Row | WHID ID | Entry Title | Incident Description | Reference | Date Occurred | Attack Method | Application Weakness | Outcome | Attacked Entity Field | Attacked Entity Geography | Mass Attack | Mass Attack Name | Number of Sites Affected | Attack Source Geography | Attacked System Technology | Cost | Items Leaked | Number of Records | Additional Link |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | 1999-1 | WHID 1999-1: eBay downplays security hole | A very early XSS issue at eBay. Interesting historically as it seems that at the time the term XSS was not yet in use. | http://packetstormsecurity.org/9904-exploits/ebayla.txt | 4-Apr-06 | Cross-site Scripting (XSS) | Improper Output Handling | Session Hijacking | Retail | No | |||||||||
3 | 2000-2 | WHID 2000-2: IKEA exposes customer information on catalog site | Error message revealed a database file location, which could be downloaded. | http://news.com.com/2100-1017-245372.html?legacy=cnet | 9/6/2000 | Unintentional Information Disclosure | Insufficient Authentication | Leakage of Information | Retail | No | |||||||||
4 | 2000-3 | WHID 2000-3: Gaffe at Amazon leaves email addresses exposed | E-mail addresses of other customers were displayed by mistake; no hacking was required | http://news.com.com/2100-1017-245387.html?legacy=cnet | 6-Sep-00 | Abuse of Functionality | Application Misconfiguration | Leakage of Information | Retail | USA | No | ||||||||
5 | 2000-4 | WHID 2000-4: Sensitive files left unprotected on Western Union's Web | Sensitive files were left in a publicly accessible directory during a maintenance window | http://news.com.com/2100-1023-245525.html?legacy=cnet | 10-Sep-00 | Unintentional Information Disclosure | Insufficient Authorization | Leakage of Information | Finance | USA | No | ||||||||
6 | 2000-5 | WHID 2000-5: Eve.com exposes customers' order information | View other customers' orders by changing a sequential number within a URL parameter | http://news.com.com/2100-1017-245700.html?legacy=cnet | 9/13/2000 | Credential/Session Prediction | Insufficient Authorization | Leakage of Information | Retail | No | |||||||||
7 | 2000-6 | WHID 2000-6: Inforeading.com defacement using command injection | Executing local commands using URL parameters | http://www.inforeading.com/library/infoarticles/InfoReading/logs/deface/02.txt | 15-Dec-00 | OS Commanding | Improper Input Handling | Defacement | Entertainment | No | |||||||||
8 | 2001-1 | WHID 2001-1: Travelocity exposes customer information | Sensitive files were left in a publicly accessible directory of a new web server install | http://news.com.com/2100-1017-251344.html?legacy=cnet | 1/22/2001 | Predictable Resource Location | Insufficient Authorization | Disclosure Only | Hospitality | No | |||||||||
9 | 2001-2 | WHID 2001-2: Computer E-Retailer Exposes Credit Card Numbers | View other orders by changing a sequential parameter number. Security was provided by client-side JavaScript | http://www.extremetech.com/article2/0,3973,103782,00.asp | 6/18/2001 | Predictable Resource Location | Insufficient Authorization | Disclosure Only | Retail | No | |||||||||
10 | 2001-3 | WHID 2001-3: Persistent XSS in Hotmail | Persistent XSS HTML Injection inside an HTML email message to hotmail | http://www.usatoday.com/tech/news/2001-08-31-hotmail-security.htm | 8/31/2001 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Service Providers | No | |||||||||
11 | 2001-4 | WHID 2001-4: Hacked Web site damaged PCs in Japan | Users who visited the Price Lotto site using Microsoft's IE (Internet Explorer) 4.x and 5.x automatically downloaded malicious JavaScript that was programmed to alter the software configuration of their PCs. | http://www.computerworld.com.au/article/52716/hacked_web_site_damaged_pcs_japan/ | 8/22/2001 | Cross-site Scripting (XSS) | Improper Output Handling | Planting of Malware | Retail | No | |||||||||
12 | 2001-5 | WHID 2001-5: Privacy hole found in Verizon Wireless Web site | The privacy hole affected users who logged on to the Verizon Wireless Web site and used the My Account feature to view or change their cell phone billing and account information. The Web site address for the feature assigns session identifications sequentially as each user logs in, which allows for forceful browsing. | http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,63587,00.html | 6-Sep-01 | Credential/Session Prediction | Insufficient Authorization | Disclosure Only | Service Providers | No | |||||||||
13 | 2001-6 | WHID 2001-6: XSS at Microsoft Passport | http://www.pcworld.com/news/article/0,aid,69543,00.asp | 11/5/2001 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Service Providers | No | ||||||||||
14 | 2002-1 | WHID 2002-1: Flawed authentication at BN.com exposes personal information | <p>Opening an account with a discontinued e-mail address exposes all the information of the discontinued account </p><p>Additional information:</p> <ul> <li><a href="http://wired-vig.wired.com/news/ebiz/0,1272,53942,00.html">BN.com: The Hole Story</a> [Wired, Jul 19 2002]</li> <li><a href="http://www.marktaw.com/technology/HackingBarnesAndNoble.com.html">BarnesAndNoble.com Security Flaw</a> [Personal Web Page, Jul 9 2002]</li> <li><a href="http://itmanagement.earthweb.com/secu/article.php/3347761">Barnes & Noble.com Fined for Customer Data Leak</a> [Datamation, Apr 30 2004]</li> </ul> | 7/19/2002 | Predictable Resource Location | Insufficient Password Recovery | Leakage of Information | Retail | No | ||||||||||
15 | 2002-2 | WHID 2002-2: Advogato XSS virus account | <p>Additional information:</p> <ul> <li><a href="http://www.bindshell.net/papers/xssv/advogato/">Advogato xss virus account</a> [Bindshell, Sep 21 2002]</li> </ul> | 11-Jul-05 | Cross-site Request Forgery (CSRF) | Improper Output Handling | Worm | Technology | No | ||||||||||
16 | 2002-3 | WHID 2002-3: Reuters accused of hacking | <p>A company put its earnings report on its site before the official release, but did not link to it. Reuters found the document and published it. </p><p>Additional information:</p> <ul> <li><a href="http://news.com.com/2100-1023-963658.html">Reuters accused of hacking</a> [Cnet, Nov 29 2002]</li> </ul> | 11/26/2002 | Unintentional Information Disclosure | Insufficient Authorization | Leakage of Information | Technology | No | ||||||||||
17 | 2002-4 | WHID 2002-4: Tower Records settles charges over hack attacks | <p>View other customers' orders by changing a guessable number within a URL parameter </p><p>Additional information:</p> <ul> <li><a href="http://www.securityfocus.com/news/8508">Tower Records settles charges over hack attacks</a> [Security Focus, Apr 21 2004]</li> <li><a href="http://news.com.com/2100-1017-976271.html">Tower Records site exposes data</a> [CNet, Dec 5 2002]</li> </ul> | 4/21/2004 | Predictable Resource Location | Insufficient Authorization | Leakage of Information | Retail | No | ||||||||||
18 | 2003-1 | WHID 2003-1: FTD.com hole leaks personal information | <p>View other customers information by modifying a cookie </p><p>Additional information:</p> <ul> <li><a href="http://news.com.com/2100-1017-984585.html">FTD.com hole leaks personal information</a> [CNet, Feb 13 2003]</li> </ul> | 2/13/2003 | Credential/Session Prediction | Insufficient Authentication | Leakage of Information | Retail | No | ||||||||||
19 | 2003-2 | WHID 2003-2: UT Austin hack yields personal info on thousands | <p>While an old incident, further research into it suggests that it was a web hack. While the initial reports talk about a database break-in, a report in The Register identifies the database as txClass, which is a web-based system.<br />55,200 social security numbers were stolen, though the hacker claimed that he did not perform the act for profit. He was caught and sentenced to 5 years probation. </p><p>Additional information:</p> <ul> <li><a href="https://www.utexas.edu/datatheft/">Data Theft Incident Response</a> [UofT, Sep 7 2005]</li> <li><a href="http://www.theregister.co.uk/2003/03/18/student_owns_up_to_texas/">Student owns up to Texas Uni cyber-heist</a> [The Register, Mar 18 2003]</li> <li><a href="http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79102,00.html">UT Austin hack yields personal info on thousands</a> [Computer World, Mar 6 2003]</li> <li><a href="http://www.securityfocus.com/news/2935">Hackers steal names, Social Security numbers from University of Texas database</a> [Security Focus, Mar 6 2006]</li> </ul> | 4-Apr-06 | Brute Force | Insufficient Anti-automation | Leakage of Information | Education | No | ||||||||||
20 | 2003-3 | WHID 2003-3: User passwords could be stolen in Microsoft's Passport service | <p>Additional information:</p> <ul> <li><a href="http://news.zdnet.co.uk/business/0,39020645,2134469,00.htm">Microsoft faces huge fine over security</a> [Zdnet, May 9 2003]</li> <li><a href="http://www.atnewyork.com/news/article.php/2203651">Microsoft Patches .NET Passport Hole</a> [AnyNetwork, May 8 2003]</li> </ul> | 5/9/2003 | Predictable Resource Location | Insufficient Password Recovery | Disclosure Only | Service Providers | No | ||||||||||
21 | 2003-4 | WHID 2003-4: SQL injection on Guess site triggers an FTC inquiry | <p>Additional information:</p> <ul> <li><a href="http://www.ftc.gov/opa/2003/06/guess.htm">Guess Settles FTC Security Charges</a> [FTC Web Site, Jun 18 2003]</li> </ul> | 6/18/2003 | SQL Injection | Improper Input Handling | Disclosure Only | Retail | No | ||||||||||
22 | 2003-5 | WHID 2003-5: Car shoppers' credit details exposed in bulk | <p>User-submitted information was being stored in a publicly available location. The URL was found in the source code of a publicly available web page. </p><p>Additional information:</p> <ul> <li><a href="http://www.securityfocus.com/news/7067">Car shoppers' credit details exposed in bulk</a> [Security Focus, Sep 25 2003]</li> </ul> | 9/25/2003 | Predictable Resource Location | Insufficient Authorization | Leakage of Information | Automotive | No | ||||||||||
23 | 2003-6 | WHID 2003-6: Mississippi man blackmails Best Buy | <p>A person was convicted of blackmailing Best Buy. He threatened to expose a breach in the company's web site if not paid $2.5 million. </p><p>Additional information:</p> <ul> <li><a href="http://news.zdnet.com/2100-1009_22-5136932.html?tag=nl">Mississippi man denies Best Buy blackmail</a> [ZDnet, Jan 7 2004]</li> <li><a href="http://news.zdnet.com/2100-1009_22-5980008.html">Police blotter: Best Buy 'hacker' loses in court</a> [Zdnet, Dec 2 2005]</li> <li><a href="http://caselaw.lp.findlaw.com/data2/circs/8th/051655p.pdf">Appeals Court's Opinion</a> [, Nov 22 2005]</li> </ul> | 26-Feb-06 | Unknown | Unknown | Extortion | Retail | No | ||||||||||
24 | 2003-7 | WHID 2003-7: Victoria's Secret reveals far too much | <p>View other customers' orders by changing a sequential number within a URL parameter </p><p>Additional information:</p> <ul> <li><a href="http://www.cbsnews.com/stories/2003/10/22/tech/main579547.shtml">Victoria's Secret Reveals Too Much</a> [CBS News, Oct 22 2003]</li> <li><a href="http://cooltech.iafrica.com/technews/280300.htm">Victoria's Secret reveals far too much</a> [iAfrica, Oct 24 2003]</li> </ul> | 10/22/2003 | Predictable Resource Location | Insufficient Authorization | Disclosure Only | Retail | No | ||||||||||
25 | 2003-8 | WHID 2003-8: SQL Injection in PetCo.com leads to FTC investigation | <p>Additional information:</p> <ul> <li><a href="http://www.infoworld.com/article/04/11/17/HNpetco_1.html">Petco settles charge it left customer data exposed</a> [InfoWorld, Nov 17 2004]</li> <li><a href="http://www.securityfocus.com/news/9957">Petco settles with FTC over cyber security gaffe</a> [Security Focus, Nov 17 2004]</li> <li><a href="http://www.securityfocus.com/news/7581">FTC investigates PetCo.com security hole</a> [Security Focus, Dec 5 2003]</li> </ul> | 11/17/2004 | SQL Injection | Improper Input Handling | Disclosure Only | Retail | No | ||||||||||
26 | 2003-9 | WHID 2003-9: Defenses lacking at social network sites | <p>Additional information:</p> <ul> <li><a href="http://www.securityfocus.com/news/7739">Defenses lacking at social network sites</a> [Security Focus, Dec 31 2003]</li> </ul> | 12/31/2003 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Web 2.0 | No | ||||||||||
27 | 2004-1 | WHID 2004-1: Biggest Web Problem Isn't About Privacy, It's Sloppy Security - OpenTable | <p>Additional information:</p> <ul> <li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes1.txt">Biggest Web Problem Isn't About Privacy, It's Sloppy Security</a> [Wallstreet Journal (Archive Copy), Jan 26 2004]</li> </ul> | 4-Aug-05 | Credential/Session Prediction | Insufficient Authentication | Leakage of Information | Hospitality | No | ||||||||||
28 | 2004-10 | WHID 2004-10: SQL Injection and XSS on presidential campaign web sites | On Sunday, security analyst Richard Smith did a quick check of the Bush and Kerry campaign sites and found several security problems on each, all of which are common on many other websites. | http://www.wired.com/techbiz/it/news/2004/06/64036 | 6/30/2004 | SQL Injection | Improper Input Handling | Disclosure Only | Politics | No | |||||||||
29 | 2004-11 | WHID 2004-11: Phishers Manipulate SunTrust Site to Steal Data | <p>Phishing based on XSS </p><p>Additional information:</p> <ul> <li><a href="http://news.netcraft.com/archives/2004/09/28/phishers_manipulate_suntrust_site_to_steal_data.html">Phishers Manipulate SunTrust Site to Steal Data</a> [NetCraft, Sep 28 2004]</li> </ul> | 9/28/2004 | Cross-site Scripting (XSS) | Improper Output Handling | Phishing | Finance | USA | No | |||||||||
30 | 2004-12 | WHID 2004-12: XSS in Gmail | <p>An XSS was found in G-Mail </p><p>Additional information:</p> <ul> <li><a href="http://www.theregister.co.uk/2004/10/29/gmail_vuln/">Gmail accounts 'wide open to exploit' - report</a> [The Register, Oct 29 2004]</li> <li><a href="http://net.nana.co.il/Article/?ArticleID=155025&sid=10">NetLife Exclusive: Security hole found in Gmail</a> [Nana NetLife, Oct 27 2004]</li> </ul> | 11-Jul-05 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Hosting Providers | No | ||||||||||
31 | 2004-13 | WHID 2004-13: SunTrust site XSS vulnerability exploited for phishing | <p>Phishing based on XSS (same vulnerability but a different attack than the similar September 2004 attack) </p><p>Additional information:</p> <ul> <li><a href="http://www.fool.com/News/mft/2004/mft04120810.htm">Do Online Banks Facilitate Fraud?</a> [The Motley Fool, Dec 8 2004]</li> <li><a href="http://news.netcraft.com/archives/2004/12/06/suntrust_site_exploited_by_fraudsters.html">SunTrust site exploited by fraudsters</a> [NetCraft, Dec 6 2004]</li> </ul> | 8-Nov-05 | Cross-site Scripting (XSS) | Improper Output Handling | Phishing | Finance | No | ||||||||||
32 | 2004-14 | WHID 2004-14: Santy worm defaces websites using PHP bug | <p>Worm used Google to locate sites vulnerable to OS</p> <p>Additional information:</p> <ul> <li><a href="http://news.bbc.co.uk/1/hi/technology/4117711.stm">Santy worm makes unwelcome visit</a> [BBC, Dec 22 2004]</li> <li><a href="http://isc.sans.org/diary.php?date=2004-12-21">Santy worm defaces websites using php bug</a> [Sans Storm Center, Dec 21 2004]</li> </ul> | 22-Dec-04 | OS Commanding | Improper Input Handling | Worm | Multiple | No | Various | phpBB | ||||||||
33 | 2004-15 | WHID 2004-15: New Variant of Santy Worm Spreads | <p>phpBB worm</p> <p>Additional information:</p> <ul> <li><a href="http://www.frsirt.com/exploits/20041225.PhpIncludeWorm.php">PHP Scripts Automated Arbitrary File Inclusion</a> [Vulnerability Publisher's Site, Dec 25 2004]</li> <li><a href="http://www.pcworld.com/news/article/0,aid,119051,pg,1,RSS,RSS,00.asp">New Variant of Santy Worm Spreads</a> [PC World, Dec 27 2004]</li> <li><a href="http://www.computerworld.com/securitytopics/security/holes/story/0,10801,98553,00.html">Santy.E worm poses threat to sites badly coded in PHP </a> [Computer World, Dec 27 2004]</li> </ul> | 25-Dec-04 | OS Commanding | Improper Input Handling | Worm | Multiple | No | phpBB | |||||||||
34 | 2004-16 | WHID 2004-16: Lycos Free Email XSS | <p>An XSS was found in Lycos Web Mail </p><p>Additional information:</p> <ul> <li><a href="http://www.securiteam.com/securitynews/6A00N20C1C.html">Lycos Free Email Cross-Site Scripting Vulnerability</a> [SecuriTeam, Dec 27 2004]</li> </ul> | 11-Jul-05 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Hosting Providers | No | ||||||||||
35 | 2004-17 | WHID 2004-17: The CardSystems breach was an SQL Injection hack (Updated) | <p><em><strong>Update (May 27th 2009)</strong></em> - The CardSystems incident is refusing to die. Merrick Bank is now <a href="http://www.courthousenews.com/2009/05/26/Merrick.pdf">suing Savvis</a> for certifying CardSystems as CISP compliant while its systems were wide open. CISP is a VISA program for certifying credit card processing systems which existed prior to PCI DSS.</p> <p>The actual damage to an organization from an attack is rarely disclosed, and coverage focuses on the number of records stolen. In the court documents Merrick reveals that its own damage from the CardSystems incident was $16,000,000! The money was paid to card holders to compensate for losses and for legal fees and fines.</p> <p>The case is also interesting as it puts to the test the liability of the certifying entity (in this case Savvis) resulting from its assessment. The results may have a profound influence on the PCI QSA market and therefore on PCI itself. David Navetta posts an <a href="http://infoseccompliance.com/2009/06/03/merrick-bank-v-savvis-analysis-of-the-merrick-bank-complaint/">excellent legal analysis</a> of the potential implications of the lawsuit.</p> <hr /> <p>This entry is a very important one. Most are already familiar with the infamous CardSystems incident where hackers stole 263,000 credit card numbers, exposed 40 million more, and several million dollars of fraudulent credit and debit card purchases were made with these counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever, and it caused company shareholders, financial institutions and card holders damage of millions of dollars.</p> <p>But since the publication of the incident a year ago, the way in which the breach occurred remained a mystery.</p> <p>Recently new articles about the case (listed below) revealed that SQL injection was used by the attackers to install a malicious script on the CardSystems web application database, which was scheduled to run every four days, extract records, zip them and export them to an FTP site.</p> <p>This is one of the most stunning examples where a web application security hole was used to launch a targeted attack in order to steal money.</p> <p>Additional information:</p> <ul> <li><a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1180411,00.html">Cleaning up after a hack job: CardSystems' Christensen</a> [Information Security (mirror), Apr 14 2006]</li> <li><a href="http://www.ftc.gov/os/caselist/0523148/0523148complaint.pdf">FTC complaint In the Matter of CardSystems Solutions</a> [FTC, ]</li> <li><a href="http://wiki.midrange.com/index.php/CardSystems">Midrange CardSystems Wiki</a> [Midrange, ]</li> <li><a href="http://www.webappsec.org/lists/websecurity/archive/2006-04/msg00051.html">CardSystems was a Web Application Hack</a> [Cesar Cerrudo, <a href="http://www.argeniss.com">Argeniss</a>, Apr 18 2006]</li> <li><a href="http://www.schneier.com/blog/archives/2005/06/cardsystems_exp.html">CardSystems Exposes 40 Million Identities</a> [Bruce Schneier, Jun 23 2005]</li> </ul> | 20-Apr-06 | SQL Injection | Improper Input Handling | Credit Card Leakage | Finance | No | Credit Card Number | 40,000,000 | ||||||||
36 | 2004-18 | WHID 2004-18: Security flaw exposed in Cahoot bank accounts | <p>Following a software upgrade, Cahoot, a UK based Internet-only bank, allowed accessing user accounts by guessing their user names. At least one page allowed accessing an account by only specifying the user name in the URL. The bug was open for 12 days before being discovered. </p><p><br />The site was taken offline for 10 hours to fix the issue. It is a significant incident, as it is one of those rare occasions where a vulnerability was serious enough to force the organization to take the site offline until it was fixed. </p><p><br />We somehow missed this story, so it finds its way into WHID only now, in late 2007. </p><p>Additional information:</p> <ul> <li><a href="http://software.silicon.com/security/0,39024655,39125639,00.htm">Security flaw exposed in Cahoot bank accounts</a> [Silicon.com, Oct 5 2004]</li> <li><a href="http://software.silicon.com/security/0,39024655,39125665,00.htm">Leader: Not another security scare</a> [Silicon.com, Oct 5 2004]</li> <li><a href="http://news.bbc.co.uk/2/hi/business/3984845.stm">Cahoot hit by web security scare</a> [BBC, Oct 5 2004]</li> </ul> | 25-Oct-07 | Predictable Resource Location | Insufficient Authentication | Disclosure Only | Finance | No | ||||||||||
37 | 2004-2 | WHID 2004-2: Biggest Web Problem Isn't About Privacy, It's Sloppy Security - Saks | <p>Additional information:</p> <ul> <li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes1.txt">Biggest Web Problem Isn't About Privacy, It's Sloppy Security</a> [Wallstreet Journal (Archive Copy), Jan 26 2004]</li> </ul> | http://www.cs.umass.edu/~kevinfu/news/wsj-gomes1.txt | 4-Aug-05 | Predictable Resource Location | Insufficient Authorization | Leakage of Information | Retail | No | |||||||||
38 | 2004-3 | WHID 2004-3: More Scary Tales Involving Big Holes In Web-Site Security - Iomega | <p>Additional information:</p> <ul> <li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web</a> [Wallstreet Journal (Archive Copy), Feb 2 2004]</li> </ul> | 4-Aug-05 | Predictable Resource Location | Insufficient Authorization | Leakage of Information | Retail | No | ||||||||||
39 | 2004-4 | WHID 2004-4: More Scary Tales Involving Big Holes In Web-Site Security - Kohl's | <p>Additional information:</p> <ul> <li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web-Site Security</a> [Wallstreet Journal (Archive Copy), Feb 2 2004]</li> </ul> | 4-Aug-05 | Predictable Resource Location | Insufficient Authorization | Leakage of Information | Retail | No | ||||||||||
40 | 2004-5 | WHID 2004-5: More Scary Tales Involving Big Holes In Web-Site Security - Gateway | <p>Additional information:</p> <ul> <li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web-Site Security</a> [Wallstreet Journal (Archive Copy), Feb 2 2004]</li> </ul> | 4-Aug-05 | Credential/Session Prediction | Insufficient Authentication | Leakage of Information | Technology | No | ||||||||||
41 | 2004-6 | WHID 2004-6: More Scary Tales Involving Big Holes In Web-Site Security - Tiffany | <p>Additional information:</p> <ul> <li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web-Site Security</a> [Wallstreet Journal (Archive Copy), Feb 2 2004]</li> </ul> | http://www.cs.umass.edu/~kevinfu/news/wsj-gomes2.txt | 4-Aug-05 | SQL Injection | Improper Input Handling | Leakage of Information | Retail | No | |||||||||
42 | 2004-7 | WHID 2004-7: More Scary Tales Involving Big Holes In Web-Site Security - University Sub Service | <p>Additional information:</p> <ul> <li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web-Site Security</a> [Wallstreet Journal (Archive Copy), Feb 2 2004]</li> </ul> | http://www.cs.umass.edu/~kevinfu/news/wsj-gomes2.txt | 4-Aug-05 | Predictable Resource Location | Insufficient Authorization | Leakage of Information | Education | No | |||||||||
43 | 2004-8 | WHID 2004-8: Broadcast TV announcements changed by hacking the station's web site | <p>Previously moderated weather announcements could be changed by the user </p><p>Additional information:</p> <ul> <li><a href="http://www.securityfocus.com/news/8191">Pranksters bedevil TV weather announcement system</a> [Security Focus, Mar 4 2004]</li> </ul> | 3/4/2004 | Abuse of Functionality | Insufficient Process Validation | Disinformation | Media | No | ||||||||||
44 | 2004-9 | WHID 2004-9: Billing and personal information leakage due to lack of authentication on a phone company web site | <p>A billing information system required only phone number and zip code to pull up account details </p><p>Additional information:</p> <ul> <li><a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci969836,00.html">A security tale: From vulnerability discovery to disaster</a> [Search Security, Jun 14 2004]</li> </ul> | 6/14/2004 | Predictable Resource Location | Insufficient Authentication | Leakage of Information | Service Providers | No | ||||||||||
45 | 2005-1 | WHID 2005-1: Gmail Bug Exposes E-mail messages of other users | <p>Parameter tampering enabled exposing sensitive information in G-Mail </p><p>Additional information:</p> <ul> <li><a href="http://www.betanews.com/article/Gmail_Bug_Exposes_Emails_to_Hackers/1105561408">Gmail Bug Exposes E-mails to Hackers</a> [Beta News, Jan 12 2005]</li> <li><a href="http://it.slashdot.org/article.pl?sid=05/01/12/1655246&tid=172&tid=215&tid=217&tid=218">Gmail Messages Are Vulnerable To Interception</a> [Slash.Dot, Jan 12 2005]</li> </ul> | 11-Jul-05 | Predictable Resource Location | Improper Input Handling | Disclosure Only | Hosting Providers | No | ||||||||||
46 | 2005-10 | WHID 2005-10: Indian SATs results leaking | <p>Additional information:</p> <ul> <li><a href="http://blogs.law.harvard.edu/philg/comments?u=philg&p=7726&link=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2F2005%2F03%2F08%23a7726#a7777">Indian SATs results leaking</a> [Blog talkback, Mar 10 2005]</li> </ul> | 8-Nov-05 | Unintentional Information Disclosure | Insufficient Authentication | Disclosure Only | Education | No | ||||||||||
47 | 2005-11 | WHID 2005-11: Samy XSS Worm Hits MySpace | <p>The Samy worm at MySpace is now a classic, both a sophisticated attack and a well-documented one; it became a case study in the web application security field. Recently Robert Hansen (RSnake) wrote a very interesting blog entry about Samy and what happened to him since.</p> <p>Additional information:</p> <ul> <li><a href="http://ha.ckers.org/blog/20070310/my-lunch-with-samy/">My Lunch With Samy</a> [ha.ckers, Mar 10 2007]</li> <li><a href="http://fast.info/myspace/">MySpace XSS worm writer notes</a> [bindshell, Apr 10 2005]</li> <li><a href="http://www.bindshell.net/papers/xssv/myspace/code/">MySpace XSS worm source</a> [bindshell, Apr 10 2005]</li> <li><a href="http://namb.la/popular/tech.html">MySpace XSS virus development</a> [bindshell, Apr 10 2005]</li> <li><a href="http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391">Cross-Site Scripting Worm Hits MySpace</a> [Beta News, Apr 10 2005]</li> </ul> | 8-Nov-05 | Cross-site Scripting (XSS) | Improper Output Handling | Worm | Web 2.0 | No | ||||||||||
48 | 2005-12 | WHID 2005-12: Insufficient authentication on Arbela mutual insurance allowed access to private data | <p>Extranet system accessible to the public </p><p>Additional information:</p> <ul> <li><a href="http://www.boston.com/business/technology/articles/2005/05/05/insurers_website_error_reveals_data_on_drivers/?rss_id=Boston+Globe+">Insurer's website breach reveals data on drivers</a> [The Boston Globe, May 5 2005]</li> </ul> | 5/5/2005 | Unintentional Information Disclosure | Insufficient Authentication | Disclosure Only | Retail | No | ||||||||||
49 | 2005-13 | WHID 2005-13: Hacker attacked weak point on Kakaku.com's Web Site | <p>Additional information:</p> <ul> <li><a href="http://seclists.org/lists/isn/2005/May/0041.html">Web sites get costly lesson in security</a> [Asahi (Japan), May 18 2005]</li> <li><a href="http://www.cdrinfo.com/forum/tm.asp?m=110616&mpage=1𛀘">Hacker attacked weak point on Kakaku.com's Web Site</a> [Asahi (Japan), May 25 2005]</li> </ul> | 5/25/2005 | SQL Injection | Improper Input Handling | Downtime | Retail | No | ||||||||||
50 | 2005-14 | WHID 2005-14: XSS on Microsoft Xbox site allowed phishing | <p>Additional information:</p> <ul> <li><a href="http://news.com.com/Microsoft+plugs+phishing+hole+in+Xbox+site/2100-1029_3-5720241.html?tag=nl">Microsoft plugs phishing hole in Xbox site</a> [news.com, May 25 2005]</li> </ul> | 8-Nov-05 | Cross-site Scripting (XSS) | Improper Output Handling | Phishing | Entertainment | No | ||||||||||
51 | 2005-15 | WHID 2005-15: Unprotected information on the University of Chicago web site | <p>Files containing sensitive information left unprotected on the web server </p><p>Additional information:</p> <ul> <li><a href="http://incidentresponse.uchicago.edu/">University of Chicago</a> [Victim's Site, May 30 2005]</li> <li><a href="http://maroon.uchicago.edu/news/articles/2005/05/27/private_records_disc.php">Private records discovered on server</a> [Chicago Maroon, May 27 2005]</li> </ul> | 5/30/2005 | Unintentional Information Disclosure | Insufficient Authentication | Leakage of Information | Education | No | ||||||||||
52 | 2005-16 | WHID 2005-16: MSN site hacked in South Korea | <p>The web site was modified to include password stealing code </p><p>Additional information:</p> <ul> <li><a href="http://www.usatoday.com/tech/news/2005-06-02-hacked_x.htm">Microsoft admits MSN site hacked in South Korea</a> [USA Today, Jun 2 2005]</li> <li><a href="http://abcnews.go.com/Technology/wireStory?id=817338">MSN Site Hacking Went Undetected for Days</a> [ABC News, Jun 3 2005]</li> </ul> | 6/2/2005 | Unknown | Unknown | Session Hijacking | Search Engines | No | ||||||||||
53 | 2005-17 | WHID 2005-17: Leakage of information due to XSS in Hotmail | <p>Additional information:</p> <ul> <li><a href="http://www.vnunet.com/vnunet/news/2137707/hotmail-hack-fixed">Microsoft fixes Hotmail hack</a> [VUnet, Jun 9 2005]</li> <li><a href="http://www.theregister.co.uk/2005/06/08/hotmail_hack/">Hotmail users exposed to cookie snaffling exploit</a> [The Register, Jun 8 2005]</li> <li><a href="http://www.pcmag.com/article2/0,1759,1825250,00.asp">MSN Site Flaw Exposes Hotmail Accounts to Prying Eyes</a> [PC Magazine, Jun 7 2005]</li> <li><a href="http://news.com.com/MSN+flaw+put+Hotmail+accounts+at+risk/2100-1002_3-5734448.html?part=rss&tag=5734448&subj=news">MSN flaw put Hotmail accounts at risk</a> [CNet, Jun 6 2005]</li> <li><a href="http://www.net-force.nl/files/articles/hotmail_xss/">Hacking hotmail, by Alex de Vries</a> [Personal Web Page, Jun 4 2005]</li> </ul> | 6/9/2005 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Hosting Providers | No | ||||||||||
54 | 2005-18 | WHID 2005-18: Hacker hits Duke system | <p>Additional information:</p> <ul> <li><a href="http://seclists.org/lists/isn/2005/Jun/0005.html">Hacker hits Duke system</a> [The News Observer, Jun 5 2005]</li> </ul> | 6/27/2005 | Unknown | Unknown | Leakage of Information | Education | No | ||||||||||
55 | 2005-19 | WHID 2005-19: Privacy Fears due to insufficient authentication on CVS drugstore chain web site | <p>Additional information:</p> <ul> <li><a href="http://www.computerworld.com/securitytopics/security/story/0,10801,102773,00.html">Privacy Fears Prompt CVS To Turn Off Online Service </a> [Computer World, Jun 27 2005]</li> </ul> | 6/7/2005 | Credential/Session Prediction | Insufficient Authorization | Disclosure Only | Retail | No | ||||||||||
56 | 2005-2 | WHID 2005-2: Froogle XSS | An XSS vulnerability was found in Froogle. Additional information: [Google plugs brace of GMail security flaws](http://www.theregister.co.uk/2005/01/17/google_security_bugs/) (The Register, Jan 14 2005); [Google Plugs Cookie-Theft Data Leak](http://www.eweek.com/article2/0,1759,1751689,00.asp) (eWeek, Jan 14 2005); [Froogle XSS](http://packetstormsecurity.nl/0501-exploits/froogleCookie.txt) (Packet Storm) | | 11-Jul-05 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Search Engines | | No | ||||||||
57 | 2005-20 | WHID 2005-20: Security gaps found in EPA contracting system | An audit of a major Environmental Protection Agency contract management system uncovered significant security lapses that, if exploited by hackers, could have serious consequences for the agency's operations, assets and personnel. The audit focused on the lack of monitoring for known vulnerabilities on these systems. Additional information: [Security gaps found in EPA contracting system](http://www.govexec.com/dailyfed/0206/020306p1.htm) (GovExec, Feb 3 2006); [Information Security Series: Security Practices - Integrated Contract Management System](http://www.epa.gov/oig/reports/2006/20060131-2006-P-00010.pdf) (EPA, Jan 31 2006) | | 26-Feb-06 | Known Vulnerability | Application Misconfiguration | Disclosure Only | Government | | No | ||||||||
58 | 2005-21 | WHID 2005-21: Insufficient authentication on USC admissions site allowed access to applicants' data | A person who discovered an SQL injection vulnerability in a USC system and informed SecurityFocus about the flaw was criminally charged with breaking into the system. | | 4/20/2006 | SQL Injection | Improper Input Handling | Disclosure Only | Education | | No | ||||||||
59 | 2005-22 | WHID 2005-22: MS UK defaced in hacking attack | Microsoft UK site defaced due to server misconfiguration. Additional information: [MS UK defaced in hacking attack](http://www.theregister.co.uk/2005/07/06/msuk_hacked/) (The Register, Jul 6 2005); [MS UK Zone-H defacements archive](http://www.zone-h.org/index2.php?option=com_mirrorwrp&Itemid=43&id=2531794) (Zone-H, Jul 6 2005) | | 11-Jul-05 | Misconfiguration | Application Misconfiguration | Defacement | Technology | | No | ||||||||
60 | 2005-23 | WHID 2005-23: Chinese hacker held in Web data theft | The hacker who penetrated Kakaku.com was arrested after breaking into Club Tourism International Inc. The hacking was done in order to earn money to pay for tuition. Additional information: [Chinese hacker held in Web data theft](http://www.contentguarder.com/news/web-content-news-0009.htm) (Asahi Shimbun, Jul 7 2005) | http://www.contentguarder.com/news/web-content-news-0009.htm | 11-Jul-05 | SQL Injection | Improper Input Handling | Leakage of Information | Hospitality | | No | ||||||||
61 | 2005-24 | WHID 2005-24: Firefox marketing site hacked | Additional information: [Firefox marketing site hacked](http://news.zdnet.com/2100-1009_22-5790030.html) (ZDNet, Jul 15 2005); [Firefox marketing site hacked](http://news.com.com/Firefox+marketing+site+hacked/2100-7349_3-5790030.html?part=rss&tag=5790030&subj=news) (CNet, Jul 15 2005); [Promotional firefox community site hacked](http://arstechnica.com/news.ars/post/20050715-5101.html) (Ars Technica, Jul 15 2005); [SpreadFirefox Site Hacked, Data Leaked](http://www.eweek.com/article2/0,1759,1837657,00.asp?kc=EWRSS03119TX1K0000594) (eWeek, Jul 15 2005); [Spread Firefox Downtime](http://www.spreadfirefox.com/node/16836) (Spread Firefox, Jul 15 2005); [Mozilla marketing site hacked](http://www.networkworld.com/news/2005/071505-mozilla-hack.html?fsrc=rss-security) (Network World, Jul 15 2005) | | 15-Jul-05 | Unknown | Unknown | Leakage of Information | Technology | | No | ||||||||
62 | 2005-25 | WHID 2005-25: No Charges Filed Yet Against South Charlotte Computer Hacker | A man hacked into a competing web site. Additional information: [No Charges Filed Yet Against South Charlotte Computer Hacker](http://www.wsoctv.com/news/4773654/detail.html) (WSOC-TV, Jul 26 2005) | | 31-Jul-05 | Unknown | Unknown | Leakage of Information | Education | | No | ||||||||
63 | 2005-26 | WHID 2005-26: NISCC reveals SAP R/3 security flaw | Additional information: [NISCC reveals SAP R/3 security flaw](http://www.computerweekly.com/Home/Articles/2005/07/28/211124/NISCCrevealsSAPR3securityflaw.htm) (Computer Weekly, Jul 28 2005) | http://www.computerweekly.com/Articles/2005/07/28/211124/NISCC-reveals-SAP-R3-security-flaw.htm | 31-Jul-05 | Path Traversal | Improper Input Handling | Disclosure Only | Technology | | No | ||||||||
64 | 2005-27 | WHID 2005-27: Phishers hack eBay | A bug in an eBay site allowed phishers to redirect users to their own servers after the users had filled in their details at the genuine eBay site. Additional information: [Phishers hack eBay](http://www.macworld.com/news/2005/08/02/phishers/index.php?lsrc=mwrss) (MacWorld, Aug 2 2005) | | 8-Aug-05 | Redirection | Improper Input Handling | Phishing | Retail | | No | ||||||||
65 | 2005-28 | WHID 2005-28: Phishers Steal Trust from eBay Sign In Pages | Phishers Steal Trust from eBay Sign In Pages | http://news.netcraft.com/archives/2005/07/29/phishers_steal_trust_from_ebay_sign_in_pages.html | 6-Sep-00 | Redirection | Improper Input Handling | Phishing | Retail | Campbell, CA | No | ||||||||
66 | 2005-29 | WHID 2005-29: Security issues in interactive hotel TVs | While not strictly web security, this discussion of hotel-room TV application security is a very good example of the dangers of our networked society. Additional information: [A Hacker Games the Hotel](http://www.wired.com/news/privacy/0,1848,68370,00.html) (Wired, Jul 30 2005) | | 31-Jul-05 | Credential/Session Prediction | Insufficient Authentication | Disclosure Only | Hospitality | | No | ||||||||
67 | 2005-3 | WHID 2005-3: Misconfiguration issues in paid wireless access and billing applications | Multiple misconfiguration problems such as browsable directories, physical path disclosure and default or weak passwords. Additional information: [Think Discovers Critical Flaws in U.S. Transportation Security](http://www.thinkcomputer.com/corporate/news/pressreleases.html?id=17) (Vulnerability Publisher's Site, Feb 1 2005) | | 2/1/2005 | Unintentional Information Disclosure | Directory Indexing | Leakage of Information | Service Providers | | No | ||||||||
68 | 2005-30 | WHID 2005-30: Blogger Developers Network Blog Cracked | The official answer from Blogger was that this was not the result of a hack attempt but of a subtle bug that occurred because our Developer's Network blog is a special case (it's got two names, 'code.blogger.com' and 'code.blogspot.com'). Additional information: [Blogger Developers Network Blog Cracked](http://google-blog.dirson.com/post.new/0272/) (Jul 31 2005) | | 4-Aug-05 | Administration Error | Application Misconfiguration | Defacement | Blogs | | No | ||||||||
69 | 2005-31 | WHID 2005-31: Hacker forced new planet discovery out of the closet | Additional information: [Hacker forced new planet discovery out of the closet](http://www.theinquirer.net/?article=25031) (The Inquirer, Aug 1 2005) | | 4-Aug-05 | Unknown | Unknown | Extortion | Education | | No | ||||||||
70 | 2005-32 | WHID 2005-32: Weak password recovery on Citrix's site | Weak password recovery procedure at Citrix. Additional information: [Example of the worst passwd recovery interface](http://www.securityfocus.com/archive/107/407243/30/0/threaded) (WebAppSec mailing list, Aug 3 2005) | | 8-Aug-05 | Unintentional Information Disclosure | Insufficient Password Recovery | Disclosure Only | Service Providers | | No | ||||||||
71 | 2005-33 | WHID 2005-33: Insufficient authorization on Verizon's MyAccount feature | A web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle. Additional information: [Glitch on Verizon Wireless Web Site Left Data at Risk](http://www.washingtonpost.com/wp-dyn/content/article/2005/08/11/AR2005081102122.html) (Washington Post, Aug 12 2005) | | 22-Aug-05 | Credential/Session Prediction | Insufficient Authorization | Disclosure Only | Service Providers | | No | ||||||||
72 | 2005-34 | WHID 2005-34: Man logs into dabs.com misc customer account | Additional information: [Man logs into dabs.com customer account shocker](http://www.channelregister.co.uk/2005/08/18/dabs_password_misdirected/) (Channel Register, Aug 18 2005) | | 22-Aug-05 | Abuse of Functionality | Insufficient Password Recovery | Leakage of Information | Retail | | No | ||||||||
73 | 2005-35 | WHID 2005-35: Stanford University web sites defaced using XMLRPC bug | Sites were defaced by exploiting an issue in an XML-RPC library used by PHP. Additional information: [Brazilian defacers hack hundreds of Stanford University web sites](http://www.zone-h.org/en/news/read/id=205962/) (Zone-H, Aug 21 2005) | | 23-Aug-05 | OS Commanding | Improper Input Handling | Defacement | Education | | No | ||||||||
74 | 2005-36 | WHID 2005-36: Predictable delay in an online poker game enabled users to beat the casino | A player of an online game discovered that a noticeable delay hinted at the cards the dealer held. Additional information: [Online Games Are Written By Humans](http://haacked.com/archive/2005/08/29/9748.aspx) (Personal, Aug 29 2005) | | 4-Sep-05 | Unintentional Information Disclosure | Abuse of Functionality | Monetary Loss | Entertainment | | No | ||||||||
75 | 2005-37 | WHID 2005-37: A 12-year-old hacked an online game and stole game items | A 12-year-old guessed a woman's login information and abused her account, stealing game items from her. Additional information: [Boy, 12, referred to child guidance center for hacking into online game site](http://www.buslab.org/index.php/content/view/22317/2/) (Mainichi Daily News, Sep 7 2005) | | 12-Sep-05 | Brute Force | Insufficient Anti-automation | Information Warfare | Entertainment | | No | ||||||||
76 | 2005-38 | WHID 2005-38: Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers | Teen convicted of threatening an ISP with a DoS attack, among other computer hacking activities. Additional information: [Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers](http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/09-08-2005/0004103380&EDATE=) (Press Release, Sep 8 2005) | | 12-Sep-05 | Denial of Service | Insufficient Anti-automation | Extortion | Service Providers | | No | ||||||||
77 | 2005-39 | WHID 2005-39: Promotional Firefox community site hacked (again) | An unpatched TWiki installation was exploited. Additional information: [Promotional Firefox community site hacked (again)](http://arstechnica.com/news.ars/post/20051004-5383.html) (Ars Technica, Oct 4 2005); [SpreadFirefox.com Community Website Hacked Once Again](http://www.net-security.org/article.php?id=836) (net-security.org, Oct 4 2005) | | 8-Nov-05 | OS Commanding | Improper Input Handling | Leakage of Information | Technology | | No | ||||||||
78 | 2005-4 | WHID 2005-4: An Israeli debate site vulnerable to XSS | An Israeli public debate site called Hyde Park has an XSS vulnerability that exposes session cookies. Additional information: [Identity theft in Hyde Park](http://www.nrg.co.il/online/10/ART1/049/017.html) (nrg.co.il, Feb 16 2005) | | 2/16/2005 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Politics | | No | ||||||||
79 | 2005-40 | WHID 2005-40: Defacement of several Novell websites | Script upload through a known vulnerability in Scoop. Additional information: [Defacement of several Novell websites](http://lists.suse.com/archive/suse-security-announce/2005-Oct/0001.html) (Mailing list post, Oct 4 2005) | | 8-Nov-05 | Administration Error | Application Misconfiguration | Defacement | Technology | | No | ||||||||
80 | 2005-41 | WHID 2005-41: XSS on Google's AdWords enables phishing | Additional information: [Google fixes Web site security bug](http://news.com.com/Google+fixes+Web+site+security+bug/2100-1002_3-5892525.html?part=rss&tag=5892525&subj=news) (News.com, Oct 10 2005) | | 10-Nov-05 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Search Engines | | No | ||||||||
81 | 2005-42 | WHID 2005-42: Default password in a common application used by schools | The software has a default password for teachers, enabling anyone to access the system with teacher privileges. Additional information: [Software glitch reveals private data for thousands of state's students: S.F. administrators close program to update passwords](http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/10/21/SNAFU.TMP) (SFGate, Oct 21 2005) | | 10-Nov-05 | Administration Error | Insufficient Authentication | Leakage of Information | Education | | No | ||||||||
82 | 2005-43 | WHID 2005-43: XSS in Yahoo's Web mail enables phishing | XSS in Yahoo Mail allows phishing. Additional information: [Yahoo fixes Web mail security flaw](http://news.com.com/Yahoo+fixes+Web+mail+security+flaw/2100-1002_3-5907383.html) (News.com, Oct 21 2005) | | 10-Nov-05 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Hosting Providers | | No | ||||||||
83 | 2005-44 | WHID 2005-44: Xoops web site hacked | A configuration mistake left an unused virtual host unprotected. No details on the configuration problems were given. Additional information: [Xoops web site hacked](http://www.xoops.org/modules/news/article.php?storyid=2639) (Vendor Web Site, Oct 28 2005) | | 8-Nov-05 | Administration Error | Application Misconfiguration | Leakage of Information | Technology | | No | ||||||||
84 | 2005-46 | WHID 2005-46: Teen uses SQL injection to break into a security magazine web site | A high school student used SQL injection to break into the site of a Taiwanese information security magazine from the TechTarget group and steal customers' information. Additional information: [Teenage hacker facing court case for data theft](http://www.taipeitimes.com/News/front/archives/2006/01/22/2003290158) (Taipei Times, Jan 22 2006) | http://www.taipeitimes.com/News/front/archives/2006/01/22/2003290158 | 26-Feb-06 | SQL Injection | Improper Input Handling | Leakage of Information | Media | | No | ||||||||
85 | 2005-47 | WHID 2005-47: SEC Vs. The Estonian Spiders | Business Wire allowed access to unpublished press releases. Additional information: [SEC Vs. The Estonian Spiders](http://www.webpronews.com/topnews/topnews/wpn-60-20051102SECVsTheEstonianSpiders.html) (WebProNews, Nov 2 2005) | | 8-Nov-05 | Process Automation | Insufficient Anti-automation | Leakage of Information | Finance | | No | ||||||||
86 | 2005-48 | WHID 2005-48: Insufficient authorization on Papa John's Pizza chain web site | Additional information: [Zero Day Pizza Party - Yo Noid Advisory #00001](http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0156.html) ("Full Disclosure" Mailing List, Nov 7 2005); [Pizza chain caught without fully baked security](http://news.com.com/Pizza+chain+caught+without+fully+baked+security/2100-7349_3-5938572.html) (CNet, Nov 7 2005) | | 10-Nov-05 | Predictable Resource Location | Insufficient Authorization | Leakage of Information | Retail | | No | ||||||||
87 | 2005-49 | WHID 2005-49: Google Base launched with security hole | XSS in the Google Base search function. Additional information: [Google Base launched with security hole](http://www.pcworld.idg.com.au/index.php/id;751088708;fp;2;fpid;1) (PC World, Nov 21 2005); [More Google security failures](http://jibbering.com/blog/?p=189) (Jibbering.com, Nov 16 2005) | | 28-Feb-06 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Search Engine | | No | ||||||||
88 | 2005-5 | WHID 2005-5: Paris Hilton's T-Mobile online account hacked | Details remain sketchy, but news reports mention social engineering, a guessable secret question for password recovery, and a known vulnerability in BEA WebLogic. Additional information: [Paris Hilton Hack Started With Old-Fashioned Con](http://www.washingtonpost.com/wp-dyn/content/article/2005/05/19/AR2005051900711.html) (Washington Post, May 19 2005); [Paris Hilton: Victim of T-Mobile's Web Flaws?](http://www.pcworld.com/news/article/0,aid,119851,00.asp) (PCWorld, Mar 1 2005); [Known Hole Aided T-Mobile Breach](http://www.wired.com/news/privacy/0,1848,66735,00.html) (Wired.com, Feb 28 2005); [How Paris Got Hacked?](http://www.macdevcenter.com/pub/a/mac/2005/01/01/paris.html) (O'Reilly Network, Feb 22 2005) | | 11-Jul-05 | Abuse of Functionality | Insufficient Password Recovery | Leakage of Information | Technology | | No | ||||||||
89 | 2005-50 | WHID 2005-50: XSS on Yahoo Mail | Inserting code in an HTML attachment enables changing the user interface of Yahoo Mail, which may enable fraud. Additional information: [XSS on Yahoo Mail](http://archives.neohapsis.com/archives/bugtraq/2005-11/0289.html) (Bugtraq, Nov 23 2005); [XSS on Yahoo Mail](http://richard.computeiro.com/yahoo_bug.jpg) (Bugtraq, Nov 23 2005) | | 28-Feb-06 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Hosting Providers | | No | ||||||||
90 | 2005-51 | WHID 2005-51: Critical MySpace Vulnerabilities Leave Every Active Account Exploitable | An XSS when receiving notification of an incoming IM message. Additionally, it is possible to send an IM message to somebody who has blocked such messages by pretending to be answering a message from him. Additional information: [Critical Myspace Vulnerabilities Leave Every Active Account Exploitable](http://www.silent-products.com/advisory12.5.05.txt) (Silent Productions, Dec 5 2005) | | 28-Feb-06 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Web 2.0 | | No | ||||||||
91 | 2005-53 | WHID 2005-53: Charity Web Site Hacked | A UK church charity web site was hacked and at least 3000 credit card numbers were stolen. The credit card information is known to have been used by the hackers. No specific details are given; the article only indicates that the site was hacked. Additional information: [Police investigate charity credit card data hack](http://software.silicon.com/malware/0,3800003100,39154991,00.htm) (Silicon.com, Dec 12 2005) | | 26-Feb-06 | Unknown | Unknown | Credit Card Leakage | Religious | | No | ||||||||
92 | 2005-54 | WHID 2005-54: XSS vulnerability in NIST web site | Netcraft discovered an XSS vulnerability in the NIST web site, which ironically hosts the U.S. National Vulnerability Database. Additional information: [US Government Security Site Vulnerable to Common Attack](http://news.netcraft.com/archives/2005/12/14/us_government_security_site_vulnerable_to_common_attack.html) (Netcraft, Dec 14 2005) | | 26-Feb-06 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Government | | No | ||||||||
93 | 2005-55 | WHID 2005-55: Yahoo RSS XSS Vulnerability | A malicious site can offer users a malformed RSS XML file to be included in Yahoo's RSS aggregator, which would enable stealing Yahoo cookies. Additional information: [Yahoo RSS XSS Vulnerability](http://www.alljer.com/yahoorssxss.htm) (alljer.com, Dec 18 2005) | | 28-Feb-06 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Search Engine | | No | ||||||||
94 | 2005-56 | WHID 2005-56: XSS vulnerabilities in Google.com | A redirection to an error page on Google.com includes values sent by the user. This vulnerability allows phishers to send an e-mail with links to Google that will include their attack page. Additional information: [XSS vulnerabilities in Google.com](http://www.webappsec.org/lists/websecurity/archive/2005-12/msg00059.html) (Watchfire, Dec 21 2005); [Google Cross-Site Scripting Flaw Fixed](http://www.betanews.com/article/Google_CrossSite_Scripting_Flaw_Fixed/1135201187) (BetaNews, Dec 21 2005); [Google plugs 'obscure' phishing holes](http://news.com.com/Google+plugs+obscure+phishing+holes/2100-1002_3-6004471.html) (CNet, Dec 21 2005); [Google XSS Example](http://shiflett.org/archive/178) (Chris Shiflett, Dec 21 2005); [Google's XSS Vulnerability](http://shiflett.org/archive/177) (Chris Shiflett, Dec 21 2005) | | 28-Feb-06 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Search Engine | | No | ||||||||
95 | 2005-57 | WHID 2005-57: RPG site bit by hackers | User data was stolen from an online game web site. The hacker tried to extort RPG by threatening to publish the users' data. The news item states that the hack was the result of a flaw in custom web site software. Additional information: [RPG site bit by hackers](http://www.scmagazine.com/uk/news/article/533573/rpg-site-bit-hackers/) (SC Magazine, Dec 21 2005) | | 26-Feb-06 | Unknown | Unknown | Extortion | Entertainment | | No | ||||||||
96 | 2005-58 | WHID 2005-58: Yahoo mail Cross Site Scripting | An attacker can send an e-mail containing a malicious script to a victim; the script performs its actions as soon as the e-mail is read. Additional information: [Yahoo mail Cross Site Scripting](http://www.morx.org/yahoo-XSS.txt) (Morx, Dec 22 2005) | | 28-Feb-06 | Cross-site Scripting (XSS) | Improper Output Handling | Disclosure Only | Service Providers | | No | ||||||||
97 | 2005-59 | WHID 2005-59: Vote Someone Else's Shares | The Janus mutual fund uses a predictable identifier to authenticate its shareholders, enabling them to vote for others. Additional information: [Vote Someone Else's Shares](http://www.schneier.com/blog/archives/2005/11/vote_someone_el.html) (Bruce Schneier, Nov 24 2005) | | 28-Feb-06 | Credential/Session Prediction | Insufficient Authorization | Disclosure Only | Finance | | No | ||||||||
98 | 2005-6 | WHID 2005-6: Tampering with parameters allows access to others' account data on PayMaxx Inc. site | Parameter tampering enabled jumping into someone else's account data on the PayMaxx Inc. site. Additional information: [Payroll site closes on security worries](http://news.com.com/Payroll+site+closes+on+security+worries/2100-1029_3-5587859.html?tag=cd.hed) (CNet, Feb 23 2005); [Think Finds Flaw Revealing Up To 100,000 Social Security Numbers](http://www.thinkcomputer.com/corporate/news/pressreleases.html?id=18) (Vulnerability Publisher's Site, Feb 23 2005) | | 2/23/2005 | Credential/Session Prediction | Insufficient Authorization | Leakage of Information | Finance | | No | ||||||||
99 | 2005-60 | WHID 2005-60: KU shuts down housing application Web site | The web site used to apply online for housing at KU was shut down for lack of proper security measures to prevent visitors from viewing personal information about others. Additional information: [KU shuts down housing application Web site](http://www.kansascity.com/mld/kansascity/news/local/13495104.htm) (Associated Press, Dec 27 2005) | | 26-Feb-06 | Unknown | Unknown | Leakage of Information | Government | | No | ||||||||
100 | 2005-61 | WHID 2005-61: Gmail session management bug | A bug in Gmail's authentication and session management allows direct login to anybody's account without requiring any involvement of the victim. Additional information: [Gmail bug](http://www.elhacker.net/gmailbug/english_version.htm) (elhacker.net, Oct 18 2005); [Google Downplays Gmail Security Fix](http://www.eweek.com/article2/0,1759,1889050,00.asp) (eWeek, Oct 18 2005) | | 12-Apr-06 | Credential/Session Prediction | Insufficient Authorization | Disclosure Only | Service Providers | | No | ||||||||