Web Application Security Consortium - Web hacking Incidents Database (WHID)

Reported: 11 July 2005
Occurred: 21 September 2002

Classifications:

Attack Method: Insufficient Authorization
Attack Method: Predictable Resource Location

References:

Advogato xss virus account
Blog Entry, Bindshell, 21 September 2002

WHID 2002-3: Reuters accused of hacking

Reported:
Occurred: 29 November 2002

Classifications:

Attack Method: Unknown

A company put its earnings report on site before its official release, but did not linked to it. Reuters found the document and published it.

References:

Reuters accused of hacking
News Story, Cnet, 29 November 2002

WHID 2002-4: Tower Records settles charges over hack attacks

Reported:
Occurred: 05 December 2002

Classifications:

Attack Method: Credential/Session Prediction

View other customers orders by changing a guessable number within a URL parameter

References:

Tower Records settles charges over hack attacks
News Story, Security Focus, 21 April 2004
Tower Records site exposes data
News Story, CNet, 05 December 2002

WHID 2002-1: Flawed authentication at BN.com exposes personal information

Reported:
Occurred: 09 July 2002

Classifications:

Attack Method: Credential/Session Prediction
Outcome: Disclosure Only

Opening an account with a discontinued e-mail address exposes all the information of the discontinues account

References:

BN.com: The Hole Story
News Story, Wired, 19 July 2002
BarnesAndNoble.com Security Flaw
Technical Information, Personal Web Page, 09 July 2002
Barnes & Noble.com Fined for Customer Data Leak
News Story, Datamation, 30 April 2004

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.