I've found a common security flaw in websites... That gives away juicy personal info, billing addresses.....

I've found a common security flaw in websites... That gives away juicy personal info, billing addresses..... and other usefull contact information.. Using this, a scammer could VERY easily phone a site's customers, pretending to be from that site, and ask to confirm credit card details, or anything they need to 'double check' that could be used for ID theft etc. (Who would argue if you buy from a site, and then they phone you within 5 minutes, even I probably would fall for that) the thing is, they all have the simplest flaw with them ... here's an example, identifying marks stripped for now: I log in an go to change my contact details, it takes me to a form, populated with my existing details, which I can change and submit, https://www.FOO.com/account/edit_profile.asp?s=1&pid=29436 so far so good. however.... if I change the PID value +1 or -1 .... I get someone elses personal details pre-populating the form. Quickest ID theft EVER :) I've found 3 sites withoout even looking for them (sites I had a real reason to use and happened to notice the 'CUST=' or 'PID=' in the URL)... how many more must there be out there? Has anyone else noticed this pattern, it seems to be pretty common; I bet I could find 5 more sites that suffer from it in under an hour.... (wait one, I'll check :D ) http://sla.ckers.org/forum/read.php?15,16764,16764#msg-16764 Thu, 23 May 2013 03:48:54 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?15,16764,24771#msg-24771 Re: I've found a common security flaw in websites... That gives away juicy personal info, billing addresses..... http://sla.ckers.org/forum/read.php?15,16764,24771#msg-24771 tribalmp Privacy Tue, 30 Sep 2008 15:02:18 -0500 http://sla.ckers.org/forum/read.php?15,16764,16911#msg-16911 Re: I've found a common security flaw in websites... That gives away juicy personal info, billing addresses..... http://sla.ckers.org/forum/read.php?15,16764,16911#msg-16911 CrYpTiC_MauleR Privacy Sat, 20 Oct 2007 17:36:12 -0500 http://sla.ckers.org/forum/read.php?15,16764,16882#msg-16882 Re: I've found a common security flaw in websites... That gives away juicy personal info, billing addresses..... http://sla.ckers.org/forum/read.php?15,16764,16882#msg-16882
At least in England that's very illegal... time to get a list together for the ICO and get them to bust some heads :)]]> Jeffuk Privacy Fri, 19 Oct 2007 02:13:31 -0500 http://sla.ckers.org/forum/read.php?15,16764,16864#msg-16864 Re: I've found a common security flaw in websites... That gives away juicy personal info, billing addresses..... http://sla.ckers.org/forum/read.php?15,16764,16864#msg-16864 w0ts0n Privacy Thu, 18 Oct 2007 05:11:03 -0500 http://sla.ckers.org/forum/read.php?15,16764,16811#msg-16811 Re: I've found a common security flaw in websites... That gives away juicy personal info, billing addresses..... http://sla.ckers.org/forum/read.php?15,16764,16811#msg-16811
hxxp://www.google.com/search?q=inurl:"aspx?cust=]]> Anonymous User Privacy Tue, 16 Oct 2007 20:10:01 -0500 http://sla.ckers.org/forum/read.php?15,16764,16810#msg-16810 Re: I've found a common security flaw in websites... That gives away juicy personal info, billing addresses..... http://sla.ckers.org/forum/read.php?15,16764,16810#msg-16810 CrYpTiC_MauleR Privacy Tue, 16 Oct 2007 19:35:48 -0500 http://sla.ckers.org/forum/read.php?15,16764,16799#msg-16799 Re: I've found a common security flaw in websites... That gives away juicy personal info, billing addresses..... http://sla.ckers.org/forum/read.php?15,16764,16799#msg-16799 w0ts0n Privacy Tue, 16 Oct 2007 07:59:34 -0500 http://sla.ckers.org/forum/read.php?15,16764,16765#msg-16765 Re: I've found a common security flaw in websites... That gives away juicy personal info, billing addresses..... http://sla.ckers.org/forum/read.php?15,16764,16765#msg-16765
On another site I use regularly... This time when you go to checkout it populates a form with your profile delivery address, based on a URL variable...

this is too easy..]]> Jeffuk Privacy Sun, 14 Oct 2007 07:34:29 -0500 http://sla.ckers.org/forum/read.php?15,16764,16764#msg-16764 I've found a common security flaw in websites... That gives away juicy personal info, billing addresses..... http://sla.ckers.org/forum/read.php?15,16764,16764#msg-16764
Using this, a scammer could VERY easily phone a site's customers, pretending to be from that site, and ask to confirm credit card details, or anything they need to 'double check' that could be used for ID theft etc. (Who would argue if you buy from a site, and then they phone you within 5 minutes, even I probably would fall for that)

the thing is, they all have the simplest flaw with them ... here's an example, identifying marks stripped for now:

I log in an go to change my contact details, it takes me to a form, populated with my existing details, which I can change and submit,
https://www.FOO.com/account/edit_profile.asp?s=1&pid=29436 so far so good.

however.... if I change the PID value +1 or -1 .... I get someone elses personal details pre-populating the form.

Quickest ID theft EVER :)

I've found 3 sites withoout even looking for them (sites I had a real reason to use and happened to notice the 'CUST=' or 'PID=' in the URL)... how many more must there be out there? Has anyone else noticed this pattern, it seems to be pretty common; I bet I could find 5 more sites that suffer from it in under an hour....

(wait one, I'll check :D )]]> Jeffuk Privacy Sun, 14 Oct 2007 07:28:46 -0500