A flaw in the URL scheme used by Citigroup to direct customers to their accounts was used by cybercriminals to bypass the bank’s sophisticated security technologies.
Hackers logged onto a site reserved for credit card customers then inserted various account numbers into a string of text located in the browser’s address bar, according to a report in the New York Times, which cited anonymous sources close to the investigation. The cybercriminals repeated their actions, capturing the names, account numbers, email addresses and transaction histories of more than 200,000 Citigroup customers.
At a function in New York City last week, a Citigroup IT security executive declined to comment to SearchSecurity.com about the Citigroup attack until the investigation was complete.
The breach illustrates how a simple website weakness could cause a major breach no matter what security technologies are in place. Citigroup discovered the thieves when a routine check in May turned up an anomaly, according to the report. The bank took immediate action, issuing fraud alerts and stepping up its account monitoring.
The vulnerability is a classic business logic flaw called insufficient authorization: the application verifies that a user is logged in but not that the record they request belongs to them. It appears in about 15% of all websites scanned by application security firm WhiteHat Security, and is likely present in more than 20% of websites worldwide, said Jeremiah Grossman, a Web security researcher and founder and chief technology officer of WhiteHat. Grossman said the vulnerability can’t be found by a vulnerability scanner, which makes it difficult for enterprises to find and repair.
“This isn’t anything an automated tool can find so it has to be part of the manual testing process,” Grossman said.
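The flaw described above, as an added illustration that is not code from the article or from Citigroup: a minimal account-lookup handler in two versions. The vulnerable version checks only that a session exists and trusts the account number taken from the URL; the fixed version also checks that the account belongs to the authenticated user. The account data, usernames and the `acct` parameter name are constructed for the example, and nothing here reflects the bank's real URL scheme.

```python
"""Insufficient authorization in an account-lookup endpoint: vulnerable vs. fixed."""
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    owner: str          # username of the customer the account belongs to
    balance_cents: int


# Constructed sample data; these are not real accounts or customers.
ACCOUNTS = {
    "1001": Account("1001", "alice", 250_00),
    "1002": Account("1002", "bob", 1_300_00),
}


class Forbidden(Exception):
    """Raised when the request must be refused (HTTP 403 in a real handler)."""


def view_account_vulnerable(session_user: str, account_number: str) -> Account:
    """Authenticates the caller but never authorizes the object.

    Any logged-in user can read any account simply by changing the
    identifier in the URL, which is the pattern behind the breach.
    """
    if not session_user:
        raise Forbidden("login required")
    return ACCOUNTS[account_number]


def view_account_fixed(session_user: str, account_number: str) -> Account:
    """Authenticates the caller and checks ownership of the requested object."""
    if not session_user:
        raise Forbidden("login required")
    acct = ACCOUNTS.get(account_number)
    # Authorization: the record must belong to the authenticated user.
    # Use one error for "does not exist" and "not yours" so that walking
    # the identifier space does not reveal which numbers are valid.
    if acct is None or acct.owner != session_user:
        raise Forbidden("account not accessible")
    return acct


if __name__ == "__main__":
    # alice is logged in and asks for bob's account.
    print(view_account_vulnerable("alice", "1002").owner)   # bob: data leaks
    try:
        view_account_fixed("alice", "1002")
    except Forbidden as exc:
        print("fixed handler refused:", exc)
```

The essential point is that the ownership check is keyed on the server-side session identity, not on anything the client supplies; the account number in the URL is treated as untrusted input that merely names which of the caller's own records to show.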
Citigroup likely detected the attack through its own analytics engine. A person monitoring analytics tools would see distinct spikes of anomalous user activity; a single user sending 200,000 server requests should generate an alert, Grossman said. Further inspection of the logs would show that a person was conducting an attack by tweaking the URL.
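The log review Grossman describes, as an added example that is not part of the article and not Citigroup's tooling: a small detector that reads web-server access log lines, extracts the account identifier from the query string, and flags any user or source address that requests an unusually large number of distinct accounts, especially when the identifiers are consecutive. The log format, the `acct` parameter, the usernames, IP addresses and threshold are all constructed assumptions for this example.

```python
"""Flag account enumeration in access logs: many distinct account ids per user/IP."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed combined-log style lines; users, IPs and account numbers are made up.
SAMPLE_LOG = [
    '203.0.113.5 - alice [13/Jun/2011:10:00:01 +0000] "GET /account?acct=1001 HTTP/1.1" 200',
    '203.0.113.5 - alice [13/Jun/2011:10:00:09 +0000] "GET /account?acct=1001 HTTP/1.1" 200',
    '198.51.100.7 - mallory [13/Jun/2011:10:01:00 +0000] "GET /account?acct=1001 HTTP/1.1" 200',
    '198.51.100.7 - mallory [13/Jun/2011:10:01:01 +0000] "GET /account?acct=1002 HTTP/1.1" 200',
    '198.51.100.7 - mallory [13/Jun/2011:10:01:02 +0000] "GET /account?acct=1003 HTTP/1.1" 200',
    '198.51.100.7 - mallory [13/Jun/2011:10:01:03 +0000] "GET /account?acct=1004 HTTP/1.1" 200',
    '198.51.100.7 - mallory [13/Jun/2011:10:01:04 +0000] "GET /account?acct=1005 HTTP/1.1" 200',
    '198.51.100.7 - mallory [13/Jun/2011:10:01:05 +0000] "GET /account?acct=1006 HTTP/1.1" 200',
    '198.51.100.7 - mallory [13/Jun/2011:10:01:10 +0000] "GET /logout HTTP/1.1" 302',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, user, ts, method, path, status and acct, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["path"]).query)
    rec["acct"] = query.get("acct", [None])[0]   # assumed parameter name
    return rec


def find_enumeration(lines, max_accounts_per_user=3):
    """Group requests by (user, ip) and flag principals touching many accounts.

    A legitimate customer looks at a handful of their own accounts; a
    principal walking the identifier space touches many, often in order.
    """
    seen = defaultdict(set)
    requests = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["acct"] is None:
            continue
        key = (rec["user"], rec["ip"])
        seen[key].add(rec["acct"])
        requests[key] += 1

    alerts = []
    for (user, ip), accts in seen.items():
        if len(accts) <= max_accounts_per_user:
            continue
        ids = sorted(int(a) for a in accts if a.isdigit())
        # Consecutive identifiers are the signature of URL tweaking.
        sequential = len(ids) >= 3 and all(b - a == 1 for a, b in zip(ids, ids[1:]))
        alerts.append({
            "user": user,
            "ip": ip,
            "distinct_accounts": len(accts),
            "requests": requests[(user, ip)],
            "sequential": sequential,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

In a real deployment the threshold would be tuned to the population (most customers hold only a few accounts), the grouping key would include a time window, and the same logic can be applied to any endpoint that takes a record identifier, not just `/account`.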
The attacker wouldn’t necessarily need to steal account credentials to initially gain access. Instead, they could use phony information to sign up for an account and begin carrying out an attack once logged in.
While business logic flaws are common, cross-site scripting (XSS) flaws and SQL injection errors continue to be the most prominent vulnerabilities discovered in WhiteHat’s analysis. Those flaws give less sophisticated attackers an avenue into a network because automated tools can find them. Correcting the coding errors can be a lot of work, Grossman said. XSS flaws can be the easiest to find and fix, but SQL injection flaws can be voluminous and take a lot of time to repair.