FirstPageResults
Was just reading this article in The Age regarding the security breach of 770,000 First State Super accounts:
Webster said the issue began when he logged in to his online account with First State Super late last month to check his statement. He noticed that the URL contained the unique ID number for each account and by tweaking the number in the URL, he was able to easily access other people's statements.
...
To demonstrate the flaw to First State's IT staff, he wrote a script that cycled through each ID number and pulled down the relevant report to his computer. He confirmed that the vulnerability affected the firm's full customer database.
Read more: http://www.theage.com.au/it-pro/sec...-ripped-off-20111018-1lvx1.html#ixzz1b7JS5Kke
Having developed online superannuation web apps I'm amazed at just how negligent they have been here. Removing IDs from URLs is Web Security 101.
I'm not sure what's worse - the mistake, or the clear lack of penetration testing done on a system that holds sensitive information for $30 billion plus in funds under management.
To make matters worse, they reported this clearly white hat "hacking" to the authorities! Talk about a PR disaster!
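The flaw the article describes is an insecure direct object reference: a sequential account ID in the URL is trusted as-is, so editing the number returns someone else's statement. The following is an added illustration, not code from the post, from First State Super or from The Age article, and every name, balance, token and log line in it is constructed. It shows the trusting lookup beside the server-side ownership check that closes the hole, the opaque per-account token that "removing IDs from URLs" amounts to in practice, and a small detector for the ID-cycling pattern the reporter's script produced in an access log.

```python
"""Added example (not from the post or the article): an IDOR lookup of the
kind described, the hardened ownership check, opaque URL tokens, and a
detector for sequential-ID enumeration. All data is constructed."""
import re
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a session asks for an account it does not own."""


@dataclass
class Statement:
    account_id: int
    owner: str
    balance: float


# Constructed sample database with sequential account IDs, as in the article.
STATEMENTS = {
    1001: Statement(1001, "alice", 52000.0),
    1002: Statement(1002, "bob", 87000.0),
    1003: Statement(1003, "carol", 12000.0),
}


def get_statement_vulnerable(session_user: str, account_id: int) -> Statement:
    """The flaw as described: the ID from the URL is used directly, so any
    logged-in user can read any account simply by changing the number."""
    return STATEMENTS[account_id]


def get_statement_hardened(session_user: str, account_id: int) -> Statement:
    """Object-level authorization: return the record only if the authenticated
    session owns it. The ID is still guessable, but guessing discloses nothing."""
    stmt = STATEMENTS.get(account_id)
    if stmt is None or stmt.owner != session_user:
        # Same response for "missing" and "not yours", so the URL cannot be
        # used to confirm which account numbers exist.
        raise Forbidden("not found")
    return stmt


# Opaque tokens: the URL carries a random token, and the token-to-account
# mapping stays server-side. The ownership check is still applied.
TOKEN_TO_ACCOUNT: dict = {}


def issue_token(account_id: int) -> str:
    """Mint an unguessable URL token for an account (constructed helper)."""
    token = secrets.token_urlsafe(16)
    TOKEN_TO_ACCOUNT[token] = account_id
    return token


def get_statement_by_token(session_user: str, token: str) -> Statement:
    account_id = TOKEN_TO_ACCOUNT.get(token)
    if account_id is None:
        raise Forbidden("not found")
    return get_statement_hardened(session_user, account_id)


# Detection side: the reporter's script cycled through every ID in order.
# Constructed access-log lines in the form "<user> GET <path> <status>".
SAMPLE_LOG = """\
alice GET /statement?id=1001 200
alice GET /statement?id=1002 200
alice GET /statement?id=1003 200
alice GET /statement?id=1004 200
bob GET /statement?id=1002 200
"""

LOG_RE = re.compile(r"(\S+) GET /statement\?id=(\d+) (\d+)")


def find_enumeration(log_text: str, min_run: int = 3) -> dict:
    """Return {user: longest run} for users that requested at least `min_run`
    consecutive account IDs in ascending order, a cheap enumeration signal."""
    requests: dict = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        requests.setdefault(m.group(1), []).append(int(m.group(2)))
    flagged = {}
    for user, ids in requests.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    print(get_statement_vulnerable("alice", 1002))  # bob's statement leaks
    print(find_enumeration(SAMPLE_LOG))             # {'alice': 4}
```

The ownership check is the essential fix; opaque tokens only reduce guessability and are no substitute for it. The detector is deliberately simple (one user walking consecutive IDs) and would in practice be paired with a rate limit on statement requests per session.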