Cahoot's Internet banking application allows customers to view each other's account info with only a username

Incident Date: November 4 2004
Incident Location: UK

UK Internet banking firm Cahoot (www.cahoots.com) shut down their online banking application for 10 hours on November 4, 2004 to correct a serious security vulnerability. The flaw would allow an already authenticated user to view the account details of one of the other 650,000 customer accounts without knowledge of their password. Cahootís security problem was brought to the publicís attention when it was demonstrated to the BBC by David Eade, a computer programmer unaffiliated with the bank.

While customers could view the account balance and transaction history of other people, they were apparently unable to transfer money without the account password. An attacker would also have to guess the username of the account they wished to view, a feat that Mr. Eade reported was relatively easy. They would then modify a URL parameter to specify the username of that personís account and their browser would display the account details.

Around October 24 2004, Cahoot implemented a software update, which is apparently to blame for the opening the hole. They were forced to shut down the application altogether two weeks later to correct the vulnerability once it became visible. Prior to the upgrade, Cahoot had hired a security consulting firm to test the security of their Web application. The vulnerability was reportedly not found at that time, confirming claims that the software upgrade was responsible.

At the time of the breach, Cahootís online security statement stated that "we employ appropriate technical security measures to protect your personal information and ensure that it is not accessed by unauthorized persons." The companyís exposure of account information may have been in violation of the UK Data Protection Act.


Story Sources

Title: Cahoot glitch highlights online safety issues
Author:
Date: 11/5/2004
Publication: VNUNet.com
Publication Location: UK
Publication URL: http://www.vnunet.com/news/1159208

Title: Cahoot bank accounts in security scare
Author: Will Sturgeon
Date: 11/5/2004
Publication: Silicon.com
Publication Location: UK
Publication URL: http://news.zdnet.co.uk/internet/security/0,39020375,39172762,00.htm


Do you have additional information to contribute regarding this story? If so, please email siteupdates@passwordresearch.com with the details and source.

<-- Back to Authentication Story Index





[Home] [About Us] [News] [Research]

Copyright © 2016 PasswordResearch.com