Date:
11 June 2007
Incident Type: Security Breach
WASC Threat Classification: Abuse of Functionality, Insufficient Anti-automation, Insufficient Session Expiration
The CNBC stock trading reality TV show was even more real than contenders thought it would be. It seems that players learned to cheat the game by opening a browser form to by a stock before closing and issuing the transaction, at the set price, only after closing, when more information is already available.
The interesting anecdote is that the person who discovered the issue has used a different, but also questionable technique of maintaining a very large number of portfolios automatically managed by automated programs using the fact that the game allowed a user to have any number of portfolios but only the best one is counted. Kosher, but stinks.
This story remind an older story about a predictable delay in a poker game that enabled gamblers to beat the house.
References:
Date:
17 January 2006
Incident Type: Security Breach
WASC Threat Classification: Insufficient Anti-automation
A hoster was broken into by brute forcing passwords in a management interface. Sites of many clients, including three municipalities where defaced.
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
