An article on SecurityFocus.com explains how someone found a hole in O'Reilly's online user-account management. Basically, when you went to change your profile, you would get a URL like www.oreillynet.com/cs/user/edit/u/12345, where '12345' is your account ID. If you changed it to '12346', you could then edit another user's profile: the site trusted the account ID in the URL instead of checking it against the account you were actually signed in as. Apparently, this was fixed on Monday. I didn't try this, since I don't have an account there; I only read the site.
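To make the bug concrete, here is an added example (my own code, not O'Reilly's; the handler names, the session store and the two sample accounts are assumptions) showing a profile-edit handler that trusts the ID in the URL next to one that authorizes the request against the signed-in session. Only the second one stops a user who rewrites /u/12345 to /u/12346.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample data (not real O'Reilly accounts): two users, each with a
# logged-in session. The session store maps a session token to the owner's ID.
USERS: Dict[int, Dict[str, str]] = {
    12345: {"name": "alice", "email": "alice@example.org"},
    12346: {"name": "bob", "email": "bob@example.org"},
}
SESSIONS: Dict[str, int] = {"sess-alice": 12345, "sess-bob": 12346}

# Same URL shape as the one in the post: the account ID is the last path element.
EDIT_PATH = re.compile(r"^/cs/user/edit/u/(\d+)$")


def fresh_users() -> Dict[int, Dict[str, str]]:
    """Return a copy of the sample accounts so each scenario starts clean."""
    return {uid: dict(profile) for uid, profile in USERS.items()}


def user_id_from_path(path: str) -> Optional[int]:
    """Parse the account ID out of the edit URL, or None if the path does not match."""
    m = EDIT_PATH.match(path)
    return int(m.group(1)) if m else None


def edit_profile_vulnerable(users, session_id: str, path: str,
                            new_email: str) -> Tuple[int, str]:
    """Insecure: checks that *someone* is signed in, then edits whatever ID the URL names.

    Any authenticated user can change any other user's profile by editing the URL.
    """
    if session_id not in SESSIONS:
        return 401, "not signed in"
    uid = user_id_from_path(path)
    if uid is None or uid not in users:
        return 404, "no such profile"
    users[uid]["email"] = new_email          # no check that uid belongs to the caller
    return 200, "updated"


def edit_profile_fixed(users, session_id: str, path: str,
                       new_email: str) -> Tuple[int, str]:
    """Hardened: the ID in the URL must equal the account the session belongs to."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        return 401, "not signed in"
    uid = user_id_from_path(path)
    if uid is None or uid not in users:
        return 404, "no such profile"
    if uid != owner:
        # Authorization failure: the caller is asking to edit someone else's profile.
        return 403, "forbidden"
    users[uid]["email"] = new_email
    return 200, "updated"


def demo() -> Dict[str, Tuple[int, str]]:
    """Run the attack from the post against both handlers and report the outcomes."""
    attack_path = "/cs/user/edit/u/12346"       # alice rewrites her own ID to bob's
    vulnerable = edit_profile_vulnerable(fresh_users(), "sess-alice", attack_path, "x@evil.example")
    fixed = edit_profile_fixed(fresh_users(), "sess-alice", attack_path, "x@evil.example")
    return {"vulnerable": vulnerable, "fixed": fixed}


if __name__ == "__main__":
    print(demo())   # vulnerable handler returns 200, fixed handler returns 403
```

A cleaner fix than comparing the two IDs is to drop the ID from the edit URL altogether (something like /cs/user/edit) and derive the account purely from the session, so there is nothing for a user to tamper with in the first place; the comparison above is the minimal change that keeps the existing URL layout.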
I'm surprised no one found this before (or at least reported it), since I know one of the first things I do whenever I get any type of online account is see if I can hack into it. This isn't so I can see if I can get at data from other users, but to see how secure my own data is. It is sort of ironic that the #1 tech book publisher had such an obvious issue and didn't seem to find it themselves.
On a side note, the roof of my mouth is burnt from eating hot pizza.
Posted by Kevin at May 28, 2002 06:44 PM