Citigroup – URL hacked? Seriously?

Apparently the hackers who stole all kinds of personal information from Citigroup’s website did so by URL hacking.

This is just unconscionable.  Even before you get to cyber-security 101, SOMEONE should have figured out that putting the account number in plain text in the URL was a terrible idea.

I don’t care who you are, the first thing you need to know about dealing with a website is that your server cannot trust a user’s input.  This can be for any number of, even very innocent, reasons – but primarily as a way to ward against potential problems.  It just sickens me that their website had what amounts to zero security.  URL hacking isn’t even really hacking at all, it’s just a matter of tweaking URL address inputs.  It’s essentially the equivalent of dialing a company’s phone number and changing the extension by one digit just to see if you can escape phone-tree-voice-mail-hell. 1 2

I mean, would you, as a bank, put deposit or balance information into the URL?  NO.  Otherwise in 5 seconds everyone would alter their links to include “&currentbalance=100000000000”. 3  Why, then, would you ever include plain text bank account numbers in the URL and not actually verify that information on the server side?!  I mean, this is the kind of security you get with WordPress for free just by installing it.
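To make the server-side point concrete, here is an added example (my own illustration, not code from the post and not anything from Citigroup’s site): a toy account handler written the way the post describes, where the account number in the URL is taken at face value, next to the hardened version that checks the account belongs to the logged-in session user and ignores everything else in the query string. The account numbers, user names and the bank.example host are all constructed for the example; the session user is assumed to have been authenticated already. A small defender-side check at the end counts how many denied cross-account lookups each user racks up, which is the log signal you would want when someone starts tweaking digits.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Constructed sample data: a toy account store keyed by account number.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.00},
    "1002": {"owner": "bob", "balance": 9800.50},
}


@dataclass
class Request:
    user: str  # authenticated user from the session cookie (assumed already verified)
    url: str   # full URL the client requested


def query_param(url, name):
    """Return the first value of a query-string parameter, or None."""
    values = parse_qs(urlparse(url).query).get(name)
    return values[0] if values else None


def vulnerable_account_view(req):
    """The pattern the post describes: whatever account number appears in the
    URL is treated as authoritative, so changing the digits returns another
    customer's balance."""
    acct = query_param(req.url, "account")
    record = ACCOUNTS.get(acct)
    if record is None:
        return 404, None
    return 200, {"account": acct, "balance": record["balance"]}


def hardened_account_view(req):
    """Server-side check: the requested account must belong to the session
    user. Client-supplied fields such as a 'currentbalance' parameter are
    never read; the balance always comes from the server's own records."""
    acct = query_param(req.url, "account")
    record = ACCOUNTS.get(acct)
    # Same status for "does not exist" and "not yours", so the response cannot
    # be used to work out which account numbers are real.
    if record is None or record["owner"] != req.user:
        return 404, None
    return 200, {"account": acct, "balance": record["balance"]}


def flag_enumeration(requests, threshold=3):
    """Defender-side check over a batch of requests: count denied lookups per
    user and return the users at or above the threshold. Legitimate customers
    rarely request accounts they do not own; a run of denials is the signature
    of someone walking the number space."""
    denials = {}
    for req in requests:
        status, _ = hardened_account_view(req)
        if status == 404:
            denials[req.user] = denials.get(req.user, 0) + 1
    return sorted(user for user, count in denials.items() if count >= threshold)


if __name__ == "__main__":
    probe = Request("alice", "https://bank.example/acct?account=1002")
    print("vulnerable:", vulnerable_account_view(probe))  # leaks bob's balance
    print("hardened:  ", hardened_account_view(probe))    # (404, None)
    sweep = [Request("mallory", f"https://bank.example/acct?account={n}")
             for n in ("1001", "1002", "1003")]
    print("flagged:   ", flag_enumeration(sweep))         # ['mallory']
```

The hardened handler does two separate things: the ownership check on `owner`, and the decision to read the balance only from `ACCOUNTS` rather than from the request, which is why “&currentbalance=pony” has no effect on it.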

The Citigroup website is very Web2.0, rounded corners, social-media and blogging links.  It looks great.  Did they just have their web designer handle security?  How the hell did this happen?!

Okay, Sony, Facebook, Twitter – these things get hacked because of lame or re-used passwords.  Those guys got hacked because their attackers were smart.  Citigroup got hacked because they are too stupid to handle a basic website, let alone someone’s money.

  1. Or purgatory?
  2. Definitely purgatory
  3. Or, better yet, “&currentbalance=pony”

One Response to “Citigroup – URL hacked? Seriously?”

  1. […] am floored, and in fact don’t believe it. No one does. This simply cannot be true. If it were, it is easier and much more dangerous than Dropbox’s […]