Web Application Security Consortium - Web hacking Incidents Database (WHID)

Date: 31 December 2003
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting, SQL Injection

References:

Defenses lacking at social network sites [Security Focus]

WHID 2003-8: SQL Injection in PetCo.com leads to FTC investigation

Date: 05 December 2003
Incident Type: Vulnerability Disclosure
WASC Threat Classification: SQL Injection

References:

Petco settles charge it left customer data exposed [Infoeworld]

Petco settles with FTC over cyber security gaffe [Security Focus]

FTC investigates PetCo.com security hole [Security Focus]

WHID 2003-7: Victoria's Secret reveals far too much

Date: 24 October 2003
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

View other customers orders by changing a sequential number within a URL parameter

References:

Victoria's Secret Reveals Too Much [CBS News]

Victoria's Secret reveals far too much [iAfrica]

WHID 2003-6: Mississippi man blackmails Best Buy

Date: 01 October 2003
Incident Type: Security Breach
WASC Threat Classification: Unknown

A person convicted of blackmailing Best Buy. He threatened to expose a breach in the company's web site if not paid $2.5 million.

References:

Mississippi man denies Best Buy blackmail [ZDnet]

Police blotter: Best Buy 'hacker' loses in court [Zdnet]

Appeals Court's Opinion []

WHID 2003-5: Car shoppers' credit details exposed in bulk

Date: 25 September 2003
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Information Leakage, Predictable Resource Location

User submitted information was being stored in a publicly available location. The URL found in the source code of a publicly available web page.

References:

Car shoppers' credit details exposed in bulk [Security Focus]

WHID 2003-4: SQL injection on Guess site triggers an FTC inquiry

Date: 18 June 2003
Incident Type: Vulnerability Disclosure
WASC Threat Classification: SQL Injection

References:

Guess Settles FTC Security Charges [FTC Web Site]

WHID 2003-3: User passwords could be stolid in Microsoft's Passport service

Date: 08 May 2003
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Weak Password Recovery Validation

References:

Microsoft faces huge fine over security [Zdnet]

Microsoft Patches .NET Passport Hole [AnyNetwork]

WHID 2003-2: UT Austin hack yields personal info on thousands

Date: 06 March 2003
Incident Type: Security Breach
WASC Threat Classification: Brute Force

While an old incident, further research into it suggest that it was a web hack. While the initial reports talk about a database break in, a report in the Register identify the database as txClass, which is a web based system. 55,200 social security numbers where stolen, though the hacker claimed that he did not perform the act for profit. He was caught and sentenced to 5 years probation.

References:

Data Theft Incident Response [UofT]

Student owns up to Texas Uni cyber-heist [The Register]

UT Austin hack yields personal info on thousands [Computer World]

Hackers steal names, Social Security numbers from University of Texas database [Security Focus]

WHID 2003-1: FTD.com hole leaks personal information

Date: 13 February 2003
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Credential/Session Prediction

View other customers information by modifying a cookie

References:

FTD.com hole leaks personal information [CNet]

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.