German Survey Company Loses 41,000 Survey Records

mister_woods writes "It's not just governments that lose private data. Germany's Chaos Computer Club (CCC) reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants. By simply changing the customer ID number in the browser's address bar access could be gained to comprehensive survey results, including names, addresses, dates of birth, email addresses, phone numbers and much more sensitive data. A CCC spokesman described this as 'unprofessional, grossly negligent and above all deeply worrying' and sees this loss as a vindication for its calls for strict regulations for public and private sector data collectors."

Horrible article title. Loses --- Exposes

[Noodles]

German Survey Company _Exposes_ 41,000 Survey Records would convey the real meaning of the article.

That's nothing

[Anonymous Coward]

I used to work at a web design agency a few years back. They had a single shopping cart system that they "re-used" (read: copy & pasted then altered to suit the site in question) for dozens of e-commerce sites. After processing an order, it would display the customer's entire details, including credit card information and billing address. Yes, it was vulnerable to this exact flaw. Increment/decrement the order number, and you get to see somebody else's details.

That's not the worst bit. The worst bit is when they "fixed" it. They did so by changing it to a POST request instead of a GET request, meaning the ID number didn't show up in the address bar. It was still just as vulnerable, it's just not as "discoverable" to the clients as it was before.

Posted AC because the company is sue-happy about former employees.

Not the worst I've seen...

[Anonymous Coward]

We recently left our CC processor (a major company, processing more than 10 billion a year). Their online CC terminal had this exact flaw. You can store customer info (CC, address, name, etc) and get a "customer ID" for that customer. Well... no checks in their system to assure that the "customer" was yours, so you could increment, decrement away and grab CC numbers to your hearts content (more than 25 million CCs in the system). You could even pass a random "customer id" to the billing portion of the system and bill a random person's CC, no checks in that part either.

When we alerted them to this flaw, they cut off our service and disabled all of our accounts and threatened to sue us for "hacking" their system. To this day I don't believe it is fixed.

Heartland payment systems is the company...

How many more cases?

[JayTech]

Last year Global Test Market (www.globaltestmarket.com) had a similar exploit, which I found; I was able to access anyone's account information, including their password via their ID. I reported it to their IT department, it took them almost a month to fix. Everyone single one of their client's data on that site was exposed, and do you think the company notified the clients? Nope. It was as if they could care less. They never even gave me a pat on the back or anything. It's a wonder stuff like this doesn't happen more often, so many companies placing profits ahead of security.

Re:So easy to fix

[Anonymous Coward]

String sUserId = request.getParameter("user_id");
int userId = 0;
try {
                userId = checkInt(userId);
                if (userId < 0) throw exception;
} catch (Exception e) {
                exit();
}
User user = (User)session.getParameter("current_user");
if (user.getId() != userId) {
                exit();
}

The first line of your try block just runs a checkInt() on integer 0. Perhaps you mean to be checking sUserId rather than userId? Even once that issue is fixed, I don't see how your code snippet helps anything. For someone trying to help out with a security problem, you don't seem to be proving yourself to be very competent. :p