Web Application Security Consortium - Web hacking Incidents Database (WHID)

Date: 05 December 2002
Incident Type: Security Breach
WASC Threat Classification: Credential/Session Prediction

View other customers orders by changing a guessable number within a URL parameter

References:

Tower Records settles charges over hack attacks [Security Focus]

Tower Records site exposes data [CNet]

WHID 2002-3: Reuters accused of hacking

Date: 29 November 2002
Incident Type: Security Breach
WASC Threat Classification: Unknown

A company put its earnings report on site before its official release, but did not linked to it. Reuters found the document and published it.

References:

Reuters accused of hacking [Cnet]

WHID 2002-2: Advogato XSS virus account

Date: 21 September 2002
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization, Predictable Resource Location

References:

Advogato xss virus account [Bindshell]

WHID 2002-1: Flawed authentication at BN.com exposes personal information

Date: 09 July 2002
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Credential/Session Prediction

Opening an account with a discontinued e-mail address exposes all the information of the discontinues account

References:

BN.com: The Hole Story [Wired]

BarnesAndNoble.com Security Flaw [Personal Web Page]

Barnes & Noble.com Fined for Customer Data Leak [Datamation]

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.