the web interface may not even be logged by this company, since they can’t tell how many accounts the guy accessed, or whether anyone else has done the same.
Just a reminder that no good deed goes unpunished.