The Web Hacking Incidents Database
Last update: 07 November 2007
List of incidents of class Insufficient Authentication
There are 15 incidents of class Insufficient Authentication
Date: 13 June 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication
If you live in a country whose citizens need a visa to enter the United States, you knew this would happen. The US online visa appointment system is very open, indeed too open: it lets anyone book slots without proving who they are. Someone in Jamaica took advantage of this to pre-allocate appointments.
While this might be classified as a business process design flaw, isn't security also about this?
References:
Date: 10 March 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication, Misconfiguration
A student at a community college in Sacramento who was "Googling" himself last month found disconcerting information when he typed his name into the popular Internet search engine.
References:
Date: 10 March 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication, Misconfiguration
Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused.
References:
Date: 31 March 2006
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication
A security hole in Sydney internet provider Astratel's LiveBilling online account management system has seriously compromised its customers' privacy. The service redirected users to a different server and passed the user's identity along in a hidden form field, which the second server trusted without re-authenticating the user.
References:
Date: 24 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Credential/Session Prediction, Insufficient Authentication
Janus mutual fund used a predictable identifier to authenticate its shareholders, enabling anyone who could guess an identifier to vote on behalf of others.
References:
Date: 21 October 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authentication
The software ships with a default password for teachers, enabling anyone who knows it to access the system with teacher privileges.
References:
Date: 18 August 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication
References:
Date: 12 August 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Credential/Session Prediction, Insufficient Authentication
A web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle.
References:
Date: 30 July 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Credential/Session Prediction, Insufficient Authentication
While not strictly web security, this discussion of the security of hotel-room TV applications is a very good example of the dangers of our networked society.
References:
Date: 05 May 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authentication
Extranet system accessible to the public
References:
Date: 22 February 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication, OS Commanding, Weak Password Recovery Validation
Details remain sketchy, but news reports mention social engineering, a guessable secret question for password recovery, and a known vulnerability in BEA WebLogic.
References:
Date: 01 February 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Directory Indexing, Information Leakage, Insufficient Authentication
Multiple misconfiguration problems, such as browsable directories, disclosure of physical paths, and default or weak passwords.
References:
Date: 01 November 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authentication, Predictable Resource Location
Following a software upgrade, Cahoot, a UK-based Internet-only bank, allowed access to user accounts by guessing their user names. At least one page allowed access to an account by specifying nothing more than the user name in the URL. The bug was open for 12 days before being discovered.
The site was taken off line for 10 hours to fix the issue. It is a significant incident, as it is one of those rare occasions where a vulnerability was serious enough to force the organization to take the site off line until it was fixed.
We somehow missed this story, so it finds its way into WHID only now, in late 2007.
References:
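The Cahoot and Astratel entries above, like the Janus and airtime-balance entries earlier on this page, share one pattern: the identity of the account being served is taken from something the client sends (a user name in the URL, a hidden form field, a predictable identifier) rather than from a server-side authenticated session. The following is an added example written for this page, not code from WHID or from any of the companies named. It contrasts a handler that trusts the request with one that binds the request to a session, and replaces the "hidden field on redirect" hand-off with a signed, expiring, single-use token. The user names, balances, passwords and the shared key are constructed for the demo and are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data for the example; not taken from any WHID entry.
CREDENTIALS = {"alice": "alice-pw", "bob": "bob-pw"}
ACCOUNTS = {"alice": {"balance": 120.50}, "bob": {"balance": 9.99}}

# Server-side session store: opaque session id -> authenticated user name.
SESSIONS = {}


def login(user, password):
    """Toy password check (assumption: a plaintext credential store, demo only).
    Returns an unguessable session id, or None when the password is wrong."""
    if not hmac.compare_digest(CREDENTIALS.get(user, ""), password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def vulnerable_account_view(query, cookies):
    """The Cahoot/Astratel pattern: the account to show is read from the
    request (URL parameter or hidden field) and never checked against a
    session, so anyone who can guess a user name reads that account."""
    user = query.get("user")
    if user not in ACCOUNTS:
        return 404, None
    return 200, ACCOUNTS[user]


def hardened_account_view(query, cookies):
    """Identity comes only from the server-side session. A 'user' parameter
    in the request is tolerated only when it names the session's owner."""
    user = SESSIONS.get(cookies.get("sid"))
    if user is None:
        return 401, None
    if query.get("user", user) != user:
        return 403, None
    return 200, ACCOUNTS[user]


# Key shared by the two servers that take part in the redirect (assumption).
HANDOFF_KEY = secrets.token_bytes(32)
USED_NONCES = set()


def issue_handoff(sid, ttl=60, now=None):
    """First server: build a short-lived, single-use, HMAC-signed token that
    carries the session's user to the second server instead of a bare hidden
    field. Returns None if the caller has no valid session."""
    user = SESSIONS.get(sid)
    if user is None:
        return None
    now = time.time() if now is None else now
    payload = {"user": user, "exp": int(now) + ttl, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    tag = hmac.new(HANDOFF_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def redeem_handoff(token, now=None):
    """Second server: check signature, expiry and single use before trusting
    the user name inside the token. Returns the user, or None on any failure."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(HANDOFF_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if payload["exp"] < now or payload["nonce"] in USED_NONCES:
        return None
    USED_NONCES.add(payload["nonce"])
    return payload["user"]
```

With this in place, a request carrying someone else's user name gets 401 without a session and 403 with one, and a hand-off token that is replayed, expired or tampered with is rejected by the second server rather than silently trusted.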
Date: 14 June 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authentication, Insufficient Authorization
A billing information system required only a phone number and zip code to pull up account details.
References:
Date: 06 September 2000
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Information Leakage, Insufficient Authentication
Error message revealed a database file location, which could be downloaded.
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.