
German Survey Company Loses 41,000 Survey Records

timothy posted more than 6 years ago | from the entschuldigen-bitte dept.

Privacy 122

mister_woods writes "It's not just governments that lose private data. Germany's Chaos Computer Club (CCC) reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants. By simply changing the customer ID number in the browser's address bar access could be gained to comprehensive survey results, including names, addresses, dates of birth, email addresses, phone numbers and much more sensitive data. A CCC spokesman described this as 'unprofessional, grossly negligent and above all deeply worrying' and sees this loss as a vindication for its calls for strict regulations for public and private sector data collectors."


4chan (0)

Anonymous Coward | more than 6 years ago | (#24079539)

if they need to find it they should just keep an eye on 4chan, someone will post it there in a few days

How pathetic (2, Insightful)

Darkness404 (1287218) | more than 6 years ago | (#24079557)

How pathetic that these are the very sites that they make you have some ultra-secure password for because there is so much personal information on it and may even boast that the servers are stored in some nuclear bunker and mirrored in every country but yet they can't even enforce decent security on the site itself.

Re:How pathetic (2, Insightful)

Anonymous Coward | more than 6 years ago | (#24079627)

I can get my f'ing medical records over the phone with 1/8th the information I need to even pay my f'ing cell phone bill.

Re:How pathetic (4, Funny)

omeomi (675045) | more than 6 years ago | (#24080165)

Well, I certainly won't be completing any more German surveys...

Re:How pathetic (2, Interesting)

Opportunist (166417) | more than 6 years ago | (#24080763)

Wrong. You can still complete any surveys you want.

Just fill in wrong info. There's only one thing worse than having no information for a data collector: Being unable to discriminate between good and bogus data. It poisons your whole data pool.

Re:How pathetic [pollute information] (0)

Anonymous Coward | more than 6 years ago | (#24082073)

I entered an incorrect age (much older) on several online surveys and now get AARP and Depends adverts on my spam e-mail account. I wonder what would happen if I started entering requests for information along the lines of "like an elephant's trunk"? This is like using the TrackMeNot firefox add-on to pollute web search tracking. I just let it run day and night.

Re:How pathetic [pollute information] (1)

Opportunist (166417) | more than 6 years ago | (#24083097)

A while ago, I started using some fake names for online surveys, then I added the name to my spam filter.

I get a whole lot less spam now.

Re:How pathetic (0)

Anonymous Coward | more than 6 years ago | (#24080879)

I earn about $200 in cash and gift cards each month by taking surveys, plus maybe $5-10 in free products to test. None of these sites ask you for an "ultra-secure" password. One site even limits you to 8 characters. I would not be surprised to see "password" accepted as a password.

These sites are poorly put together and it is the rare survey that utilizes HTTPS. From what I can tell, these sites play fast and loose with your data.

As with any site, the real trick is to only give them the information that is actually necessary and fake any information that is not necessary. (Hint: No one needs your exact date of birth to fit you into the 18-25 year-old demographic.) And, of course, any information you're not comfortable falling into the wrong hands, simply don't share.

Another day, another data leak. (5, Insightful)

inotocracy (762166) | more than 6 years ago | (#24079587)

When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note [attrition.org] .

Re:Another day, another data leak. (5, Funny)

Hal_Porter (817932) | more than 6 years ago | (#24079781)

What are you worried about? It's just bits. Information wants to be free. It's not like you own it or anything. Complaining about it being posted on the net will just lead to the Streisand Effect.

Everyone knows that security through obscurity is a bad model. In the Web 2.0 world the only sustainable business model is to make your Social Security number public and sell support on people who want to use it. E.g. if some dude in Nigeria is trying to apply for a credit card in your name he might get asked about your postal address and secret codeword. You could make a few bucks if you gave him the information, more if you applied for the credit card for him yourself.

And don't try to encrypt stuff. Studies show that 95% of Nigerian phishers want DRM free personal information.

Re:Another day, another data leak. (5, Insightful)

jlarocco (851450) | more than 6 years ago | (#24080009)

When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note.

Having the government impose a fine is not the answer. The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up. If consumers can't be bothered with 5 minutes of research to avoid companies with poor privacy practices, there's absolutely no incentive for companies to spend the money to respect privacy. A fine just increases the cost of doing business - meaning you'll pay even more to have them lose your data.

Re:Another day, another data leak. (1)

inotocracy (762166) | more than 6 years ago | (#24080241)

A large fine might help a bit with their security practices and prevent some of these incidents. Sure, there will still be accidents like these, but they may be further apart and less severe. It's pretty common to read about some employee losing a laptop, or tape drives containing large amounts of private information.

If they had stricter policies about data leaving the compound, or at least encrypting whatever media it's on, a lot of this stuff could be avoided. There is no reason for companies to take this too seriously since they can just say "my bad" and it's business as usual again.

Imagine if the company had to pay a fine of $5,000 or more, per customer involved in the data loss. My guess is they would be a bit more careful.

Re:Another day, another data leak. (1)

jlarocco (851450) | more than 6 years ago | (#24080843)

There is no reason for companies to take this too seriously since they can just say "my bad" and it's business as usual again.

You just don't get it, do you? It's your responsibility, as the "owner" of that information, to make sure it stays private. If a person willingly hands over their private data to a company with a history of data loss, how important can the data really be? You wouldn't give your car keys to a known car thief, so why will you give your private data (and money) to a company with a history of data loss?

It's our responsibility as consumers to punish companies that lose ours and other people's data by no longer doing business with them. We don't need the government looking over everybody's shoulder making sure we're all being treated okay. Believe it or not, it's up to us to look out for ourselves sometimes!

Imagine if the company had to pay a fine of $5,000 or more, per customer involved in the data loss. My guess is they would be a bit more careful.

My guess is they'd charge $5000 more per customer, for "extra security." And then lose the data anyway.

Re:Another day, another data leak. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24081281)

You just don't get it, do you? It's your responsibility, as the "owner" of that information, to make sure it stays private. If a person willingly hands over their private data to a company with a history of data loss, how important can the data really be?

It's you who 'doesn't get it'. Virtually all such companies appear to be equally careless with their customer information. And the 'full disclosure' of such data losses, which would be required if you were to have any chance of punishing the 'bad' companies does not exist. As a consequence of modern day life we are *forced* to do business with at least some of these companies and so they have no incentive to do better. This is the sort of thing where legal sanctions *are* necessary.

Re:Another day, another data leak. (1)

jlarocco (851450) | more than 6 years ago | (#24081445)

As a consequence of modern day life we are *forced* to do business with at least some of these companies and so they have no incentive to do better.

Oh shut the fuck up. Nobody is forcing you to buy stuff. Like this survey company goes around, holding people at gunpoint, telling them to give out their private info and take a survey? Give me a fucking break.

Can you provide even a single example where you simply *had* to buy some product or service from a company with poor data security?

Re:Another day, another data leak. (1)

Nursie (632944) | more than 6 years ago | (#24082069)

Yup, the government. You're forced to give them data and they keep losing it. Other than that I'd like to ask how it is that you can know in advance which company is going to lose your data?

It's only your responsibility to keep your details secure if you have prior knowledge of what's going to happen to them. This is one reason why there should be legal protections.

Another is that companies will often change their behaviour for the worse, especially in times of financial difficulty. There need to be legal provisions in place to stop them selling data on.

Re:Another day, another data leak. (1)

AlecC (512609) | more than 6 years ago | (#24082299)

Most of the recent data losses in the UK have involved government data. One was for the agency paying support to poor families - they *need* that money and cannot go elsewhere. Another was the Army recruitment department: if you want to join the Army, there isn't another one you can choose because this one had poor data security.

Re:Another day, another data leak. (1)

mpe (36238) | more than 6 years ago | (#24082557)

It's you who 'doesn't get it'. Virtually all such companies appear to be equally careless with their customer information. And the 'full disclosure' of such data losses, which would be required if you were to have any chance of punishing the 'bad' companies does not exist.

It may even lead to those companies who are best at hiding it to appear to be the best.

As a consequence of modern day life we are *forced* to do business with at least some of these companies and so they have no incentive to do better. This is the sort of thing where legal sanctions *are* necessary.

The problem with legal sanctions is that the worst offenders include government and government contractors. Where there is quite literally no competition.

Re:Another day, another data leak. (1)

FireFury03 (653718) | more than 6 years ago | (#24082123)

You wouldn't give your car keys to a known car thief

But you would give your car keys to the garage who's servicing the car. If they fail to secure the keys properly and someone steals your car then why shouldn't the garage be held responsible?

Re:Another day, another data leak. (1)

ultranova (717540) | more than 6 years ago | (#24083471)

It's our responsibility as consumers to punish companies that lose ours and other people's data by no longer doing business with them. We don't need the government looking over everybody's shoulder making sure we're all being treated okay. Believe it or not, it's up to us to look out for ourselves sometimes!

I don't know if you realize this, but in a democracy, the government is us. It is our servant, created for the specific purposes of dealing with antisocial behaviour and looking after us. It is perfectly valid to delegate the task of dealing with companies and forcing them to behave to the government.

It is natural in human societies for leaders to arise; hell, by promoting a course of action - boycotting these companies - you are setting yourself up as a leader. And a government is simply leadership made official, which means that its powers and responsibilities have been clearly defined, as is the process amending those definitions should the need arise, as well as the process of replacing the current leaders with new ones. It is foolish to suggest that cooperation - the tactic which has served us for millions of years and made us the undisputed rulers of this world and of which modern governments are perhaps the most evolved example - shows unwillingness to take personal responsibility.

It isn't a matter of having someone look over your shoulder, it's the matter of having someone cover your back.

Imagine if the company had to pay a fine of $5,000 or more, per customer involved in the data loss. My guess is they would be a bit more careful.

My guess is they'd charge $5000 more per customer, for "extra security." And then lose the data anyway.

It must be one altruistic company, then; for surely a for-profit corporation is already charging the amount that will maximize their profit, so only an altruistic company dedicated to the well-being of its customers over the profits of its shareholders would be able to pass fines to said customers. They could get $5,000 more per customer while still retaining their userbase, and yet they aren't doing so; truly they have a heart of purest gold, if not a wallet full of it.

The claim that "customers pay the fines" is simply rubbish. It is no doubt spread by the very companies who know they deserve to be fined to try to persuade the public opinion against imposing those fines, but a very basic analysis shows that it is impossible for a for-profit corporation to pass the fines to its customers, because it is already taking all it can from them. No, fines hurt the company shareholders, just like they should.

So fine the bastards until they learn their lesson or go bankrupt. Forcing people to care about the consequences of their actions to other people is exactly what the legal system is supposed to do.

Re:Another day, another data leak. (0)

Anonymous Coward | more than 6 years ago | (#24080647)

Fine the companies? The root problem is the idiots that fill out these forms. Just fine these form-filling morons into oblivion and push them into bankruptcy. Oh wait, I guess that happens already, and the soup lines will soon be full. Soylent Green, it's made of unemployed people!

I think a fine would help... (2, Insightful)

Joce640k (829181) | more than 6 years ago | (#24080983)

Then again, a fine won't help much because the people responsible wouldn't pay it, they'd just move to another company after this one went bust.

What's needed is a short stay in prison for the CEO responsible for overseeing the project.

A couple of convictions would see every company in the country take their data offline until some real security consultants were consulted.

Re:I think a fine would help... (1)

AlecC (512609) | more than 6 years ago | (#24082331)

That might be overkill - putting the CEO of a major bank in prison could cause a collapse leading to a depression. Putting the CEO of the government into prison would cause major political upheavals and would have massive knock-on effects, dependent upon the political system.

Re:I think a fine would help... (1)

drinkypoo (153816) | more than 6 years ago | (#24082959)

That might be overkill - putting the CEO of a major bank in prison could cause a collapse leading to a depression.

If the bank is that fragile it's doomed anyway. He could also get hit by a bus.

Putting the CEO of the government into prison would cause major political upheavals and would have massive knock-on effects, dependent upon the political system.

It's about the smartest thing we could do in the USA, but we'd have to put the whole fucking cabinet in there with him.

Re:I think a fine would help... (1)

AlecC (512609) | more than 6 years ago | (#24083091)

That might be overkill - putting the CEO of a major bank in prison could cause a collapse leading to a depression.

If the bank is that fragile it's doomed anyway. He could also get hit by a bus.

Getting hit by a bus does not imply criminality. It is the implication that the organisation has had a crook at its head which does the harm, not the departure of any single individual. Bankers work very hard to look respectable, hence the marble foyers and double breasted suits (not both worn at the same time).

Putting the CEO of the government into prison would cause major political upheavals and would have massive knock-on effects, dependent upon the political system.

It's about the smartest thing we could do in the USA, but we'd have to put the whole fucking cabinet in there with him.

Far be it from me to disagree..

Re:Another day, another data leak. (1)

neumayr (819083) | more than 6 years ago | (#24081469)

In this case, "driving them out of business" might be a little harder than you might imagine - they're a huge company with 14k employees in 70 countries, and their customers are governments, companies and press agencies.
Those people whose data they lost are not their customers, and even if they were - 5 minutes/hours/days of research wouldn't have helped them, as this security leak was not published before and they don't have a history of (published) data loss.

Re:Another day, another data leak. (1)

maguz (451672) | more than 6 years ago | (#24081495)

Financial punishment imposed by government would be a good indication for the public as well that the particular company screwed up. The bigger the sum, the better headlines.

Many areas of technology are strictly regulated. Are there any specific obstacles in information technology area for having such regulations?

Re:Another day, another data leak. (1)

leomekenkamp (566309) | more than 6 years ago | (#24081741)

Joe Sixpack would not recognize a privacy issue if it was dancing on a table, wearing a pink tutu and singing "Privacy issues are here again.". Most people would not even know where to start looking for companies' track records on data safety. Most people simply look at cost (and maybe direct value) of the products they want.

A fine just increases the cost of doing business - meaning you'll pay even more to have them lose your data.

Yes, it would lead to increased pricing, which would drive customers to other companies. Exactly what one wants.

Re:Another day, another data leak. (1)

ubrgeek (679399) | more than 6 years ago | (#24081853)

The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up.

Let me know how that works out for you. Companies that provide/are supposed to protect medical history? Not likely to happen. The only way - and you can be sure that, regardless of the country in which this stuff happens this won't become required - to make a dent in this stuff is to mandate prison time for senior management. What's that? The CTO doesn't know enough about computers to make sure the database his folks built is secure? Mandate third-party audits for any product that is designed to store privacy information. Is that a guarantee that it'll work? Nope, but it's better than nothing.

Otherwise, grow up. "Voting with your wallet" doesn't work if a company like Nike loses your personal information. In their mind, your wallet contains pocket change.

Re:Another day, another data leak. (1)

Tikkun (992269) | more than 6 years ago | (#24082549)

Having the government impose a fine is not the answer. The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up.

Just like how consumers don't buy gas from Exxon-Mobil anymore after they spilled lots of oil in Alaska.

Re:Another day, another data leak. (1)

BrunoUsesBBEdit (636379) | more than 6 years ago | (#24084343)

If consumers can't be bothered with 5 minutes of research to avoid companies with poor privacy practices, there's absolutely no incentive for companies to spend the money to respect privacy.

These are the same consumers who tolerate IE. We have lowered the barriers to entry such that the markets are broken. I don't know the answer, but the problem is obvious to anyone other than the layman.

Re:Another day, another data leak. (5, Insightful)

Rakishi (759894) | more than 6 years ago | (#24080051)

Well the amount of data leaks would suddenly drop since companies would suddenly overlook it when data goes missing. After all they thought it was an empty hard drive and they'd be just as confused as everyone else when it turned out differently. In other words they'd simply not report them because reporting them would automatically give them a fine. So consumers get screwed in the end because they don't even get alerted when their data is stolen.

Re:Another day, another data leak. (1)

Sky Cry (872584) | more than 6 years ago | (#24080955)

So make any unreported leaks fined by a considerably greater amount, once uncovered.

Re:Another day, another data leak. (1)

OzoneLad (899155) | more than 6 years ago | (#24083213)

So make any unreported leaks fined by a considerably greater amount, once uncovered.

This will just turn into another exercise in cost/benefits analysis for them. If they figure they'll get caught one time out of twenty and that the fine for non-disclosure is ten times larger than the normal fine, they'll opt for being sneaky bastards every single time.

there already is to some extent (2, Interesting)

Trepidity (597) | more than 6 years ago | (#24080503)

Apart from certain areas (possibly medical records) there aren't statutory fines, but companies can be held liable if through their negligence something bad actually happens. To reduce the chance of that happening, many spend money on pro-active measures immediately after a leak, which is in some ways a "fine", in that it costs them money, and so they rationally would like to avoid it happening. For example, after a former university of mine misplaced a bunch of records, they paid for two years of identity-theft and credit-monitoring through some service for everyone who was affected.

Re:Another day, another data leak. (1)

Joker1980 (891225) | more than 6 years ago | (#24081937)

It's been said before, $1 million fine per piece of personal data lost, it would stop being collected by the end of the week.

Not "Lost" (4, Insightful)

mrroot (543673) | more than 6 years ago | (#24079661)

it was possible for participants to read master data records and consumer profiles without bypassing even basic security measures. Access to the comprehensive survey results could be gained by simply changing the customer ID number in the browser's address bar.

The data was not lost, they failed to secure it. There is a difference between the two, although it doesn't make it any less of a problem. But headlines like this are misleading.

Furthermore the 41,000 number is misleading because there is no evidence supporting how many records were viewed using this method.

Try not to miss the point. (1)

freenix (1294222) | more than 6 years ago | (#24079743)

Every person whose private information may have been exposed should be informed. The company screwed up in a way that could cause people who trusted them a big problem. The least the company should do is notify the victims. They should also set aside funds and resources to help anyone who is defrauded as a result. A class action suit might convince companies to do these minimal things.

EU privacy laws are about to take a dive [guardian.co.uk] , so citizens and customers will be shafted more often.

Ultimately, this will cause great harm to all commerce. If enough innocent people get shafted, others will lose confidence.

Moderators: Please note (0)

Anonymous Coward | more than 6 years ago | (#24080521)

Please do not grant moderation points to the person posting under this account. Read this [slashdot.org] before you do.

Re:Not "Lost" (0)

mrbluze (1034940) | more than 6 years ago | (#24079757)

But headlines like this are misleading.

This is slashdot. What's your point?

Furthermore the 41,000 number is misleading

See above. You must be new here ;)

Re:Not "Lost" (4, Interesting)

icepick72 (834363) | more than 6 years ago | (#24079993)

Furthermore the 41,000 number is misleading because there is no evidence supporting how many records were viewed using this method.

Because companies who write code that badly also don't keep web logs.

Re:Not "Lost" (0)

Anonymous Coward | more than 6 years ago | (#24080755)

No, the 41,000 number is not misleading.
The CCC did access and download 41,003 profiles.
Read about it in the German PDF (link at the end of the page).

Re:Not "Lost" (1)

Opportunist (166417) | more than 6 years ago | (#24080777)

Ok. So 41,000 could have been viewed, but only yours was.

Feeling any better now?

Re:Not "Lost" (1)

neumayr (819083) | more than 6 years ago | (#24081491)

In the linked (German) article they explained how they got access to 41000 data sets.
Of course, that's no evidence, but what are they supposed to do? Publish them?

Re:Not "Lost" (0)

Anonymous Coward | more than 6 years ago | (#24083025)

Exactly, they are not lost. I made a backup... (Indeed the 41,000 figure IS accurate ;-))

Horrible article title. Loses --- Exposes (5, Informative)

Noodles (39504) | more than 6 years ago | (#24079677)

German Survey Company _Exposes_ 41,000 Survey Records would convey the real meaning of the article.

Re:Horrible article title. Loses --- Exposes (1)

martin-boundary (547041) | more than 6 years ago | (#24080081)

Or simply:

TNS Infratest/Emnid has lost control of 41,000 private data records.

Re:Horrible article title. Loses --- Exposes (3, Funny)

Tablizer (95088) | more than 6 years ago | (#24080163)

Or simply: TNS Infratest/Emnid has lost control of 41,000 private data records.

Nah, "exposes" creates more vivid mental images.

Re:Horrible article title. Loses --- Exposes (0)

Anonymous Coward | more than 6 years ago | (#24080477)

so does "lost control."

Re:Horrible article title. Loses --- Exposes (1)

Tablizer (95088) | more than 6 years ago | (#24080979)

Naw, more likely to think it's about the White House.

Re:Horrible article title. Loses --- Exposes (1)

Opportunist (166417) | more than 6 years ago | (#24081019)

OMG, data porn!

41,000 records doing it just for you, they have no shame and show you anything. Sign up now!

Given the behaviour of our governments, I'm sure some professional paranoiacs would get an instant boner.

Re:Horrible article title. Loses --- Exposes (1)

shri (17709) | more than 6 years ago | (#24081331)

TNS is a worldwide company. I'd seriously hope that they don't use the same software everywhere in the world.

Re:Horrible article title. Loses --- Exposes (1)

bdraschk (664148) | more than 6 years ago | (#24082239)

While /. headlines are often called inaccurate, this time it's not the fault of the contributor. Both versions (English and German) of the article at ccc.de claim the data was "lost".
The article on heise.de referencing this does not mention any losses.

The Same Problem, Yet Again (0, Redundant)

ThinkComp (514335) | more than 6 years ago | (#24079689)

I've written several white papers [thinkcomputer.com] and op-eds [aarongreenspan.com] about how this problem has affected various companies and government entities. Sadly, it never seems to go away.

You know (2, Funny)

Iamthecheese (1264298) | more than 6 years ago | (#24079713)

that the expensive webmaster you just hired is actually a drunken lemur in disguise when...

Re:You know (2, Interesting)

Opportunist (166417) | more than 6 years ago | (#24080837)

Expensive webmaster?

I'd rather guess they signed up one of those very unemployed and very desperate people that took some distance learning course during the dot.com bubble in hopes of getting the big bucks, something they couldn't at the janitor or bricklayer position they had before.

You'd be amazed how many people consider themselves a "systems administrator" today because they can click together a halfway decent network connection with the XP net wizard, but have not a hint of an idea what security is about, or how to keep people from viewing data they should have no access to. The way this was "hacked" shows it far too well.

I'm doing security audits. You would be amazed how many companies, even companies that actually do have some security conscience due to self interest (read: when their data is on the loose, they lose money because they actually want to sell that data), lack in security. There are servers with public access that are "free for all" (sure, there's login and everything, but failure to login does not keep you out), you have examples like the one here (if you have access to one set of data you have access to all of them if you know how to access them, and choosing a different user ID isn't rocket science), the list goes on.

The problem isn't that companies wouldn't want to have security. The problem is just that few are willing to pay for it. In comes some cheap moron that claims he can, and he spews that in the face of a boss who readily believes that TCP is some sort of three letter agency, so he gets signed up.

This is what's wrong here. I'm the last person asking for some sort of certificate (most of the IT certs you can get today are more the kind of "dump money here, pull cert out there"), but as long as the people hiring security personnel have no idea about security themselves, snakeoil vendors will have an easy life.

CSI my city (1)

ILuvRamen (1026668) | more than 6 years ago | (#24079771)

Okay let's pull some CSI crap and go back in time. I can hear it now! "Naw, just code it in a GET, that's easier. Nobody will ever just type something" (except in German obviously :P)

That's nothing (5, Informative)

Anonymous Coward | more than 6 years ago | (#24079841)

I used to work at a web design agency a few years back. They had a single shopping cart system that they "re-used" (read: copy & pasted then altered to suit the site in question) for dozens of e-commerce sites. After processing an order, it would display the customer's entire details, including credit card information and billing address. Yes, it was vulnerable to this exact flaw. Increment/decrement the order number, and you get to see somebody else's details.

That's not the worst bit. The worst bit is when they "fixed" it. They did so by changing it to a POST request instead of a GET request, meaning the ID number didn't show up in the address bar. It was still just as vulnerable, it's just not as "discoverable" to the clients as it was before.

Posted AC because the company is sue-happy about former employees.
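The flaw the poster describes (and the one in the TNS story) is an authorization bug, not a transport bug: the handler looks a record up by whatever id the client sends and never asks whether the logged-in user is allowed to see it. The following is an added example, not code from the agency or from TNS, written in Python with constructed sample orders; the handler names and the `order` parameter are assumptions. It shows the vulnerable lookup beside the hardened one, and that reading the id from a POST body instead of the query string changes nothing, because both versions read the id from wherever the client put it.

```python
"""Constructed example of an insecure direct object reference and its fix.

Not the web agency's or TNS's code; function names, the ``order`` parameter
and the sample orders are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str          # username of the customer who placed the order
    card_last4: str
    billing_address: str


# Constructed stand-in for the shop's order table (two customers).
ORDERS = {
    1001: Order(1001, "alice", "4242", "1 Example St"),
    1002: Order(1002, "bob", "1111", "2 Sample Ave"),
}


def order_id_from_request(method: str, url: str, body: str = "") -> Optional[int]:
    """Extract the order id from the query string (GET) or the form body (POST).

    Moving the parameter from the address bar into a POST body only changes
    where the server reads it from; the client still chooses the value.
    """
    params = parse_qs(urlsplit(url).query) if method == "GET" else parse_qs(body or "")
    values = params.get("order", [])
    return int(values[0]) if values and values[0].isdigit() else None


def show_order_vulnerable(session_user: str, method: str, url: str,
                          body: str = "") -> Tuple[int, Optional[Order]]:
    """The flaw in the thread: the record is fetched by id alone.

    ``session_user`` is deliberately ignored, which is exactly the bug: any
    logged-in customer who supplies another order's id gets that record.
    """
    order = ORDERS.get(order_id_from_request(method, url, body))
    if order is None:
        return 404, None
    return 200, order


def show_order_fixed(session_user: str, method: str, url: str,
                     body: str = "") -> Tuple[int, Optional[Order]]:
    """Hardened form: the lookup is scoped to the authenticated owner.

    A record that exists but belongs to someone else is answered like a
    missing one (404), so the response does not confirm that the id is valid.
    The check is independent of whether the id arrived via GET or POST.
    """
    order = ORDERS.get(order_id_from_request(method, url, body))
    if order is None or order.owner != session_user:
        return 404, None
    return 200, order


if __name__ == "__main__":
    # alice asks for bob's order by editing the id, once as GET and once as POST.
    for method, url, body in (("GET", "/order?order=1002", ""),
                              ("POST", "/order", "order=1002")):
        print(method, "vulnerable:", show_order_vulnerable("alice", method, url, body)[0],
              "fixed:", show_order_fixed("alice", method, url, body)[0])
```

The point of keeping `order_id_from_request` shared between both handlers is to make the GET-to-POST "fix" visibly irrelevant: the only line that matters is the `order.owner != session_user` comparison, and in a real application that comparison belongs in the data-access layer (query by owner and id together) so that no handler can forget it.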

this is how common it is.. (2, Funny)

swordfishBob (536640) | more than 6 years ago | (#24079915)

It is established that an amazing (unknown)% of survey data is lost or released to unauthorized recipients. We'd tell you the percentage, but we lost the laptop with all records at the airport.

Re:That's nothing (1)

Opportunist (166417) | more than 6 years ago | (#24080971)

You could easily have posted it under your name. This is by far not the only company that has this problem, you could easily claim you were talking about a completely different company and ... hey, why do YOU sue, don't tell me YOU had that problem too! :)

Solution: don't hand out your data (3, Insightful)

nathan.fulton (1160807) | more than 6 years ago | (#24079887)

I'm not going to get into a debate over consumer and business responsibilities, but it seems to me that at a certain point, you just have to be constantly vigilant and aware if you want your data to be secure. This is a perfect example -- you don't have to take surveys. What's the benefit?

Re:Solution: don't hand out your data (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 6 years ago | (#24079955)

Easy enough in this particular case, surveys are largely optional. Absolutely useless in the general case, though. I don't get to opt out of government data collection and storage, opting out of data collection and storage by utilities and financial institutions is possible but for most people only in a theoretical sense.

This is a rather weak special case, I agree; but it points to no general ability to control disclosure of your data to a variety of entities. Thus, the only effective measures to prevent data leaks have to involve the storage end (and, ideally, lots and lots of punishment). Perhaps an online "pictures, names, home addresses, phone numbers, emails, social security numbers, and CVs of people responsible for private data breaches" gallery would be in order?

OMG IE is a haxx0r. (1)

fuzzyfuzzyfungus (1223518) | more than 6 years ago | (#24079909)

Wasn't Germany the country considering, or moving toward, some sort of draconian ban on hacking tools? If so, let's tell them that the URL modification trick only works in IE. Seriously, though, these constant data breaches are getting pathetic. Are we going to have to start shooting suits to get them to shape up?

Re:OMG IE is a haxx0r. (1)

Opportunist (166417) | more than 6 years ago | (#24080997)

Not just considering. They actually did it. Something their paranoid wheelchair didn't consider is that the internet doesn't care about borders, though, so it doesn't apply to me, and I can still provide security services for Germany.

But I think the URL line in browsers is soon to be outlawed.

Not the worst I've seen... (5, Informative)

Anonymous Coward | more than 6 years ago | (#24079939)

We recently left our CC processor (a major company, processing more than 10 billion a year). Their online CC terminal had this exact flaw. You can store customer info (CC, address, name, etc) and get a "customer ID" for that customer. Well... no checks in their system to assure that the "customer" was yours, so you could increment, decrement away and grab CC numbers to your heart's content (more than 25 million CCs in the system). You could even pass a random "customer id" to the billing portion of the system and bill a random person's CC, no checks in that part either.

When we alerted them to this flaw, they cut off our service and disabled all of our accounts and threatened to sue us for "hacking" their system. To this day I don't believe it is fixed.

Heartland payment systems is the company...
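The "increment, decrement away" pattern described in this comment and in the shopping-cart story above leaves a very recognisable trace in the server's access log: one client requesting a run of consecutive record IDs. The following is an added example, not code from any poster in this thread, that flags such clients. It assumes a constructed Apache-style log where the record is selected by a numeric query parameter named "customer_id"; that parameter name and the log lines are constructed for the example, not taken from any of the sites mentioned here.

```python
"""Spot sequential object-ID enumeration in web access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: 10.0.0.5 walks consecutive IDs, 10.0.0.9 does not,
# 10.0.0.7 sends a non-numeric ID that the application rejects.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jul/2008:10:00:01 +0200] "GET /survey/results?customer_id=1041 HTTP/1.1" 200 5120
10.0.0.5 - - [05/Jul/2008:10:00:03 +0200] "GET /survey/results?customer_id=1042 HTTP/1.1" 200 4988
10.0.0.5 - - [05/Jul/2008:10:00:04 +0200] "GET /survey/results?customer_id=1043 HTTP/1.1" 200 5201
10.0.0.5 - - [05/Jul/2008:10:00:06 +0200] "GET /survey/results?customer_id=1044 HTTP/1.1" 200 5077
10.0.0.5 - - [05/Jul/2008:10:00:07 +0200] "GET /survey/results?customer_id=1045 HTTP/1.1" 200 5109
10.0.0.5 - - [05/Jul/2008:10:00:09 +0200] "GET /survey/results?customer_id=1046 HTTP/1.1" 200 5033
10.0.0.9 - - [05/Jul/2008:10:01:00 +0200] "GET /survey/results?customer_id=2033 HTTP/1.1" 200 5110
10.0.0.9 - - [05/Jul/2008:10:05:12 +0200] "GET /survey/results?customer_id=2033 HTTP/1.1" 200 5110
10.0.0.9 - - [05/Jul/2008:10:05:40 +0200] "GET /static/logo.png HTTP/1.1" 200 812
10.0.0.7 - - [05/Jul/2008:10:06:00 +0200] "GET /survey/results?customer_id=abc HTTP/1.1" 400 210
"""

# Common log format: client, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def extract_ids(log_text, param="customer_id"):
    """Map client IP -> list of integer IDs it requested through `param`."""
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the detector
        query = parse_qs(urlsplit(m.group("target")).query)
        for raw in query.get(param, []):
            if raw.isascii() and raw.isdigit():  # ignore junk like "abc"
                ids_by_client[m.group("ip")].append(int(raw))
    return ids_by_client


def longest_consecutive_run(values):
    """Length of the longest run of adjacent integers among the distinct values.
    Sorting first means an ascending and a descending walk score the same."""
    ids = sorted(set(values))
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, param="customer_id", min_distinct=5, min_run=4):
    """Return {ip: (distinct_ids, longest_run)} for clients that look like
    they are walking the ID space. Thresholds are assumptions to tune per site."""
    flagged = {}
    for ip, ids in extract_ids(log_text, param).items():
        distinct = len(set(ids))
        run = longest_consecutive_run(ids)
        if distinct >= min_distinct and run >= min_run:
            flagged[ip] = (distinct, run)
    return flagged


if __name__ == "__main__":
    for ip, (n, run) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct IDs, longest consecutive run {run}")
```

Keying on the client IP is the weakest part of this: a shared proxy will merge many users and a single attacker can spread requests across addresses, so where the application logs a session or account identifier, group on that instead. Legitimate back-office users and search crawlers can also produce runs, which is why the thresholds are parameters and the output is a lead for triage, not an automatic block.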

Really? (0, Troll)

a_claudiu (814111) | more than 6 years ago | (#24080457)

Maybe your story is true, maybe you are an AC from another company. I don't see why you are modded Informative; the moment you are accusing anonymously without proof, you are just a troll.

Re:Really? (2, Interesting)

Anonymous Coward | more than 6 years ago | (#24080641)

I posted anon because HPS is very very very sue happy, and I don't have the personal cash to front a lawsuit. What proof do you want? I will send you anything I can anonymously, but I won't risk a lawsuit from a company with more than a billion bucks in the bank.

We found this bug because our code that interfaced with their system had a small bug (transposed 0 and 1 in an array dereference) and we accidentally billed customers that were not ours through their system, called them about it, they were extremely combative, accused us of hacking, threatened lawsuits and shut down our account.

Re:Really? (1)

a_claudiu (814111) | more than 6 years ago | (#24080803)

I understand your reason for being AC and I even consider the story credible but I don't understand the reason for posting the company name.

If they are so sue happy, what is preventing them from suing /. for giving defamatory information or helping in hacking their system, and asking for the logs of the users?

Re:Really? (2, Insightful)

pclminion (145572) | more than 6 years ago | (#24080817)

If they are so sue happy, what is preventing them from suing /. for giving defamatory information or helping in hacking their system, and asking for the logs of the users?

Let them. That's not the AC's problem, is it?

Re:Really? (1)

badfish99 (826052) | more than 6 years ago | (#24081219)

If he leaves out the company name, it's just an amusing story but achieves nothing.
If he puts in the company name, it might just get seen by their customers, who might then take their business elsewhere, thereby solving the problem.

Re:Really? (1)

ArsenneLupin (766289) | more than 6 years ago | (#24082147)

If they are so sue happy, what is preventing them from suing /. for giving defamatory information or helping in hacking their system, and asking for the logs of the users?

Public exposure. If they'd sue Slashdot, you'd be sure many more people would become aware of their lax security than if some barely read anon comment merely mentions their name.

Remember: reporting about a problem without having very solid proof is shaky legal ground. However, reporting about an ongoing lawsuit, including the subject of said suit, is not dicey, because court documents themselves prove that the suit exists. So basically, by suing Slashdot, they'd give not only Slashdot themselves, but also just about any other news outlet carte blanche to air this dirty laundry...

"Bah" on Stupid Comments within Story Summaries. (3, Funny)

lancejjj (924211) | more than 6 years ago | (#24079953)

"It's not just governments that lose private data.

Golly, I just assumed that government agencies, such as "TJX", "HSBC", and "Radio Shack" lose data.

Really, does the writer really think that Slashdot readers don't read Slashdot? TJX and HSBC certainly aren't part of any government, yet there have been numerous reports about the loss of a ridiculous number of records.

As for Radio Shack - I'm pretty sure that the government is propping them up. Then again, the government seems to be propping up banks too. OK, I stand corrected. Never mind.

Re:"Bah" on Stupid Comments within Story Summaries (3, Funny)

Frosty Piss (770223) | more than 6 years ago | (#24080135)

As for Radio Shack - I'm pretty sure that the government is propping them up...

CIA front. Didn't you know that's where all the terrorists buy their bomb parts? Why do you think they insist on such detailed contact info for a $1.50 purchase?

Re:"Bah" on Stupid Comments within Story Summaries (1)

drinkypoo (153816) | more than 6 years ago | (#24082981)

I suppose they get the other parts at Kragen, they always want my phone number. (I just tell them I'll keep my fucking receipt, unless it's on a lifetime part on a car I plan to keep, then sometimes I knuckle under and give it to them. They print that shit on thermal paper, the whole thing can turn black and then where is your warranty?)

Re:"Bah" on Stupid Comments within Story Summaries (1)

dontPanik (1296779) | more than 6 years ago | (#24083171)

Like anything at Radio Shack costs 1.50. A simple cable always seems to run me like 7.50.

Re:"Bah" on Stupid Comments within Story Summaries (1)

east coast (590680) | more than 6 years ago | (#24080197)

Blind government bashing is so rampant around here that it doesn't even need to be true to get props from a lot of readers.

Re:"Bah" on Stupid Comments within Story Summaries (1)

FilterMapReduce (1296509) | more than 6 years ago | (#24080285)

Blind government bashing is so rampant around here that it doesn't even need to be true to get props from a lot of readers.

That's the government's fault.

Re:"Bah" on Stupid Comments within Story Summaries (1)

Opportunist (166417) | more than 6 years ago | (#24081009)

Well, that works the other way 'round too. Blind government bashing is likely to strike a target simply by there being so many that you're bound to hit one.

Not surprising (0)

Anonymous Coward | more than 6 years ago | (#24079981)

Unfortunately, I've seen things like this before. Agencies of some rather large governments are also prone to this sort of thing.

How many more cases? (5, Informative)

JayTech (935793) | more than 6 years ago | (#24080357)

Last year Global Test Market (www.globaltestmarket.com) had a similar exploit, which I found; I was able to access anyone's account information, including their password, via their ID. I reported it to their IT department; it took them almost a month to fix. Every single one of their clients' data on that site was exposed, and do you think the company notified the clients? Nope. It was as if they could care less. They never even gave me a pat on the back or anything. It's a wonder stuff like this doesn't happen more often, so many companies placing profits ahead of security.

Re:How many more cases? (2, Interesting)

cerberusss (660701) | more than 6 years ago | (#24081141)

Here's a nice test case: google for "customer login" and use the following password:

        ' or 1=1 and password='

I tried and within the first 50 hits I got in.

Re:How many more cases? (0)

Anonymous Coward | more than 6 years ago | (#24081301)

Indeed stupid that they do not at least say thank you and offer you something.

When I was working for an Internet Provider many years ago, a customer noticed that when you logged in on the X2 modems, you only needed a valid login. Logins were very easy to recognise (like user0001). This took USRobotics about a month to fix, as the problem was there, not with our RADIUS.

I asked if they would give the person something, like a month or even a year free access, but nothing came of it, even though we know after investigation this was costing us serious money as many people used this.

I now feel sorry that I told this to the company, as the person wanted only to report it to me, not the company itself.

Posted anonymously, because I can imagine many people would still want to kick me for taking away their free access.

Re:How many more cases? (1)

neumayr (819083) | more than 6 years ago | (#24081543)

Why didn't you publish this?
Of course after giving them time to fix it, but a deadline gets things done faster.
Also, their customers might have liked to know their information should be assumed to have been compromised.

Re:How many more cases? (1)

JayTech (935793) | more than 6 years ago | (#24084765)

Good point, I didn't have an excuse not to reveal this information, which is why I made the previous post. But, I also didn't have a place to do it where people would actually listen; the places I posted to didn't care one iota, so I gave up.

GNAA lawnmower ate my penis bird (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24080361)

Government wants X at company Y, but doesn't want all of the red tape

-data spill-

Jackpot!

P.S. I like to suck cock

So easy to fix (1)

Heembo (916647) | more than 6 years ago | (#24080433)

Here, let me help you with a little pseudocode:

String sUserId = request.getParameter("user_id");
int userId = 0;
try {
        userId = checkInt(userId);
        if (userId < 0) throw exception;
} catch (Exception e) {
        exit();
}
User user = (User)session.getParameter("current_user");
if (user.getId() != userId) {
        exit();
}

Re:So easy to fix (1, Informative)

Anonymous Coward | more than 6 years ago | (#24080513)

String sUserId = request.getParameter("user_id");
int userId = 0;
try {
        userId = checkInt(userId);
        if (userId < 0) throw exception;
} catch (Exception e) {
        exit();
}
User user = (User)session.getParameter("current_user");
if (user.getId() != userId) {
        exit();
}

The first line of your try block just runs a checkInt() on integer 0. Perhaps you mean to be checking sUserId rather than userId? Even once that issue is fixed, I don't see how your code snippet helps anything. For someone trying to help out with a security problem, you don't seem to be proving yourself to be very competent. :p

Re:So easy to fix (1)

Heembo (916647) | more than 6 years ago | (#24081923)

userId = checkInt(userId);

should be

userId = checkInt(sUserId);

This code checks that the userId from the request matches the current authenticated user in session. Thanks for your asshole comment. Have a nice day.

Re:So easy to fix (1)

Tweenk (1274968) | more than 6 years ago | (#24081939)

WTF? They should just use the session parameter to fetch the data, instead of putting this as a parameter. I can see a reason for this only if they use the same page to display info for admins who can view everyone. I have the impression that people are unwilling to trust the session mechanism, while I have built a site which uses it heavily and this allows me to simplify the code a good bit. I suppose the default session mechanism doesn't scale as well as putting everything in the request, but then you can write your own session handlers which use a DBMS of your choice.

Re:So easy to fix (1)

Heembo (916647) | more than 6 years ago | (#24081979)

Good point, I do agree with you that the userId should be taken out of the request and just pulled from session in many cases.

However, the userId might need to be implemented from the request as I have described in case you want to support administrative features where a superuser can access any account. That is why code of this nature is so common.

Re:So easy to fix (1)

Shados (741919) | more than 6 years ago | (#24082055)

Super users being able to access any account can still be done through session or other server side mechanism :) The product we worked on at my previous job worked like that, and it went quite well too :)

Re:So easy to fix (1)

Heembo (916647) | more than 6 years ago | (#24082339)

In order for a superuser to view or take over a specific user account; that superuser will need to select a user to view via some kind of request parameter.

Re:So easy to fix (1)

ultranova (717540) | more than 6 years ago | (#24085065)

However, the userId might need to be implemented from the request as I have described in case you want to support administrative features where a superuser can access any account.

Except that he can't, in your example, because a mismatch between the userId parameter and the user associated with the session causes the whole server to exit. Holy Denial of Service, Batman :)! Perhaps you meant "if (!user.isSuperUser() && !user.user.isId(userId))" ? Or perhaps even "if (!user.canAccessId(userID))" ? The last option pushes access control for users into the User class, where it IMHO belongs, rather than having it duplicated in every servlet.

In any case, it would probably be better to have a separate administrative utility, rather than mixing it with normal user code. That way there's less of a danger that you accidentally expose more functionality than you should to ordinary mortals.

Re:So easy to fix (1)

Heembo (916647) | more than 6 years ago | (#24085293)

> causes the whole server to exit.

Dude, I was writing pseudo-code. Stop being an asshole. The point I was making is that the code to solve an issue of this nature is trivial; I was not trying to make it perfect, hence the term pseudo-code.

However, I agree with you 100% that the administrative utility should be separated from the normal user account, and therefore the standard user page would only need to grab the userid from the session. Your point is well taken.

Also be wary of RBAC calls like user.isSuperUser(). Most productized/enterprise applications really mandate data-layer access control calls like:

user.hasAccess(entity, function);

If you start hard-coding roles into your application and need to change that policy, you will need to change code. But if you make calls like:

user.hasAccess(Organization(2), "editOrg");

you can then change your access control policy without needing to change code.
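The sub-thread above makes four points that are easy to get wrong in the pseudocode: the identity must come from the session, the requested ID must be validated, a superuser should be handled by a data-driven hasAccess(entity, action) lookup rather than a hard-coded role test, and (as the earlier shopping-cart story shows) moving the ID from GET to POST changes nothing. The following is an added example in Python, not code from any poster here, putting those points together in a framework-free request handler. The users, records and grant tuples are constructed for the example; the grant shape (subject, entity kind, entity id or "*", action) is an assumption modelled on the user.hasAccess(Organization(2), "editOrg") call above.

```python
"""Server-side ownership and ACL check for a record selected by a request ID
(added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: int
    name: str


@dataclass(frozen=True)
class SurveyRecord:
    id: int
    owner_id: int      # the participant who filled in this survey
    answers: dict


@dataclass
class Session:
    current_user: Optional[User] = None   # set by the login step only


# Policy as data: (subject user id, entity kind, entity id or "*", action).
# Changing who may see what is then a data change, not a code change.
CONSTRUCTED_GRANTS = frozenset({
    (1, "survey", "*", "view"),   # user 1: support staff, may view every survey
    (3, "survey", 2, "view"),     # user 3: explicitly delegated view of survey 2
})


def has_access(user, record, action, grants):
    """Owner rule first, then explicit (possibly wildcard) grants."""
    if record.owner_id == user.id:
        return True   # assumed policy: owners may act on their own record
    return any(
        subj == user.id and kind == "survey" and ent in (record.id, "*") and act == action
        for subj, kind, ent, act in grants
    )


def parse_id(raw):
    """Accept only a positive ASCII decimal: rejects None, '', '-1', ' 5', '0'
    and non-ASCII digit strings that int() would otherwise happily convert."""
    if raw is None or not (raw.isascii() and raw.isdigit()) or int(raw) <= 0:
        raise ValueError("user_id must be a positive integer")
    return int(raw)


def handle_view_survey(session, params, records, grants=CONSTRUCTED_GRANTS):
    """`params` holds the request parameters however they arrived (query
    string or form body); the check below does not care. Returns (status, body)."""
    user = session.current_user
    if user is None:
        return 401, {"error": "login required"}
    try:
        wanted = parse_id(params.get("user_id"))
    except ValueError as exc:
        return 400, {"error": str(exc)}
    record = records.get(wanted)
    # One response for "no such record" and "not yours": a distinct 403 would
    # confirm to someone walking the ID space which records exist.
    if record is None or not has_access(user, record, "view", grants):
        return 404, {"error": "not found"}
    return 200, record.answers


def handle_view_own_survey(session, records):
    """The common case needs no ID parameter at all: take it from the session."""
    user = session.current_user
    if user is None:
        return 401, {"error": "login required"}
    record = records.get(user.id)
    return (200, record.answers) if record else (404, {"error": "not found"})


# Constructed users and records (record id == participant id here).
ADMIN, ALICE, BOB = User(1, "support"), User(2, "alice"), User(3, "bob")
RECORDS = {
    2: SurveyRecord(2, 2, {"name": "Alice Example", "city": "Example City"}),
    3: SurveyRecord(3, 3, {"name": "Bob Example", "city": "Sample Town"}),
}

if __name__ == "__main__":
    print(handle_view_survey(Session(BOB), {"user_id": "2"}, RECORDS))    # delegated grant
    print(handle_view_survey(Session(ALICE), {"user_id": "3"}, RECORDS))  # not hers
    print(handle_view_survey(Session(ALICE), {"user_id": "-1"}, RECORDS))  # rejected input
```

Note that the only thing taken from the request is the record selector, and it is used purely as a lookup key; the decision about whether that lookup may be answered is made entirely from server-side state (the session's user and the grant table). That is what the original pseudocode was reaching for, and it is also why an attacker's choice of GET or POST, or of any other transport, cannot influence the outcome.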

Re:So easy to fix (1)

ultranova (717540) | more than 6 years ago | (#24086333)

Dude, I was writing pseudo-code. Stop being an asshole. The point I was making is that the code to solve an issue of this nature is trivial; I was not trying to make it perfect, hence the term pseudo-code.

If pointing out your errors insults you, that is unfortunate; but it doesn't make me or anyone else an asshole.

And pseudo-code doesn't mean code that has logical errors, it means a step-by-step presentation of an algorithm that's easily turned into actual code. And your "pseudo-code" bears an uncanny resemblance to Java :).

However, you did certainly demonstrate why things like the article describes happen: trivial problems aren't necessarily so trivial to solve right, especially if the guy trying to solve them thinks they're trivial and not really worth giving much thought to ;).

If you start hard-coding roles into your application and need to change that policy, you will need to change code. But if you make calls like:

Yes, you are right, ACLs are better.

Not the worst I've seen... (1)

clint999 (1277046) | more than 6 years ago | (#24080795)

Or simply: TNS Infratest/Emnid has lost control of 41,000 private data records. Nah, "exposes" creates more vivid mental images.

Must be a fake (0)

Anonymous Coward | more than 6 years ago | (#24080799)

I thought incompetence and negligence was the sole province of government. This article must be a fake or the government must be to blame somehow

Google for "&user=" (1)

giafly (926567) | more than 6 years ago | (#24081689)

To find other sites that make the same beginners' error. Looks like mainly spammers selling blue pills.

Link [google.com]

Strict regulations? what a joke... (0)

Anonymous Coward | more than 6 years ago | (#24081789)

Call for strict regulations? come on, no regulation is going to make people smarter. The mediocre guys who made that web application are going to carry on producing crap.

If they did it on purpose, strict regulations would be a solution. It's just that they are stupid, there's no cure.

A Spokesman From The German Company Said.... (1)

pandrijeczko (588093) | more than 6 years ago | (#24085157)

"Vell, zats survey zese zings happen!"