The technique hackers used to break into Citigroup’s network last month was at once clever and simpler than security researchers expected, a report from the New York Times says.

According to the article, the attackers first logged into the site used by Citigroup’s credit card customers as ordinary, authenticated customers. Once inside, they noticed that the account number appeared in the page’s URL, and that substituting other account numbers into the browser’s address bar returned those customers’ records: the server trusted the account number in the request and never checked that it belonged to the logged-in user (a missing authorization check, commonly called an insecure direct object reference). A script then simply repeated the request thousands of times with different account numbers and gathered the bank’s customers’ sensitive data.
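The following is an added example, not code from the article, the New York Times report or Citigroup: a minimal model of the flaw described above. The vulnerable handler returns whatever account number the URL names; the hardened handler adds the server-side ownership check that was missing; the enumeration function models the script that walked through account numbers; and a small detector flags a session that requests an unusual number of distinct accounts. The request path `/account/view?acct=...`, the account data, the user names and the detector threshold are all constructed assumptions (the real URL format is not on the page).

```python
"""Added example (not from the article or from Citigroup): insecure direct
object reference on an account page, its fix, and a simple enumeration
detector. All accounts, users and request paths are constructed sample data."""

from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample data: account number -> record.
ACCOUNTS = {
    "1001": {"owner": "alice", "name": "Alice A.", "email": "alice@example.com"},
    "1002": {"owner": "bob",   "name": "Bob B.",   "email": "bob@example.com"},
    "1003": {"owner": "carol", "name": "Carol C.", "email": "carol@example.com"},
    "1004": {"owner": "dave",  "name": "Dave D.",  "email": "dave@example.com"},
}


def account_from_url(url):
    """Pull the account number out of a request URL such as
    /account/view?acct=1002 (hypothetical path; the real one is not on the page)."""
    query = parse_qs(urlparse(url).query)
    return query.get("acct", [None])[0]


def view_account_vulnerable(session_user, url):
    """The flawed handler: the session proves the caller is *a* customer, but
    the account number comes straight from the URL and is never compared with
    the session. Any logged-in customer can read any account."""
    acct = account_from_url(url)
    record = ACCOUNTS.get(acct)
    if record is None:
        return 404, None
    return 200, record


def view_account_hardened(session_user, url):
    """Same handler with the missing authorization check: the requested
    account must belong to the authenticated user. A foreign account gets
    404 rather than 403 so the response does not confirm the number exists
    (a design choice assumed here, not something the article prescribes)."""
    acct = account_from_url(url)
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        return 404, None
    return 200, record


def enumerate_accounts(handler, session_user, start, stop):
    """Model of the script the article describes: one legitimate login, then
    the same request repeated with successive account numbers. Returns the
    records that came back for accounts the caller does not own."""
    leaked = {}
    for n in range(start, stop):
        status, record = handler(session_user, f"/account/view?acct={n}")
        if status == 200 and record["owner"] != session_user:
            leaked[str(n)] = record
    return leaked


class EnumerationDetector:
    """Server-side detector: count distinct account numbers requested per
    session. A real customer touches a handful; an enumeration script touches
    thousands. The threshold is an assumed tuning value."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.seen = defaultdict(set)

    def observe(self, session_user, url):
        """Record one request; return True once the session exceeds the
        threshold of distinct account numbers."""
        acct = account_from_url(url)
        if acct is not None:
            self.seen[session_user].add(acct)
        return len(self.seen[session_user]) > self.threshold


if __name__ == "__main__":
    print("vulnerable leaks:", enumerate_accounts(view_account_vulnerable, "alice", 1000, 1010))
    print("hardened leaks:  ", enumerate_accounts(view_account_hardened, "alice", 1000, 1010))
    det = EnumerationDetector(threshold=5)
    flags = [det.observe("alice", f"/account/view?acct={n}") for n in range(1000, 1010)]
    print("first flagged request index:", flags.index(True))
```

Running it as "alice" against the vulnerable handler leaks the three other customers’ records; against the hardened handler it leaks nothing, and the detector flags the session on its sixth distinct account number. The fix is the ownership comparison, not hiding the number from the URL: an opaque or random account identifier only raises the cost of guessing, whereas the server-side check removes the class of bug.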

“It would have been hard to prepare for this type of vulnerability,” said one security researcher in an interview citing the sophisticated nature of the attack. The anonymous researcher went on to question just how an attacker could’ve known that targeting the browser would be so successful.

The attack, discovered during a scheduled check in May but not disclosed until last Thursday, harvested the names, e-mail addresses and account numbers of 200,000 Citigroup customers.

Read more on this from the New York Times.

Categories: Data Breaches

Comments (6)

  1. Rob
    1

    Why is this considered clever or sophisticated? It’s one of the first things you try. I don’t place it any higher than script kiddy level.

    Rule 1: Never Trust The Client.


  2. Rob
    2

    Why is this considered clever or sophisticated? It’s one of the first things you try. I don’t place it any higher than script kiddy level.

    Rule 1: Never Trust The Client.


  3. Anonymous
    3


    This is definitely NOT sophisticated. Nothing important like that should ever be in the URL. This is basic security knowledge any web app developer should know. In addition, this really shouldn’t be stored on the user side at all. Account access should be maintained on the server side. Talk about horrible web security.

  4. Anonymous
    4

    This has got to be the quote of the year

    “It would have been hard to prepare for this type of vulnerability,” said one security researcher in an interview citing the sophisticated nature of the attack. The anonymous researcher went on to question just how an attacker could’ve known that targeting the browser would be so successful.

    Another APT I guess

  5. Anonymous
    5

    I’ve been using this technique in competitions, I should have gone for the big guys, haha

  6. Anonymous
    6

    Apparently brute-forcing via URL POST method is sophisticated and clever… so stupid. Wake up, people, that’s script kiddy stuff.

Comments are closed.