AIB Security Issue

  • 19-09-2008 12:09pm
    #1
    Registered Users Posts: 44


    I found a major security flaw in AIB servers this morning. As an AIB customer, I called it in.

    I was able to browse their entire Content Management system.

    The guy on the phone said they would rectify it straight away.

    Now I'm thinking I should have charged a frickin' consultancy fee...


Comments

  • Registered Users, Registered Users 2 Posts: 1,562 ✭✭✭cance


    that's nice...

    <.<

    >.>

    :pac:


  • Banned (with Prison Access) Posts: 34,567 ✭✭✭✭Biggins


    Crikey. I hope no one took advantage of the loophole!

    You should at least get something for being honest and taking the time to inform them!


  • Registered Users, Registered Users 2 Posts: 2,934 ✭✭✭egan007


    Hope they take it more seriously than the Internet banking bug I reported.

    In Firefox 3
    Login to internet banking.
    Let it time out.

    The timeout does not complete properly.
    Click the back button - voilà - your statement on view!

    AIB said: This is a problem in the way FF3 handles sessions, they will wait for a FF fix.

    I explained that this is not the point, the point is that they have to work around it and guarantee that a timeout is complete on all browsers.

    AIB said: Meh...
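The failure mode egan007 describes (a timed-out session whose protected page is still viewable with the Back button) has two server-side causes: the session is only expired on the client, and the protected response was cacheable. The example below is an added illustration, not code from the thread or from AIB; it assumes a hypothetical in-memory session store and a made-up statement handler, and shows both defenses: enforce the idle timeout on the server, and mark every response to a protected URL `no-store` so the browser cannot replay it from cache. It also includes a small checker that flags cache headers that would allow the replay.

```python
"""Idle-timeout enforcement plus no-store headers for a protected page (added example)."""
import secrets
import time

IDLE_TIMEOUT = 600  # seconds of inactivity before the server discards a session

# Headers that stop a browser (and intermediaries) from serving the page from cache,
# which is what makes "Back" show the statement again after a timeout.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}


class SessionStore:
    """Hypothetical in-memory session store; the clock is injectable for testing."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.clock = clock

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None. Expiry is decided here,
        on the server, so a stale cookie or cached page cannot revive it."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["last_seen"] > self.idle_timeout:
            del self._sessions[sid]  # discard; the client-side timer is irrelevant
            return None
        rec["last_seen"] = now
        return rec["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def render_statement(store, sid):
    """Made-up handler for a protected page. Returns (status, headers, body).
    Every response, including the redirect to login, carries the no-store headers."""
    headers = dict(NO_CACHE_HEADERS)
    user = store.validate(sid)
    if user is None:
        headers["Location"] = "/login"
        return 302, headers, ""
    return 200, headers, f"Statement for {user}"


def audit_cache_headers(headers):
    """Return a list of problems that would let a protected response be replayed from cache."""
    problems = []
    directives = [d.strip().lower() for d in headers.get("Cache-Control", "").split(",") if d.strip()]
    names = {d.split("=")[0] for d in directives}
    if "no-store" not in names:
        problems.append("Cache-Control lacks no-store")
    if "public" in names:
        problems.append("Cache-Control marks response public")
    for d in directives:
        if d.startswith("max-age=") and d != "max-age=0":
            problems.append(f"Cache-Control allows caching ({d})")
    return problems


if __name__ == "__main__":
    clock = [1000.0]  # constructed fake clock so the timeout can be simulated
    store = SessionStore(idle_timeout=600, clock=lambda: clock[0])
    sid = store.create("alice")
    print(render_statement(store, sid)[0])   # 200 while the session is live
    clock[0] += 601                           # simulate the idle timeout elapsing
    print(render_statement(store, sid)[0])   # 302 to /login; session is gone server-side
    print(audit_cache_headers({"Cache-Control": "private, max-age=3600"}))
```

The `audit_cache_headers` helper is the check a defender can run against the headers of any authenticated page: if `no-store` is absent, the timeout logic alone does not stop the Back button from showing the last response the browser received.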


  • Registered Users Posts: 44 kwikksilva


    Well, it still ain't fixed... I guess they don't mind people browsing the content management system, if you could get past the login page, I'm assuming that you could change the content in production....


  • Banned (with Prison Access) Posts: 34,567 ✭✭✭✭Biggins


    It doesn't inspire confidence in them, does it, if it's still unresolved!


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    Reported a security issue to a local credit union (though it applied to all credit unions that used the same system) where a hacker could view account details. Nothing was done.


  • Banned (with Prison Access) Posts: 34,567 ✭✭✭✭Biggins


    ...and then they ask us to put our faith in them! Yikes!


  • Registered Users, Registered Users 2 Posts: 3,009 ✭✭✭colly10


    Well the issue is still there with aib, I don't see how it's dangerous though, I see nothing incriminating


  • Registered Users, Registered Users 2 Posts: 648 ✭✭✭Tenshot


    In fairness, about three years ago I reported an ASP vulnerability to AIB's tech department and they had it fixed within the hour (literally!). I was quite impressed.


  • Registered Users Posts: 44 kwikksilva


    Well the issue is still there with aib, I don't see how it's dangerous though, I see nothing incriminating

    I guess it depends how much the hacker knows about their content management system.


  • Moderators, Motoring & Transport Moderators, Music Moderators Posts: 12,778 Mod ✭✭✭✭Zascar


    kwikksilva wrote: »
    I found a major security flaw in AIB servers this morning. As an AIB customer, I called it in.

    I was able to browse their entire Content Management system.

    The guy on the phone said they would rectify it straight away.

    Now I'm thinking I should have charged a frickin' consultancy fee...

    How in the world did you do that? Obviously without giving too much away, how did you 'stumble' upon this flaw?


  • Banned (with Prison Access) Posts: 34,567 ✭✭✭✭Biggins


    Zascar wrote: »
    How in the world did you do that? Obviously without giving too much away, how did you 'stumble' upon this flaw?

    I don't know how he/she did it but I managed to do the same with Eircom's servers at one stage.

    I was on their site when their stuff on their page crashed my browser. I had to shut down and reboot. Started up their site again and examined some coding to discover what might have caused the crash.
    (I am being careful with details for obvious Eircom security reasons. Don't want anyone else managing to do what I did, on purpose)
    Anyway, I discovered a gaping hole in their security and to test it, went into their customer accounts section and made up a customer name to something really stupid and obvious. (I could have gotten into more)

    I informed Eircom of the massive, massive security hole. The chap on the other end of the phone was not impressed that I had spotted it. He didn't believe me that such a thing could be, so I told him to look up the unusual customer name buried somewhere and voilà... he was astounded.

    I told him that I discovered it by accident (which was true), how to rectify it and left it at that.
    A week later, the security problem still existed - unchanged!

    Moral: You can only try to teach some people, if they won't listen - move your business elsewhere. I did, I moved to BT (a number of years now) and have no regrets yet.


  • Registered Users, Registered Users 2 Posts: 1,656 ✭✭✭rogue-entity


    I found what I believe the OP is referring to, and it's probably not as big a hole as it seems, it is also pretty trivial to fix.

