Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.
The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
I don’t know who these “security experts” are, but judging from the Times’ description of the attack, this non-security expert who’s actually written more than a few web applications calls this a heaping helping of bullshit. The Citi attack looks like a variant on the SQL injection attack, which is a well-known class of vulnerability (here’s a list of commonly-used attacks).
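To show what the Times is describing from the defender’s side, here is an added example (not code from the article, from Citi, or from any real bank): a toy account lookup that trusts the account number in the URL, the same lookup with the ownership check it was missing, and a small log check that flags a session walking through many different account numbers. The account records, session names and log lines are all constructed for the example.

```python
# Added example, not from the article: a minimal account lookup modelled on
# the attack described above, where the account number in the URL was
# trusted as-is. The weak handler is shown beside the hardened one, plus a
# log check that flags sessions requesting many distinct account numbers.
from collections import defaultdict

# Constructed sample data: which account belongs to which logged-in user.
ACCOUNTS = {"1001": {"owner": "alice", "balance": 250.0},
            "1002": {"owner": "bob", "balance": 900.0},
            "1003": {"owner": "carol", "balance": 40.0}}


def lookup_weak(session_user, account_no):
    """Vulnerable: returns whatever account number the URL names."""
    return ACCOUNTS.get(account_no)


def lookup_hardened(session_user, account_no):
    """Fixed: the record must belong to the authenticated session user."""
    record = ACCOUNTS.get(account_no)
    if record is None or record["owner"] != session_user:
        return None  # same answer for missing and foreign accounts
    return record


# Constructed access-log lines: "<session> <request path>".
SAMPLE_LOG = """s1 /account?no=1001
s1 /account?no=1001
s2 /account?no=1002
s2 /account?no=1003
s2 /account?no=1001
s2 /account?no=1004
s3 /account?no=1003"""


def enumerating_sessions(log_text, threshold=3):
    """Sessions that requested at least `threshold` distinct account numbers."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        session, path = line.split(" ", 1)
        if "no=" in path:
            seen[session].add(path.split("no=", 1)[1])
    return sorted(s for s, nos in seen.items() if len(nos) >= threshold)
```

The hardened lookup returns the same empty result for a nonexistent account and for someone else’s account, so the response does not reveal which numbers are valid.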
Citibank is just the latest in a series of web sites where budget cutting or general incompetence has led to massive breaches. Another good, recent example is the wholesale pwnage of various Sony units, some due to Sony’s gross negligence in failing to install updated versions of web server software.
The group that was responsible for one of the Sony hacks, Lulz, has been merrily posting torrents of data they’ve taken from various sites. Their most recent victim is the US Senate. With all due respect to the skills of the Lulz boat (warning: music), their work is made much easier by the general lack of attention to security by the organizations they’re targeting.