Security logic flaws - Real-world examples by Bill Cory
* Yahoo ran a promotional offer: deposit USD $30 into an advertising account and Yahoo would add a further USD $50 to that account. The sign-up process could be circumvented so that the additional USD $50 was credited without the requisite USD $30 ever being deposited; the step that granted the bonus did not verify that the deposit had actually been made.
Yahoo SEM Logic Flaw
http://ha.ckers.org/blog/20080616/yahoo-sem-logic-flaw/
* Tower Records' form validation assumed that users would fill out a form in the order presented, but some users filled out the bottom portion first. The resulting bug was not caught during development and cost the company sales.
Tower Records Tunes Its Site
http://www.storefrontbacktalk.com/story/021005tower.php
* YouTube restricts some videos to users aged 18 and over on its own site. However, the same video embedded in another site is served without that filter, so anyone of any age can view it.
Youtube’s 18+ Filters Don’t Work
http://www.darkseoprogramming.com/2008/06/01/youtubes-18-filters-dont-work/
* Facebook restricts access to private user pages, but there have been incidents where an attacker could replace the user ID in the URL with a victim's ID and bypass that restriction, because the server acted on the ID supplied in the request rather than on the requester's own identity. Two examples: accessing private photos and accessing private fan pages.
Peekaboo! Facebook fills photo security hole
http://news.cnet.com/8301-1009_3-10042909-83.html
Hole unveils Facebook fan pages
http://news.cnet.com/8301-1009_3-10046932-83.html
* E-trade and Schwab did not limit a bank account to a single user, so an attacker could attach the same bank account to tens of thousands of brokerage accounts and collect the verification micro-deposits sent to each, for a loss of about USD $50,000.
Man Allegedly Bilks E-trade, Schwab of $50,000 by Collecting Lots of Free 'Micro-Deposits'
http://blog.wired.com/27bstroke6/2008/05/man-allegedly-b.html
* AT&T offered free Wi-Fi to iPhone users, but to distinguish iPhone users from everyone else it relied on the browser's User-Agent header and an iPhone phone number. By changing the User-Agent and supplying the phone number of any iPhone account, users of other devices obtained the free service; both values are chosen by the client, and neither proves which device is connecting.
Apple and AT&T providing free Wi-Fi access to iPhone users and oops… to everyone else as well!
http://blogs.zdnet.com/security/?p=1067
* MySpace restricts access to private user photos, but when it launched a new service for sharing data with Yahoo, that process contained a flaw that exposed private user photos through Yahoo.
Paris and Lindsay Hacked Again (There’s a Lesson Here, Really)
http://blogs.wsj.com/biztech/2008/06/03/paris-and-lindsay-hacked-again-theres-a-lesson-here-really/
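The Yahoo and Tower Records entries are two faces of the same mistake: a multi-step flow whose server trusts that the steps happened, and happened in order. The example below is added here and is not code from the page or from either company; the Account model, the amounts and the function names are hypothetical. It models the Yahoo promotion (deposit USD 30, receive USD 50). The vulnerable handler grants the bonus because a form field says the deposit step was completed; the hardened handler ignores that field, grants the bonus only from a deposit the payment processor has settled, validates the whole submission regardless of the order the fields were filled in (the Tower Records lesson), and is idempotent so a replayed final step cannot credit the bonus twice.

```python
"""Server-side enforcement of a multi-step promotional sign-up.

Added example; Account, REQUIRED_FIELDS and the handler names are
hypothetical and not from the page or from Yahoo/Tower Records.
"""
from dataclasses import dataclass
from decimal import Decimal

REQUIRED_DEPOSIT = Decimal("30")
BONUS = Decimal("50")
REQUIRED_FIELDS = ("name", "email", "campaign")


@dataclass
class Account:
    user_id: str
    balance: Decimal = Decimal("0")
    settled_deposits: Decimal = Decimal("0")  # written only by the payment callback
    bonus_granted: bool = False


def vulnerable_finish_signup(acct: Account, form: dict) -> Decimal:
    """Vulnerable: a client-supplied form field is the only evidence money arrived."""
    if form.get("deposit_done") == "1":
        acct.balance += BONUS
        acct.bonus_granted = True
    return acct.balance


def record_settled_deposit(acct: Account, amount: Decimal) -> None:
    """Called from the payment processor's confirmation, never from a user form."""
    if amount <= 0:
        raise ValueError("settled amount must be positive")
    acct.settled_deposits += amount
    acct.balance += amount


def hardened_finish_signup(acct: Account, form: dict) -> Decimal:
    """Hardened: validate the full submission, then credit from server state only."""
    # Check every required field here; do not assume the step order was honoured.
    missing = [f for f in REQUIRED_FIELDS if not form.get(f)]
    if missing:
        raise ValueError(f"incomplete sign-up, missing: {missing}")
    # The client's deposit_done flag is ignored; only settled money counts,
    # and the bonus is granted at most once per account.
    if acct.settled_deposits >= REQUIRED_DEPOSIT and not acct.bonus_granted:
        acct.balance += BONUS
        acct.bonus_granted = True
    return acct.balance


if __name__ == "__main__":
    # Constructed sample submission that claims the deposit step is done.
    form = {"name": "x", "email": "x@example.com", "campaign": "promo", "deposit_done": "1"}
    print(vulnerable_finish_signup(Account("u1"), form))  # 50 credited with no deposit
    acct = Account("u2")
    print(hardened_finish_signup(acct, form))             # 0: nothing settled yet
    record_settled_deposit(acct, Decimal("30"))
    print(hardened_finish_signup(acct, form))             # 80: 30 deposit + 50 bonus
    print(hardened_finish_signup(acct, form))             # still 80: replay is a no-op
```

The point of keeping `record_settled_deposit` separate is that it is the only writer of `settled_deposits`, and it is reachable only from the payment processor's confirmation path; no form a user can submit touches it.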
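The Facebook, YouTube and AT&T entries share a root cause: the access check is made on the normal path (the profile page, the watch page, the carrier portal) while some other path reaches the same object with a client-chosen value as the only gate (a swapped user ID in the URL, an embedded player, a User-Agent header). The example below is added here and is not code from the page or from any of those companies; the Viewer and Resource model, the catalog entries and the function names are hypothetical. It puts the decision in a single `authorize()` that takes the requester's server-side identity and is called by every route, and keeps a vulnerable embed route alongside it to show the bypass.

```python
"""One authorization decision for every path that reaches an object.

Added example; Viewer, Resource, CATALOG and the route functions are
hypothetical and not from the page or from Facebook/YouTube/AT&T.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Viewer:
    """Who is asking: taken from the session, never from the URL or headers."""
    user_id: Optional[str]  # None = anonymous
    age: Optional[int]      # None = age not verified


@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner_id: str
    private: bool = False   # private: only the owner may view
    min_age: int = 0        # 0 = no age restriction
    body: str = ""


# Constructed sample catalog standing in for the object store.
CATALOG: Dict[str, Resource] = {
    "photo-1": Resource("photo-1", "alice", private=True, body="alice private photo"),
    "video-9": Resource("video-9", "carol", min_age=18, body="restricted video"),
    "video-2": Resource("video-2", "carol", body="public video"),
}


def authorize(viewer: Viewer, res: Resource) -> bool:
    """The only place an access decision is made."""
    if res.private and viewer.user_id != res.owner_id:
        return False
    if res.min_age and (viewer.age is None or viewer.age < res.min_age):
        return False
    return True


def vulnerable_embed(resource_id: str) -> Optional[str]:
    """Embed route as the flaw describes it: object ID in, object out, no check."""
    res = CATALOG.get(resource_id)
    return res.body if res else None


def hardened_serve(viewer: Viewer, resource_id: str) -> Optional[str]:
    """Shared by the page route and the embed route; the ID alone never decides."""
    res = CATALOG.get(resource_id)
    if res is None or not authorize(viewer, res):
        # Denied and missing look the same, so IDs cannot be probed for existence.
        return None
    return res.body


if __name__ == "__main__":
    anon = Viewer(None, None)
    print(vulnerable_embed("video-9"))                        # restricted video, no check
    print(hardened_serve(anon, "video-9"))                    # None
    print(hardened_serve(Viewer("bob", 30), "photo-1"))       # None: swapped ID, not owner
    print(hardened_serve(Viewer("alice", 30), "photo-1"))     # alice private photo
```

Whatever the page route and the embed route do differently in rendering, they both go through `hardened_serve`; the `Viewer` they pass in is resolved from the session on the server, so a User-Agent string or an ID in the query string has no bearing on the decision.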
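The E-trade and Schwab entry is about a missing limit rather than a missing check: nothing stopped one bank account from being attached to an unbounded number of brokerage accounts, each of which received verification micro-deposits. The example below is added here and is not code from the page or from either firm; the registry class, its normalization rule and the cap are hypothetical. It keys a registry on the normalized bank account, refuses to bind it to a second customer, and caps the number of micro-deposit verification rounds any one bank account may receive.

```python
"""Bind a funding source to at most one customer and cap verifications.

Added example; FundingRegistry and MAX_VERIFICATIONS_PER_BANK_ACCOUNT are
hypothetical and not from the page or from E-trade/Schwab.
"""
from collections import defaultdict
from typing import Dict, Optional, Tuple

MAX_VERIFICATIONS_PER_BANK_ACCOUNT = 3


class FundingRegistry:
    def __init__(self) -> None:
        # normalized (routing, account) -> customer_id that owns the link
        self._owner: Dict[Tuple[str, str], str] = {}
        # normalized (routing, account) -> micro-deposit rounds sent so far
        self._verifications: Dict[Tuple[str, str], int] = defaultdict(int)

    @staticmethod
    def _key(routing: str, account: str) -> Tuple[str, str]:
        # Normalize so "1234-5678" and "12345678" cannot be registered as two accounts.
        return (routing.replace("-", "").strip(), account.replace("-", "").strip())

    def owner_of(self, routing: str, account: str) -> Optional[str]:
        return self._owner.get(self._key(routing, account))

    def link(self, customer_id: str, routing: str, account: str) -> bool:
        """Return True and send a micro-deposit round only if the link is allowed."""
        key = self._key(routing, account)
        owner = self._owner.get(key)
        if owner is not None and owner != customer_id:
            return False  # already bound to a different customer
        if self._verifications[key] >= MAX_VERIFICATIONS_PER_BANK_ACCOUNT:
            return False  # this bank account has had its share of micro-deposits
        self._owner[key] = customer_id
        self._verifications[key] += 1
        return True


if __name__ == "__main__":
    reg = FundingRegistry()
    print(reg.link("c1", "021000021", "12345678"))   # True
    print(reg.link("c2", "021000021", "1234-5678"))  # False: same account, other customer
```

The cap is deliberately per bank account rather than per customer: the attack in the article created many customers, so a per-customer limit alone would not have bounded the total paid out.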