Web Application Security Consortium - Web hacking Incidents Database (WHID)

Reported: 04 April 2006
Occurred: 06 March 2003

Classifications:

Attack Method: Brute Force

While an old incident, further research into it suggest that it was a web hack. While the initial reports talk about a database break in, a report in the Register identify the database as txClass, which is a web based system. 55,200 social security numbers where stolen, though the hacker claimed that he did not perform the act for profit. He was caught and sentenced to 5 years probation.

References:

Data Theft Incident Response
Victim's report, UofT, 07 September 2005
Student owns up to Texas Uni cyber-heist
News Story, The Register, 18 March 2003
UT Austin hack yields personal info on thousands
News Story, Computer World, 06 March 2003
Hackers steal names, Social Security numbers from University of Texas database
News Story, Security Focus, 06 March 2006

WHID 2003-6: Mississippi man blackmails Best Buy

Reported: 26 February 2006
Occurred: 01 October 2003

Classifications:

Attack Method: Unknown

A person convicted of blackmailing Best Buy. He threatened to expose a breach in the company's web site if not paid $2.5 million.

References:

Mississippi man denies Best Buy blackmail
News Story, ZDnet, 07 January 2004
Police blotter: Best Buy 'hacker' loses in court
News Story, Zdnet, 02 December 2005
Appeals Court's Opinion
Court File, , 22 November 2005

WHID 2003-9: Defenses lacking at social network sites

Reported:
Occurred: 31 December 2003

Classifications:

Attack Method: SQL Injection
Attack Method: Cross Site Scripting (XSS)

References:

Defenses lacking at social network sites
News Story, Security Focus, 31 December 2003

WHID 2003-1: FTD.com hole leaks personal information

Reported:
Occurred: 13 February 2003

Classifications:

Attack Method: Credential/Session Prediction
Outcome: Disclosure Only

View other customers information by modifying a cookie

References:

FTD.com hole leaks personal information
News Story, CNet, 13 February 2003

WHID 2003-3: User passwords could be stolid in Microsoft's Passport service

Reported:
Occurred: 08 May 2003

Classifications:

Attack Method: Weak Password Recovery Validation
Outcome: Disclosure Only

References:

Microsoft faces huge fine over security
News Story, Zdnet, 09 May 2003
Microsoft Patches .NET Passport Hole
News Story, AnyNetwork, 08 May 2003

WHID 2003-4: SQL injection on Guess site triggers an FTC inquiry

Reported:
Occurred: 18 June 2003

Classifications:

Attack Method: SQL Injection
Outcome: Disclosure Only

References:

Guess Settles FTC Security Charges
Official Government Report, FTC Web Site, 18 June 2003

WHID 2003-5: Car shoppers' credit details exposed in bulk

Reported:
Occurred: 25 September 2003

Classifications:

Attack Method: Predictable Resource Location
Outcome: Leakage of Information

User submitted information was being stored in a publicly available location. The URL found in the source code of a publicly available web page.

References:

Car shoppers' credit details exposed in bulk
News Story, Security Focus, 25 September 2003

WHID 2003-7: Victoria's Secret reveals far too much

Reported:
Occurred: 24 October 2003

Classifications:

Attack Method: Insufficient Authorization
Outcome: Disclosure Only

View other customers orders by changing a sequential number within a URL parameter

References:

Victoria's Secret Reveals Too Much
, CBS News, 22 October 2003
Victoria's Secret reveals far too much
News Story, iAfrica, 24 October 2003

WHID 2003-8: SQL Injection in PetCo.com leads to FTC investigation

Reported:
Occurred: 05 December 2003

Classifications:

Attack Method: SQL Injection
Outcome: Disclosure Only

References:

Petco settles charge it left customer data exposed
News Story, Infoeworld, 17 November 2004
Petco settles with FTC over cyber security gaffe
News Story, Security Focus, 17 November 2004
FTC investigates PetCo.com security hole
News Story, Security Focus, 05 December 2003

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.