Scotland's oldest newspaper exposes readers' smalls in public Scottish newspaper The Aberdeen Press and Journal inadvertently made it easy to harvest sensitive information about registered users from its site as a result of a basic information security mistake. Registered users are presented with stories an a URL along the lines of http://www.pressandjournal.co.uk/Article.aspx/815191? …
This post has been deleted by its author
One of the reasons I never fill in web forms with truthful information.
I do not trust the Internet. I do not trust businesses with personal information.
When I first started using the Internet, I though that I was maybe being a little paranoid. As I have grown to understand the underlying technology I realise that I was being astute.
Humans make mistakes, I have made many, I expect I will continue to do so. As the technologies behind the Internet become more complicated and connected, I expect more will be made. But this is a silly mistake, Cisco made a similar error with http access to their routers in IOS 12.0 and earlier.
indeed, not like firebug reveals form data ;-)
only thing that offers any (albiet not a great deal of) protection, is https with asymetric encryption for the data, and then you are vulnerable to unupdated debian ssl flaws, man in middle and playback attacks
never mind the ease of snarfing over wifi, (think shouting your pin number in a crowded room, and ur halfway there)
do think there should be a license or something required to create systems which handle public data, at least that way the only excuses are apathy and laziness, instead of ignorance and incompetance
I did a similar thing on the capitalone website around 2004 - in the secure message part of your account manager I clicked on a message, then edited the message ID in the url to random numbers. I was happily able to view other peoples private messages with capitalone, even though I was clearly not the author. Appalled, I sent them a message, after receiving no reply or acknowledgement after days I rang, told them off and threatened to tell the papers unless they looked into it seriously. Within the hour the site was down for maintenance!!! Never heard from them again, but the problem was fixed when they were back online. :)
This post has been deleted by its author
"Using the HTTP Post method of encoding a database query would have meant that a requested page comes with a URL that looks like gibberish, effectively eliminating the problem of URL manipulation"
errrr... did this line come out of a gibberish generator? This means nothing to me. Should it?
Anyone care to explain?
"In reporting on previous instances of URL mainipulation we've been told that using the HTTP Post method of encoding a database query would mean that a requested page comes with a URL that looks like gibberish, reducing the problem of URL manipulation."
Whoever told you that should in no means be let anywhere near a web site. Using the HTTP POST method sends the query in the body of the request instead of the URL. It means URL manipulation is no longer possible, although content manipulation is still possible for those who know enough. Many websites continue to use GET and simply use some form of encoding/encryption to make the URL hard for a human to parse. That's hard, not impossible. The best answer right now, of course, is complete encryption and POST -- but as with most best practices, it's pretty much ignored.
"All of the above, but it is a local paper after all. P&J has always been so, but rags like the "Mearns Leader" take the biscuit in the parochial stakes."
Clearly you have not read the Caithness Courier or its sister paper, the John O Groat journal.
30% gossip heard outside the sherrif court, 20% gossip heard in the pub, 40% adverts and 10% of actual news. Any news that they can attach to Wick and Thurso. Normally involving Caithness And Sutherland Enterprise shoving more money into the area attempting to redevelop the area. Badly.
Only the obituaries and marriages are almost always accurate, and even they are fallible...
If the previous poster had said that the JOGJ/CC had the Titanic headline, I'd have believed it without hesitation because that's *exactly* what it's like.
As local papers that far north go, I can say with some authority [as one of the few locals who can read thanks to not being horrifically inbred...] that the P+J isn't actually too bad as a source of news, but I'd never read it if there was a Times available...
Steven R
Once at university I had access to microfilm of the P&J archive and the Titanic story is just a myth. The timing of the sinking (morning UK time) made it far too late for that day's paper and the next day there was full and sensible coverage.
The story should be about the declaration of World War One where the headline of the day is
"Giant Turnip Found At Turriff"
Don't know why everyone's having a pop at Northern local papers. They're all like that, it's their job to be. I read the London Evening Standard once. It was full of stuff about London! It was like the rest of the country didn't exist!
As for this story; anyone who registers with a newspaper website and supplies accurate and confidential information.. well, I'll not say they deserve it, but what exactly are they thinking? Just because a newspaper has the nerve to ask for your home address and mobile number doesn't mean you have to give them it.
post is meant to be used when the server state changes.
get is used to retrieve a URL based on parameters.
Both can be affected by a lone cracker, get is arguably simpler as you can mainpulate directly in the browser, but of course a cracker can create a program to send crafetd post requests.
In an earlier infomercial, the art of self defense in the browser I think it was called, the author said a problem with a certain site was that a call to a url could be embedded in an external page causing the external site to change account information.
Now, those calls tend to have to be get requests, post requests are not sent automatically via the browsers to another domain. So, in that instance requiring a post would have helped (not made secure but helped).
See, they could have made you fill in a form or cloaked a form as a button, but less chance of an exploit then as it would require user interaction. And of course there is the possibility of using an iframe and an auto submission, could work, would be more obvious though, and would be considered a security hole, therefore a candidate to be patched. Whereas, accessing a url via get should be harmless, because it is not meant to change server state, see how all this works.
But in this instance, post or get it doesn't matter.
Browser security is really based on what does the user allow, that's why the confirm boxes are not really customizable so people cannot switch the ok and cancel around. And that's also why the mouse cursor cannot be moved all round the browser anymore :) Well maybe IE still allows that.
I have lost count of the bozos who think mixing post and get requests is a good idea. Break the model if you like, it is breakable but of course people base security around the model.
Anyhow, the golden rule is never trust the information sent, and verify the place it is sent from, if the system is open to abuse. Amazon one click is an example of something that could be quite easy to abuse or not depending upon how they verify the request.
And whilst we are on the subject, if you are using javascript, then it makes verification simpler and more robust, states can be changed depending upon page exit and tab currently being viewed, so it does amuse me that people advise noscript because in some instances they are lowering their security potential.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
