Researcher discloses vulnerability to firm, gets police visit

Powered by SC Magazine
 

Millions exposed by super hole.

A security researcher was questioned by NSW Police after quietly reporting a massive security gaffe to First State Superannuation that potentially exposed millions of customer accounts.

Patrick Webster found he was able to access electronic superannuation notices of any customer by changing numerical values in URLs used to issue statements to clients.

Webster, a customer of First State Superannuation and consultant at OSI Security, increased the URL number value by one and was granted access to a former colleagues' super statement.

He was shown information such as name, address, date of birth, next of kin and superannuation payments.

He notified his colleague, also a security professional, and reported the direct object vulnerability to First State Superannuation the following day on 23 September.

Webster said the company thanked him for reporting the issue and fixed the flaw within 24 hours.

He previously did not publicly disclose the vulnerability.

But as first reported by Risky Business, NSW Police had appeared on Webster's doorstep at around 9pm to investigate the incident.

"They said the [superannuation] company had reported that I had accessed accounts and they were there to investigate," Webster told SC.

He said police could not say if charges would be pressed.

NSW Police detective inspector Paul McDonald from the Rocks Local Area Command was aware of the incident but could not immediately answer questions whether it would be investigated further.

Webster, a former civilian senior security analyst with the NSW Police, explained to Burwood police who attended last night that he did not steal or compromise customer information.

First State Superannuation did not respond to requests for comment to confirm that it called police nor explain why it may have done so.

However a letter from the company's administration manager Patrick McGoulrick to customers posted on Risky Business (pdf) acknowledged and apologised for the gaffe. 

McGoulrick told customers that "the incident was not the result of a targeted attempt to access your statement or account details" adding that Webster had "not retained any details of your statement or account".

Webster said it could be extremely difficult to determine if any of the millions of accounts had been accessed by fraudsters.




http://www.osisecurity.com.au/OSI Security

Copyright © SC Magazine, Australia


Researcher discloses vulnerability to firm, gets police visit
 
 
 
Top Stories
ATO shaves $4m off IT contractor panel
Reform cuts admin burden, introduces KPIs.
 
Turnbull introduces data retention legislation
Still no definition of metadata to be stored.
 
Crime Commission prepares core systems overhaul
Will replace 30 year-old national criminal database.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  27%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  25%
TOTAL VOTES: 433

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  54%
 
No
  46%
TOTAL VOTES: 209

Vote