Monday, September 26, 2011

The Accidental Hack

Today I came across an issue that, after several laps around the block, turned out to have a very simple explanation. Perhaps another instance of Occam's razor.

A little background information is needed. When a member uses their insurance and a claim is submitted, a process picks this up and sends out an email with a link to view this information. The URL is member agnostic and simply carries the date of the claim, for instance www.example.com/foo?date=1/1/2010. When the user navigates to the URL, they are prompted to log in. Upon successful login, any claims for the date in the URL are listed.

So, we get a help desk ticket stating that a member, Martha Smith, got such an email. When she clicked the link in the email, she logged in as msmith and saw claim information for John Smith. This looked like an obvious security and privacy issue, so the hunt began. We store email information in two locations. We looked up John Smith's and Martha Smith's information, and the email settings all checked out. It was noted that msmith is John's username, not Martha's.

After talking to a few people, the real story became clear. You see, John's email address was mary@domain.com. So msmith doesn't stand for Martha Smith, but Mary Smith. It would seem that Martha forgot her username and guessed msmith. After a few tries, the account was locked. She went through the process of unlocking the account and successfully guessed the security question. This enabled her to reset the password and log in. When she finally logged in, she saw John's claim information, not because of any technical issue, but simply because she had logged in as him.

This whole story reminds me of this essay.
