German Survey Company Loses 41,000 Survey Records

Posted by timothy
from the entschuldigen-bitte dept.
mister_woods writes "It's not just governments that lose private data. Germany's Chaos Computer Club (CCC) reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants. By simply changing the customer ID number in the browser's address bar, access could be gained to comprehensive survey results, including names, addresses, dates of birth, email addresses, phone numbers and much more sensitive data. A CCC spokesman described this as 'unprofessional, grossly negligent and above all deeply worrying' and sees this loss as a vindication of its calls for strict regulations for public and private sector data collectors."
  • How pathetic (Score:3, Insightful)

    by Darkness404 (1287218) on Sunday July 06, 2008 @10:26PM (#24079557)
    How pathetic that these are the very sites that they make you have some ultra-secure password for because there is so much personal information on it and may even boast that the servers are stored in some nuclear bunker and mirrored in every country but yet they can't even enforce decent security on the site itself.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I can get my f'ing medical records over the phone with 1/8th the information i need to even pay my f'ing cell phone bill.

    • by omeomi (675045) on Monday July 07, 2008 @12:05AM (#24080165) Homepage
      Well, I certainly won't be completing any more German surveys...
      • Re: (Score:3, Interesting)

        by Opportunist (166417)

        Wrong. You can still complete any surveys you want.

        Just fill in wrong info. There's only one thing worse than having no information for a data collector: Being unable to discriminate between good and bogus data. It poisons your whole data pool.

  • by inotocracy (762166) on Sunday July 06, 2008 @10:30PM (#24079587) Homepage
    When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note [attrition.org].
    • by Hal_Porter (817932) on Sunday July 06, 2008 @11:01PM (#24079781)

      What are you worried about? It's just bits. Information wants to be free. It's not like you own it or anything. Complaining about it being posted on the net will just lead to the Streisand Effect.

      Everyone knows that security through obscurity is a bad model. In the Web 2.0 world the only sustainable business model is to make your Social Security number public and sell support on people who want to use it. E.g. if some dude in Nigeria is trying to apply for a credit card in your name he might get asked about your postal address and secret codeword. You could make a few bucks if you gave him the information, more if you applied for the credit card for him yourself.

      And don't try to encrypt stuff. Studies show that 95% of Nigerian phishers want DRM free personal information.

    • by jlarocco (851450) on Sunday July 06, 2008 @11:42PM (#24080009) Homepage

      When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note.

      Having the government impose a fine is not the answer. The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up. If consumers can't be bothered with 5 minutes of research to avoid companies with poor privacy practices, there's absolutely no incentive for companies to spend the money to respect privacy. A fine just increases the cost of doing business - meaning you'll pay even more to have them lose your data.

      • A large fine might help a bit with their security practices and prevent some of these incidents. Sure, there will still be accidents like these, but they may be further apart and less severe. It's pretty common to read about some employee losing a laptop, or tape drives containing large amounts of private information.

        If they had stricter policies about data leaving the compound, or at least encrypting whatever media it's on, a lot of this stuff could be avoided. There is no reason for companies to take thi
        • by jlarocco (851450)

          There is no reason for companies to take this too seriously since they can just say "my bad" and it's business as usual again.

          You just don't get it, do you? It's your responsibility, as the "owner" of that information, to make sure it stays private. If a person willingly hands over their private data to a company with a history of data loss, how important can the data really be? You wouldn't give your car keys to a known car thief, so why will you give your private data (and money) to a company with a h

          • Re: (Score:1, Insightful)

            by Anonymous Coward

            You just don't get it, do you? It's your responsibility, as the "owner" of that information, to make sure it stays private. If a person willingly hands over their private data to a company with a history of data loss, how important can the data really be?

            It's you who 'doesn't get it'. Virtually all such companies appear to be equally careless with their customer information. And the 'full disclosure' of such data losses, which would be required if you were to have any chance of punishing the 'bad' companies

            • by jlarocco (851450)

              As a consequence of modern day life we are *forced* to do business with at least some of these companies and so they have no incentive to do better.

              Oh shut the fuck up. Nobody is forcing you to buy stuff. Like this survey company goes around, holding people at gunpoint, telling them to give out their private info and take a survey? Give me a fucking break.

              Can you provide even a single example where you simply *had* to buy some product or service from a company with poor data security.

              • by Nursie (632944)

                Yup, the government. You're forced to give them data and they keep losing it. Other than that I'd like to ask how it is that you can know in advance which company is going to lose your data?

                It's only your responsibility to keep your details secure if you have prior knowledge of what's going to happen to them. This is one reason why there should be legal protections.

                Another is that companies will often change their behaviour for the worse, especially in times of financial difficulty. There need to be legal p

              • by AlecC (512609)

                Most of the recent data losses in the UK have involved government data. One was for the agency paying support to poor families - they *need* that money and cannot go elsewhere. Another was the Army recruitment department: if you want to join the Army, there isn't another one you can choose because this one had poor data security.

                • by jlarocco (851450)

                  The government keeps screwing up and losing your data, and your solution is MORE government? Besides that, where do you think the government is going to get money to pay those fines?

            • by mpe (36238)
              It's you who 'doesn't get it'. Virtually all such companies appear to be equally careless with their customer information. And the 'full disclosure' of such data losses, which would be required if you were to have any chance of punishing the 'bad' companies does not exist.

              It may even lead to those companies who are best at hiding it to appear to be the best.

              As a consequence of modern day life we are *forced* to do business with at least some of these companies and so they have no incentive to do better.
          • You wouldn't give your car keys to a known car thief

            But you would give your car keys to the garage who's servicing the car. If they fail to secure the keys properly and someone steals your car then why shouldn't the garage be held responsible?

            • by jlarocco (851450)

              But you would give your car keys to the garage who's servicing the car. If they fail to secure the keys properly and someone steals your car then why shouldn't the garage be held responsible?

              Would you have even taken your car there in the first place if you knew they had a history of having cars stolen out of the garage?

              • Would you have even taken your car there in the first place if you knew they had a history of having cars stolen out of the garage?

                Most of the organisations who are losing data _don't_ have a history of losing data - there are just an awful lot of separate companies that have got crap security procedures which are being publicised for the first time.

                Short of performing a full security audit on any company you hand any data to (clearly not feasible), what can you do? I certainly don't have a crystal ball th

                • by jlarocco (851450)

                  Most of the organisations who are losing data _don't_ have a history of losing data - there are just an awful lot of separate companies that have got crap security procedures which are being publicised for the first time.

                  Do you know why? It's because companies that lose data are never punished. Of the hundreds of data loss stories you've seen, how many of the companies involved have ever gone out of business because of it? How many have ever lost a significant portion of their customers? Why would a c

                  • Do you know why? It's because companies that lose data are never punished.

                    You seem to be changing your argument - you originally argued that companies shouldn't be fined because it is the data owner's responsibility to make sure the organisations they give the data to have good security practices. My argument was that finding out how good an organisation's security is before an incident occurs isn't really feasible for most people. You now seem to have changed to being pro-punishment, and thus now support

                    • by jlarocco (851450)

                      You now seem to have changed to being pro-punishment, and thus now support my side of the debate - so which is it?

                      The argument I've been making all along is that consumers should punish the offending companies by driving them out of business. I'm specifically arguing against the government getting involved in these cases because it shouldn't be necessary, limits freedom, wastes tax dollars, and encourages people to be irresponsible with their own data.

                      If consumers do what's in their best interest and a

                    • Are you really this dense?

                      Is your argument really that insubstantial that you have to resort to hurling insults?

                      It's exactly the same idea if consumers drive the companies out of business for losing data, but without "big brother" looking out for everybody.

                      But that's just never going to happen - the majority of people are never going to consider the security of their data. Those of us who do care about security should not have to rely on everyone else to punish these organisations. The government's job is

                    • by jlarocco (851450)

                      Is your argument really that insubstantial that you have to resort to hurling insults?

                      Well, when I explain it half a dozen times, and you still don't seem to understand, I really have to wonder.

                      But that's just never going to happen - the majority of people are never going to consider the security of their data. Those of us who do care about security should not have to rely on everyone else to punish these organisations. The government's job is to protect people, or do you subscribe to the idea that we sh

                    • Is the government not supposed to represent the people anymore? If it's as you say, and people don't care about the privacy of their data, the government shouldn't care either.

                      As well as respecting the majority's wishes, the government is required to protect minority groups too... I guess the people who give a damn about their data security are a minority group.

                      Also, whilst the majority of people don't seem to give a damn about protecting their data themselves, they are going to give a damn when it is used

                    • by jlarocco (851450)

                      We're not talking about protecting people from themselves - we're talking about protecting people from organisations with poor security.

                      No... guess who *CHOOSES* to do business with organisations that have poor security? If you want a government babysitter, move to China. Everybody else here is happy with their freedom to do business with whomever they choose.

                      As I have repeatedly said before, very few of these companies have a *history* of data loss - there are just a lot of companies having a single i

          • by ultranova (717540)

            It's our responsibility as consumers to punish companies that lose ours and other people's data by no longer doing business with them. We don't need the government looking over everybody's shoulder making sure we're all being treated okay. Believe it or not, it's up to us to look out for ourselves sometimes!

            I don't know if you realize this, but in a democracy, the government is us. It is our servant, created for the specific purposes of dealing with antisocial behaviour and looking after us. It is perfect

            • by jlarocco (851450)

              I don't know if you realize this, but in a democracy, the government is us. It is our servant, created for the specific purposes of dealing with antisocial behaviour and looking after us. It is perfectly valid to delegate the task of dealing with companies and forcing them to behave to the government.

              You want the government to punish companies? But we are the government? So we are going to punish the companies? But we can't punish them by boycotting, driving them out of business and letting a responsib

      • Then again, a fine won't help much because the people responsible wouldn't pay it, they'd just move to another company after this one went bust.

        What's needed is a short stay in prison for the CEO responsible for overseeing the project.

        A couple of convictions would see every company in the country take their data offline until some real security consultants were consulted.

        • by AlecC (512609)

          That might be overkill - putting the CEO of a major bank in prison could cause a collapse leading to a depression. Putting the CEO of the government into prison would cause major political upheavals and would have massive knock-on effects, dependent upon the political system.

          • by drinkypoo (153816)

            That might be overkill - putting the CEO of a major bank in prison could cause a collapse leading to a depression.

            If the bank is that fragile it's doomed anyway. He could also get hit by a bus.

            Putting the CEO of the government into prison would cause major political upheavals and would have massive knock-on effects, dependent upon the political system.

            It's about the smartest thing we could do in the USA, but we'd have to put the whole fucking cabinet in there with him.

            • by AlecC (512609)

              That might be overkill - putting the CEO of a major bank in prison could cause a collapse leading to a depression.

              If the bank is that fragile it's doomed anyway. He could also get hit by a bus.

              Getting hit by a bus does not imply criminality. It is the implication that the organisation has had a crook at its head which does the harm, not the departure of any single individual. Bankers work very hard to look respectable, hence the marble foyers and double breasted suits (not both worn at the same time).

              Putting the CEO of the government into prison would cause major political upheavals and would have massive knock-on effects, dependent upon the political system.

              It's about the smartest thing we could do in the USA, but we'd have to put the whole fucking cabinet in there with him.

              Far be it from me to disagree..

      • by neumayr (819083)
        In this case, "driving them out of business" might be a little harder than you might imagine - they're a huge company with 14k employees in 70 countries, and their customers are governments, companies and press agencies.
        Those people whose data they lost are not their customers, and even if they were - 5 minutes/hours/days of research wouldn't have helped them, as this security leak was not published before and they don't have a history of (published) data loss.
      • by maguz (451672)

        Financial punishment imposed by government would be a good indication for the public as well that the particular company screwed up. The bigger the sum, the better headlines.

        Many areas of technology are strictly regulated. Are there any specific obstacles in information technology area for having such regulations?

      • Joe Sixpack would not recognize a privacy issue if it was dancing on a table, wearing a pink tutu and singing "Privacy issues are here again.". Most people would not even know where to start looking for companies' track records on data safety. Most people simply look at cost (and maybe direct value) of the products they want.

        A fine just increases the cost of doing business - meaning you'll pay even more to have them lose your data.

        Yes, it would lead to increased pricing, which would drive customers to other companies. Exactly what one wants.

      • by ubrgeek (679399)
        The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up.

        Let me know how that works out for you. Companies that provide/are supposed to protect medical history? Not likely to happen. The only way - and you can be sure that, regardless of the country in which this stuff happens this won't become required - to make a dent in this stuff is to mandate prison tim
      • by Tikkun (992269)

        Having the government impose a fine is not the answer. The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up.

        Just like how consumers don't buy gas from Exxon-Mobil anymore after they spilled lots of oil in Alaska.

      • If consumers can't be bothered with 5 minutes of research to avoid companies with poor privacy practices, there's absolutely no incentive for companies to spend the money to respect privacy.

        These are the same consumers who tolerate IE. When have lowered the barriers to entry such that the markets are broken. I don't know the answer, but the problem is obvious to anyone other than the layman.

      • The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up.

        A good number of the data leaks/thefts have happened at companies that rarely, if ever, deal with the people whose info they've lost (data resellers, information storehouses/providers, etc). How does someone who's had their information "misplaced" stop supporting a company they've never done business with in the first place?

        • by jlarocco (851450)

          Maybe by not doing business with companies that do business with them?

          • I hope you don't want a mortgage (or any other financial service), then. Or vote. Or have any account with just about any company.

            I wouldn't say it's impossible to not do business with companies that sell your information, but it's as close as you get in the real world. You also have to take into account all the public records that go into these databases. While public and not all-encompassing on their own, combined together they can paint a pretty good picture of who you are.

      • And how exactly am I supposed to find out about a company's poor privacy practices?

        My bank has twice now sent me notices in the mail about security breaches at some vendor with whom I have transacted. Unfortunately the bank does not tell me who the vendor is so I may avoid them in the future.

        It's really sad that the identity theft situation has gotten so out of control when there's an extremely simple fix. If an institution does not properly check someone's identity (by an in-person visit with govern

        • by jlarocco (851450)

          My bank has twice now sent me notices in the mail about security breaches at some vendor with whom I have transacted. Unfortunately the bank does not tell me who the vendor is so I may avoid them in the future.

          Well what do both of the companies have in common? They're both contractors for the bank that you're still using, despite their using contractors with shit privacy practices.

          I'm aware that it's a pain in the ass, but if individuals won't put in the effort to safeguard their own information, why s

    • by Rakishi (759894) on Sunday July 06, 2008 @11:48PM (#24080051)

      Well the amount of data leaks would suddenly drop since companies would suddenly overlook it when data goes missing. After all they thought it was an empty hard drive and they'd be just as confused as everyone else when it turned out differently. In other words they'd simply not report them because reporting them would automatically give them a fine. So consumers get screwed in the end because they don't even get alerted when their data is stolen.

      • by Sky Cry (872584)
        So make any unreported leaks fined by a considerably greater amount, once uncovered.
        • by OzoneLad (899155)

          So make any unreported leaks fined by a considerably greater amount, once uncovered.

          This will just turn into another exercise in cost/benefits analysis for them. If they figure they'll get caught one time out of twenty and that the fine for non-disclosure is ten times larger than the normal fine, they'll opt for being sneaky bastards every single time.

    • Apart from certain areas (possibly medical records) there aren't statutory fines, but companies can be held liable if through their negligence something bad actually happens. To reduce the chance of that happening, many spend money on pro-active measures immediately after a leak, which is in some ways a "fine", in that it costs them money, and so they rationally would like to avoid it happening. For example, after a former university of mine misplaced a bunch of records, they paid for two years of identity-

    • by Joker1980 (891225)
      It's been said before: $1 million fine per piece of personal data lost, and it would stop being collected by the end of the week.
  • Not "Lost" (Score:5, Insightful)

    by mrroot (543673) on Sunday July 06, 2008 @10:45PM (#24079661)

    it was possible for participants to read master data records and consumer profiles without bypassing even basic security measures. Access to the comprehensive survey results could be gained by simply changing the customer ID number in the browser's address bar.

    The data was not lost, they failed to secure it. There is a difference between the two, although it doesn't make it any less of a problem. But headlines like this are misleading.

    Furthermore the 41,000 number is misleading because there is no evidence supporting how many records were viewed using this method.

    • Re:Not "Lost" (Score:5, Interesting)

      by icepick72 (834363) on Sunday July 06, 2008 @11:39PM (#24079993)
      Furthermore the 41,000 number is misleading because there is no evidence supporting how many records were viewed using this method.

      Because companies who write code that badly also don't keep web logs.
    • Ok. So 41,000 could have been viewed, but only yours was.

      Feeling any better now?

    • by neumayr (819083)
      In the linked (german) article they explained how they got access to 41000 data sets.
      Of course, that's no evidence, but what are they supposed to do? Publish them?
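mrroot's point that nobody knows how many of the 41,000 records were actually viewed, and icepick72's that a shop writing code this bad probably keeps no logs, are both testable wherever an access log does exist. The following is an added example, not anything from CCC or TNS Infratest: the log lines are constructed, and the Apache/nginx "combined" log format and a GET parameter named customer_id are assumptions about the site. It pulls the requested IDs per client, flags clients that walked a run of consecutive IDs (misses count too, since asking for IDs that do not exist is itself the signature of a scan) and counts the distinct records actually served to them, which is the number that belongs in a breach notification:

```python
"""Estimating exposure and spotting ID enumeration from a web access log.

Added example. SAMPLE_LOG is constructed: one legitimate participant viewing
her own record twice, and one client walking IDs 1000-1008 with curl.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
203.0.113.5 - - [06/Jul/2008:21:03:11 +0200] "GET /survey/result?customer_id=1001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Jul/2008:21:03:40 +0200] "GET /survey/result?customer_id=1001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jul/2008:22:10:01 +0200] "GET /survey/result?customer_id=1000 HTTP/1.1" 404 312 "-" "curl/7.18.2"
198.51.100.7 - - [06/Jul/2008:22:10:02 +0200] "GET /survey/result?customer_id=1001 HTTP/1.1" 200 5120 "-" "curl/7.18.2"
198.51.100.7 - - [06/Jul/2008:22:10:03 +0200] "GET /survey/result?customer_id=1002 HTTP/1.1" 200 4988 "-" "curl/7.18.2"
198.51.100.7 - - [06/Jul/2008:22:10:04 +0200] "GET /survey/result?customer_id=1003 HTTP/1.1" 200 5301 "-" "curl/7.18.2"
198.51.100.7 - - [06/Jul/2008:22:10:05 +0200] "GET /survey/result?customer_id=1004 HTTP/1.1" 404 312 "-" "curl/7.18.2"
198.51.100.7 - - [06/Jul/2008:22:10:06 +0200] "GET /survey/result?customer_id=1005 HTTP/1.1" 200 5077 "-" "curl/7.18.2"
198.51.100.7 - - [06/Jul/2008:22:10:07 +0200] "GET /survey/result?customer_id=1006 HTTP/1.1" 200 5140 "-" "curl/7.18.2"
198.51.100.7 - - [06/Jul/2008:22:10:08 +0200] "GET /survey/result?customer_id=1007 HTTP/1.1" 200 4901 "-" "curl/7.18.2"
198.51.100.7 - - [06/Jul/2008:22:10:09 +0200] "GET /survey/result?customer_id=1008 HTTP/1.1" 200 5212 "-" "curl/7.18.2"
"""

# "combined" log format (assumed): ip ident user [ts] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ID_RE = re.compile(r"[?&]customer_id=(\d+)")  # assumed parameter name


def parse_log(text):
    """Yield (ip, customer_id, status) for every line that carries a record ID."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idm = ID_RE.search(m["path"])
        if idm:
            yield m["ip"], int(idm.group(1)), int(m["status"])


def requests_by_client(text):
    """ip -> {"requested": IDs asked for, "served": IDs answered with 200}."""
    out = defaultdict(lambda: {"requested": set(), "served": set()})
    for ip, cid, status in parse_log(text):
        out[ip]["requested"].add(cid)
        if status == 200:
            out[ip]["served"].add(cid)
    return out


def consecutive_fraction(ids):
    """Share of adjacent sorted IDs that differ by exactly 1 (0.0 for fewer than 2)."""
    s = sorted(ids)
    if len(s) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(s, s[1:]) if b - a == 1)
    return hits / (len(s) - 1)


def flag_enumeration(text, min_ids=5, min_consecutive=0.8):
    """Clients that walked a run of IDs, with how many distinct records they got.

    Status is deliberately not filtered when judging the walk: 404s for IDs
    that never existed are part of the scan, not noise.
    """
    flagged = {}
    for ip, sets in requests_by_client(text).items():
        req = sets["requested"]
        if len(req) >= min_ids and consecutive_fraction(req) >= min_consecutive:
            flagged[ip] = {"requested": len(req), "exposed": len(sets["served"])}
    return flagged


def records_exposed(text, **kw):
    """Distinct record IDs served to any flagged client: the number to disclose."""
    clients = requests_by_client(text)
    return set().union(*(clients[ip]["served"] for ip in flag_enumeration(text, **kw)))


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
    print(sorted(records_exposed(SAMPLE_LOG)))
```

Note that the POST "fix" described further down the thread also destroys this evidence: a standard access log records the query string but not the request body, so once the ID travels in a form post the application has to log it itself or there is nothing to count.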
  • by Noodles (39504) on Sunday July 06, 2008 @10:46PM (#24079677)

    German Survey Company _Exposes_ 41,000 Survey Records would convey the real meaning of the article.

    • Or simply:

      TNS Infratest/Emnid has lost control of 41,000 private data records.

      • Re: (Score:3, Funny)

        by Tablizer (95088)

        Or simply: TNS Infratest/Emnid has lost control of 41,000 private data records.

        Nah, "exposes" creates more vivid mental images.

        • OMG, data porn!

          41,000 records doing it just for you, they have no shame and show you anything. Sign up now!

          Given the behaviour of our governments, I'm sure some professional paranoiacs would get an instant boner.

    • by shri (17709)
      TNS is a worldwide company. I'd seriously hope that they don't use the same software everywhere in the world.
    • by bdraschk (664148)
      While /. headlines are often called inaccurate, this time it's not the fault of the contributor. Both versions (English and German) of the article at ccc.de claim the data was "lost".
      The article on heise.de referencing this does not mention any losses.
  • I've written several white papers [thinkcomputer.com] and op-eds [aarongreenspan.com] about how this problem has affected various companies and government entities. Sadly, it never seems to go away.

  • You know (Score:3, Funny)

    by Iamthecheese (1264298) on Sunday July 06, 2008 @10:53PM (#24079713)
    that the expensive webmaster you just hired is actually a drunken lemur in disguise when...
    • Re: (Score:3, Interesting)

      by Opportunist (166417)

      Expensive webmaster?

      I'd rather guess they signed up one of those very unemployed and very desperate people that took some distance learning course during the dot.com bubble in hopes of getting the big bucks, something they couldn't at the janitor or bricklayer position they had before.

      You'd be amazed how many people consider themselves a "systems administrator" today because they can click together a halfway decent network connection with the XP net wizard, but have not a hint of an idea what security is ab

  • Okay let's pull some CSI crap and go back in time. I can hear it now! "Naw, just code it in a GET, that's easier. Nobody will ever just type something" (except in German obviously :P)
  • That's nothing (Score:5, Informative)

    by Anonymous Coward on Sunday July 06, 2008 @11:12PM (#24079841)

    I used to work at a web design agency a few years back. They had a single shopping cart system that they "re-used" (read: copy & pasted then altered to suit the site in question) for dozens of e-commerce sites. After processing an order, it would display the customer's entire details, including credit card information and billing address. Yes, it was vulnerable to this exact flaw. Increment/decrement the order number, and you get to see somebody else's details.

    That's not the worst bit. The worst bit is when they "fixed" it. They did so by changing it to a POST request instead of a GET request, meaning the ID number didn't show up in the address bar. It was still just as vulnerable, it's just not as "discoverable" to the clients as it was before.

    Posted AC because the company is sue-happy about former employees.

    • It is established that an amazing (unknown)% of survey data is lost or released to unauthorized recipients. We'd tell you the percentage, but we lost the laptop with all records at the airport.

    • You could easily have posted it under your name. This is by far not the only company that has this problem, you could easily claim you were talking about a completely different company and ... hey, why do YOU sue, don't tell me YOU had that problem too! :)

  • by nathan.fulton (1160807) on Sunday July 06, 2008 @11:22PM (#24079887) Journal
    I'm not going to get into a debate over consumer and business responsibilities, but it seems to me that at a certain point, you just have to be constantly vigilant and aware if you want your data to be secure. This is a perfect example -- you don't have to take surveys. What's the benefit?
    • by fuzzyfuzzyfungus (1223518) on Sunday July 06, 2008 @11:33PM (#24079955) Journal
      Easy enough in this particular case, surveys are largely optional. Absolutely useless in the general case, though. I don't get to opt out of government data collection and storage, opting out of data collection and storage by utilities and financial institutions is possible but for most people only in a theoretical sense.

      This is a rather weak special case, I agree; but it points to no general form ability to control disclosure of your data to a variety of entities. Thus, the only effective measures to prevent data leaks have to involve the storage end(and, ideally, lots and lots of punishment). Perhaps an online "pictures, names, home addresses, phone numbers, emails, social security numbers, and CVs of people responsible for private data breaches" gallery would be in order?
  • Wasn't Germany the country considering, or moving toward, some sort of draconian ban on hacking tools? If so, let's tell them that the URL modification trick only works in IE. Seriously, though, these constant data breaches are getting pathetic. Are we going to have to start shooting suits to get them to shape up?
    • Not just considering. They actually did it. Something their paranoid wheelchair didn't consider is that the internet doesn't care about borders, though, so it doesn't apply to me, and I can still provide security services for Germany.

      But I think the URL line in browsers is soon to be outlawed.

  • by Anonymous Coward on Sunday July 06, 2008 @11:30PM (#24079939)

    We recently left our CC processor (a major company, processing more than 10 billion a year). Their online CC terminal had this exact flaw. You can store customer info (CC, address, name, etc) and get a "customer ID" for that customer. Well... no checks in their system to assure that the "customer" was yours, so you could increment, decrement away and grab CC numbers to your heart's content (more than 25 million CCs in the system). You could even pass a random "customer id" to the billing portion of the system and bill a random person's CC, no checks in that part either.

    When we alerted them to this flaw, they cut off our service and disabled all of our accounts and threatened to sue us for "hacking" their system. To this day I don't believe it is fixed.

    Heartland payment systems is the company...
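The flaw in the story summary, in the AC's copy-and-pasted shopping cart and in the processor described just above is the same one: the server takes a record ID from the client and never checks that the caller is allowed to see (or bill) that record, an insecure direct object reference. The following is an added example and not code from TNS Infratest, the web agency or any processor; the record layout, the customer_id parameter name and the session model are assumptions. It shows the vulnerable lookup, why moving the request from GET to POST changes nothing, and the ownership check that actually closes the hole:

```python
"""Insecure direct object reference (IDOR) in a survey-results lookup.

Added example. Record shapes, the customer_id parameter and the session
model are assumptions; the three records below are constructed test data.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    session_user: str                            # who the server authenticated
    query: dict = field(default_factory=dict)    # GET parameters
    form: dict = field(default_factory=dict)     # POST body parameters


# Constructed records keyed by a sequential customer ID; sequential IDs are
# what make the address-bar walk trivial.
RECORDS = {
    1001: {"owner": "alice", "name": "Alice A.", "dob": "1970-01-01"},
    1002: {"owner": "bob",   "name": "Bob B.",   "dob": "1981-02-02"},
    1003: {"owner": "carol", "name": "Carol C.", "dob": "1992-03-03"},
}


def _requested_id(req):
    """Read customer_id from the query string or the form body.

    Whether the ID arrives by GET or POST changes only where it is typed,
    not who can send it, so a POST-only "fix" leaves the flaw intact.
    """
    raw = req.query.get("customer_id", req.form.get("customer_id"))
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def vulnerable_profile(req):
    """Vulnerable: returns whatever record the client asked for."""
    return RECORDS.get(_requested_id(req))


def hardened_profile(req):
    """Fixed: the same lookup, plus a check that the caller owns the record."""
    rec = RECORDS.get(_requested_id(req))
    if rec is None or rec["owner"] != req.session_user:
        return None  # "not found" rather than "forbidden": don't confirm the ID exists
    return rec


def enumerate_records(handler, user, start, stop, method="GET"):
    """Walk an ID range with one ordinary session; return other people's records."""
    leaked = {}
    for cid in range(start, stop + 1):
        params = {"customer_id": str(cid)}
        req = Request(user, query=params) if method == "GET" else Request(user, form=params)
        rec = handler(req)
        if rec is not None and rec["owner"] != user:
            leaked[cid] = rec["name"]
    return leaked


if __name__ == "__main__":
    print("vulnerable, GET: ", enumerate_records(vulnerable_profile, "alice", 1000, 1010))
    print("vulnerable, POST:", enumerate_records(vulnerable_profile, "alice", 1000, 1010, "POST"))
    print("hardened:        ", enumerate_records(hardened_profile, "alice", 1000, 1010))
```

Random, unguessable IDs would make the walk in enumerate_records impractical, but that is defence in depth only: the ownership check is the fix, and it belongs on the billing endpoint every bit as much as on the profile page.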

  • by lancejjj (924211) on Sunday July 06, 2008 @11:33PM (#24079953) Homepage

    "It's not just governments that lose private data.

    Golly, I just assumed that government agencies, such as "TJX", "HSBC", and "Radio Shack" lose data.

    Really, does the writer really think that Slashdot readers don't read Slashdot? TJX and HSBC certainly aren't part of any government, yet there have been numerous reports about the loss of a ridiculous number of records.

    As for Radio Shack - I'm pretty sure that the government is propping them up. Then again, the government seems to be propping up banks too. OK, I stand corrected. Never mind.

    • by Frosty Piss (770223) on Sunday July 06, 2008 @11:59PM (#24080135)

      As for Radio Shack - I'm pretty sure that the government is propping them up...

      CIA front. Didn't you know that's where all the terrorists buy their bomb parts? Why do you think they insist on such detailed contact info for a $1.50 purchase?

      • by drinkypoo (153816)
        I suppose they get the other parts at Kragen, they always want my phone number. (I just tell them I'll keep my fucking receipt, unless it's on a lifetime part on a car I plan to keep, then sometimes I knuckle under and give it to them. They print that shit on thermal paper, the whole thing can turn black and then where is your warranty?)
      • Like anything at Radio Shack costs 1.50. A simple cable always seems to run me like 7.50
    • Blind government bashing is so rampant around here that it doesn't even need to be true to get props from a lot of readers.
      • Blind government bashing is so rampant around here that it doesn't even need to be true to get props from a lot of readers.

        That's the government's fault.

      • Well, that works the other way 'round too. Blind government bashing is likely to strike a target simply by there being so many that you're bound to hit one.

  • by JayTech (935793) on Monday July 07, 2008 @12:47AM (#24080357)
    Last year Global Test Market (www.globaltestmarket.com) had a similar exploit, which I found; I was able to access anyone's account information, including their password, via their ID. I reported it to their IT department; it took them almost a month to fix. Every single one of their clients' data on that site was exposed, and do you think the company notified the clients? Nope. It was as if they could care less. They never even gave me a pat on the back or anything. It's a wonder stuff like this doesn't happen more often, so many companies placing profits ahead of security.
    • Re: (Score:3, Interesting)

      by cerberusss (660701)

      Here's a nice test case: google for "customer login" and use the following password:

              ' or 1=1 and password='

      I tried and within the first 50 hits I got in.

    • by neumayr (819083)
      Why didn't you publish this?
      Of course after giving them time to fix it, but a deadline gets things done faster.
      Also, their customers might have liked to know their information should be assumed to have been compromised.
  • Here, let me help you with a little pseudocode:

    String sUserId = request.getParameter("user_id");
    int userId = 0;
    try {
            userId = checkInt(userId);
            if (userId < 0) throw exception;
    } catch (Exception e) {
            exit();
    }
    User user = (User)session.getParameter("current_user");
    if (user.getId() != userId) {
            exit();
    }

    • Re: (Score:1, Informative)

      by Anonymous Coward

      String sUserId = request.getParameter("user_id");
      int userId = 0;
      try {
      userId = checkInt(userId);
      if (userId < 0) throw exception;
      } catch (Exception e) {
      exit();
      }
      User user = (User)session.getParameter("current_user");
      if (user.getId() != userId) {
      exit();
      }

      The first line of your try block just runs a checkInt() on integer 0. Perhaps you mean to be checking sUserId rather than userId? Even once that issue is fixed, I don't see how your code snippet helps anything. For someone trying to help out with a security problem, you don't seem to be proving yourself to be very competent. :p

      • by Heembo (916647)

        userId = checkInt(userId);

        should be

        userId = checkInt(sUserId);

        This code checks that the userId from the request matches the current authenticated user in session. Thanks for your asshole comment. Have a nice day.

    • by Tweenk (1274968)

      WTF? They should just use the session parameter to fetch the data, instead of putting this as a parameter. I can see a reason for this only if they use the same page to display info for admins who can view everyone. I have the impression that people are unwilling to trust the session mechanism, while I have built a site which uses it heavily and this allows me to simplify the code a good bit. I suppose the default session mechanism doesn't scale as well as putting everything in the request, but then you can

      • by Heembo (916647)

        Good point, I do agree with you that the userId should be taken out of the request and just pulled from session in many cases.

        However, the userId might need to be implemented from the request as I have described in case you want to support administrative features where a superuser can access any account. That is why code of this nature is so common.

        • by Shados (741919)

          Super users being able to access any account can still be done through session or other server side mechanism :) The product we worked on at my previous job worked like that, and it went quite well too :)

          • by Heembo (916647)

            In order for a superuser to view or take over a specific user account, that superuser will need to select a user to view via some kind of request parameter.

        • by ultranova (717540)

          However, the userId might need to be implemented from the request as I have described in case you want to support administrative features where a superuser can access any account.

          Except that he can't, in your example, because a mismatch between the userId parameter and the user associated with the session causes the whole server to exit. Holy Denial of Service, Batman :)! Perhaps you meant "if (!user.isSuperUser() && !user.user.isId(userId))" ? Or perhaps even "if (!user.canAccessId(userID))" ? The

          • by Heembo (916647)

            > causes the whole server to exit.

            Dude, I was writing pseudo-code. Stop being an asshole. The point I was making is that the code to solve an issue of this nature is trivial; I was not trying to make it perfect, hence the term pseudo-code.

            However, I agree with you 100% that the administrative utility should be separated from the normal user account, and therefore the standard user page would only need to grab the userid from the session. Your point is well taken.

            Also be wary of RBAC calls like user.isSuperUse

            • by ultranova (717540)

              Dude, I was writing pseudo-code. Stop being an asshole. The point I was making is that the code to solve an issue of this nature is trivial; I was not trying to make it perfect, hence the term pseudo-code.

              If pointing out your errors insults you, that is unfortunate; but it doesn't make me or anyone else an asshole.

              And pseudo-code doesn't mean code that has logical errors, it means a step-by-step presentation of an algorithm that's easily turned into actual code. And your "pseudo-code" bears an uncanny rese

              • by Heembo (916647)

                Your smarmy little comments were not necessary. My original code stating that the userId from the request needed to be a positive integer that matched the current user in session illustrated that this is a simple problem to solve.
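The check the thread above converges on (identity from the session, `user_id` treated as an untrusted request parameter, an explicit `canAccessId`-style rule for the superuser case, and a refused request rather than `exit()`), as an added Python example that is not from any poster here; the `User` class, `handle_view`, the admin rule and the `denied` audit list are hypothetical:

```python
# Added example, not from the thread: an authorization check for the
# "change the customer ID in the address bar" flaw. All names are hypothetical.
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    """Identity as held server-side in the session, never read from the request."""
    id: int
    is_admin: bool = False


# Constructed audit trail of refused requests: a burst of these from one
# session walking consecutive IDs is what this kind of probing looks like.
denied: list = []


def parse_user_id(raw: Optional[str]) -> Optional[int]:
    """Validate the request parameter as a positive decimal integer.

    Returns None instead of raising, so malformed input becomes a 400
    response rather than a crash (the exit()-on-mismatch problem above).
    """
    if raw is None or re.fullmatch(r"[0-9]{1,18}", raw) is None:
        return None  # rejects '', '-1', '7abc', ' 42', non-ASCII digits
    value = int(raw)
    return value if value > 0 else None


def can_access(actor: User, target_id: int) -> bool:
    """Server-side rule: a user may read only their own record; admins may read any."""
    return actor.is_admin or actor.id == target_id


def handle_view(session_user: Optional[User],
                raw_user_id: Optional[str]) -> Tuple[int, str]:
    """Decide the response for GET /survey?user_id=<raw_user_id>."""
    if session_user is None:
        return 401, "login required"
    target_id = parse_user_id(raw_user_id)
    if target_id is None:
        return 400, "bad user_id"
    if not can_access(session_user, target_id):
        denied.append((session_user.id, target_id))  # refuse this request only
        return 403, "forbidden"
    return 200, f"record {target_id}"


if __name__ == "__main__":
    alice, admin = User(7), User(1, is_admin=True)
    print(handle_view(alice, "7"), handle_view(alice, "8"), handle_view(admin, "8"))
    # (200, 'record 7') (403, 'forbidden') (200, 'record 8')
```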

  • To find other sites that make the same beginners' error. Looks like mainly spammers selling blue pills.

    Link [google.com]
