so does this explain the unauthorised usages on the missuss credit card then?
No, this time its not a joke!! any other JLP card holders had similar?
HSBC has finally fixed a bug that allowed web surfers to browse the directory structure of a supposedly secure website it helps to run. The John Lewis Partnership card secure website (a joint venture with HSBC) allowed the curious, and potentially malicious, to peek into its underlying structure. "Great if you were planning a …
I'm somewhat confused. Why would `leaking' the directory structure of your site be considered a security flaw? As an analogy, one would never consider `leaking' the layout of a building as a security risk*.
* Unless you are the developer of Terminal 5 and for some reason believe this information is top secret... Possibly under the assumption that no one will ever walk around the building....
(1) Access to directory listings of the web site can reveal pages that are not linked in. Perhaps the document with the turnover figures that will be released at noon. Perhaps ini files or server side include files with configuration or authorisation details.
(2) Access to directory listings shows that their system build, configuration and testing process is flawed. If they missed and obvious thing like directory listing what else did they miss.
depends on your definition of "work". It means any flaws are hard to find. This is a good thing. It gives you more time to find and fix flaws, and means some flaws might never be discovered by baddies at all.
What it is NOT is a substiture for fixing and finding flaws. It's a barrier that will keep out rifraff and cause more determined attackers to take more time and possibly be more noticable. These are all good things.
The "security by obscurity" mantra only really applies where people use attempted obfuscation INSTEAD of other methods. and in some fields (cryptography) it is much more beneficial to expose your alogrithm to scrutiny to hammer out the bugs - but you still hide your key, don't you? ;)
Biting the hand that feeds IT © 1998–2021