The Web Hacking Incidents Database
Last update: 17 February 2008
List of Incidents for a Classification
Please note that classifications are a new feature and not all entries in WHID are already classified, so when you get a certain number of entries for a classification, WHID might have more records matching that classification that we did not classify yet. We hope to complete the classification process soon.
List of incidents for which Attack Method is Unintentional Information Disclosure
10 incidents listed
Reported: 07 November 2007
Occurred: 17 September 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: UK
- Outcome: Leakage of Information
- Vertical: Security & Law Enforcement
An Excel spreadsheet was published on containing sensitive information regarding police officers in York, England. The information included Social Security numbers of 46 officers and the home addresses of 74 officers. As a result, the identities of 3 officers were stolen.
While the information was pulled offline after a short period of time, it remained in the cache of several major search engines.
Reported: 11 October 2007
Occurred: 02 October 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.
Reported: 25 July 2007
Occurred: 23 July 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Media
Fox News left non-public files in a directory accessible to everyone on their web server.
Reported: 12 June 2007
Occurred: 30 May 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Internet
Google left some files at the wrong place at the wrong time. These files include, surprisingly, database connection strings, including a user name and a password. Hardly news, but this time it is Google.
Reported: 12 June 2007
Occurred: 03 June 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Security & Law Enforcement
A spreadsheet left on the web site of the US office of national intelligence includes secret information on the total budget of US intelligence. Interestingly, not all the required information appears in the document, but combined with other pieces of information made available previously, the total number can be calculated.
This is a very interesting example of the sensitivity of partial data or small pieces of information, and not just the big secrets.
Reported: 09 May 2007
Occurred: 08 May 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
A report within the help desk system used to track the status of open service calls created a file that was accessible to everyone. A hacker abused the problem to get information regarding 22,000 current and former students.
Reported: 23 April 2007
Occurred: 23 April 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Government
Details about 63,000 loans granted to farmers by the USDA (the US Department of Agriculture) were posted online by mistake.
Reported: 29 March 2007
Occurred: 02 March 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Health
Personal information about 2,000 patients was mistakenly published on the hospital's web site. The leakage was discovered only when a patient found her information when "Googling" herself.
The information included personal data such as Social Security numbers, birth dates, addresses, phone numbers, insurance numbers and, in some cases, the reason for the visit.
Reported: 27 March 2007
Occurred: 10 March 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
A student at a community college in Sacramento who was "Googling" himself last month found his name, among 2000 others, in a file accidentally left online by school staff and picked up by Google's crawler.
Reported: 26 March 2007
Occurred: 10 March 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused.
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.