ABCDEFGHIJKLMNOPQRS
1
WHID IDEntry TitleIncident DescriptionReferenceDate OccurredAttack MethodApplication WeaknessOutcomeAttacked Entity FieldAttacked Entity GeographyMass AttackMass Attack NameNumber of Sites AffectedAttack Source GeographyAttacked System TechnologyCostItems LeakedNumber of RecordsAdditional Link
2
1999-1WHID 1999-1: eBay downplays security holeA very early XSS issue at eBay. Interesting historically as it seems that at the time the term XSS was not yet in use.http://packetstormsecurity.org/9904-exploits/ebayla.txt4-Apr-06Cross-site Scripting (XSS)Improper Output HandlingSession HijackingRetailNo
3
2000-2WHID 2000-2: IKEA exposes customer information on catalog siteError message revealed a database file location, which could be downloaded.http://news.com.com/2100-1017-245372.html?legacy=cnet9/6/2000Unintentional Information DisclosureInsufficient AuthenticationLeakage of InformationRetailNo
4
2000-3WHID 2000-3: Gaffe at Amazon leaves email addresses exposedE-mail addresses of other customers displayed by mistake, no hacking was requiredhttp://news.com.com/2100-1017-245387.html?legacy=cnet6-Sep-00Abuse of FunctionalityApplication MisconfigurationLeakage of InformationRetailUSANo
5
2000-4WHID 2000-4: Sensitive files left unprotected on Western Union's WebSensitive files were left in a publicly accessible directory during a maintenance windowhttp://news.com.com/2100-1023-245525.html?legacy=cnet10-Sep-00Unintentional Information DisclosureInsufficient AuthorizationLeakage of InformationFinanceUSANo
6
2000-5WHID 2000-5: Eve.com exposes customers order informationView other customers orders by changing a sequential number within a URL parameterhttp://news.com.com/2100-1017-245700.html?legacy=cnet9/13/2000Credential/Session PredictionInsufficient AuthorizationLeakage of InformationRetailNo
7
2000-6WHID 2000-6: Inforeading.com defacement using command injectionExecuting local commands using URL parametershttp://www.inforeading.com/library/infoarticles/InfoReading/logs/deface/02.txt15-Dec-00OS CommandingImproper Input HandlingDefacementEntertainmentNo
8
2001-1WHID 2001-1: Travelocity exposes customer informationSensitive files were left in a publicly accessible directory of a new web server installhttp://news.com.com/2100-1017-251344.html?legacy=cnet1/22/2001Predictable Resource LocationInsufficient AuthorizationDisclosure OnlyHospitalityNo
9
2001-2WHID 2001-2: Computer E-Retailer Exposes Credit Card NumbersView other orders by changing a sequential parameter number. Security was provided by client side JavaScripthttp://www.extremetech.com/article2/0,3973,103782,00.asp6/18/2001Predictable Resource LocationInsufficient AuthorizationDisclosure OnlyRetailNo
10
2001-3WHID 2001-3: Persistent XSS in HotmailPersistent XSS HTML Injection inside an HTML email message to hotmailhttp://www.usatoday.com/tech/news/2001-08-31-hotmail-security.htm8/31/2001Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlyService ProvidersNo
11
2001-4WHID 2001-4: Hacked Web site damaged PCs in JapanUsers who visited the Price Lotto site using Microsoft's IE (Internet Explorer) 4.x and 5.x, automatically downloaded malicious JavaScript that was programmed to alter the software configuration of their PCs.http://www.computerworld.com.au/article/52716/hacked_web_site_damaged_pcs_japan/8/22/2001Cross-site Scripting (XSS)Improper Output HandlingPlanting of MalwareRetailNo
12
2001-5WHID 2001-5: Privacy hole found in Verizon Wireless Web siteThe privacy hole affected users who logged on to the Verizon Wireless Web site and used the My Account feature to view or change their cell phone billing and account information. The Web site address for the feature assigns session identifications sequentially as each user logs in which allows for forceful browsing.http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,63587,00.html6-Sep-01Credential/Session PredictionInsufficient AuthorizationDisclosure OnlyService ProvidersNo
13
2001-6WHID 2001-6: XSS at Microsoft Passporthttp://www.pcworld.com/news/article/0,aid,69543,00.asp11/5/2001Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlyService ProvidersNo
14
2002-1WHID 2002-1: Flawed authentication at BN.com exposes personal information<p>Opening an account with a discontinued e-mail address exposes all the information of the discontinues account
</p><p>Additional information:</p>
<ul>
<li><a href="http://wired-vig.wired.com/news/ebiz/0,1272,53942,00.html">BN.com: The Hole Story</a> [Wired, Jul 19 2002]</li>
<li><a href="http://www.marktaw.com/technology/HackingBarnesAndNoble.com.html">BarnesAndNoble.com Security Flaw</a> [Personal Web Page, Jul 9 2002]</li>
<li><a href="http://itmanagement.earthweb.com/secu/article.php/3347761">Barnes &amp; Noble.com Fined for Customer Data Leak</a> [Datamation, Apr 30 2004]</li>
</ul>		7/19/2002Predictable Resource LocationInsufficient Password RecoveryLeakage of InformationRetailNo
15
2002-2WHID 2002-2: Advogato XSS virus account<p>Additional information:</p>
<ul>
<li><a href="http://www.bindshell.net/papers/xssv/advogato/">Advogato xss virus account</a> [Bindshell, Sep 21 2002]</li>
</ul>		11-Jul-05Cross-site Request Forgery (CSRF)Improper Output HandlingWormTechnologyNo
16
2002-3WHID 2002-3: Reuters accused of hacking<p>A company put its earnings report on site before its official release, but did not linked to it. Reuters found the document and published it.
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/2100-1023-963658.html">Reuters accused of hacking</a> [Cnet, Nov 29 2002]</li>
</ul>		11/26/2002Unintentional Information DisclosureInsufficient AuthorizationLeakage of InformationTechnologyNo
17
2002-4WHID 2002-4: Tower Records settles charges over hack attacks<p>View other customers orders by changing a guessable number within a URL parameter
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.securityfocus.com/news/8508">Tower Records settles charges over hack attacks</a> [Security Focus, Apr 21 2004]</li>
<li><a href="http://news.com.com/2100-1017-976271.html">Tower Records site exposes data</a> [CNet, Dec 5 2002]</li>
</ul>		4/21/2004Predictable Resource LocationInsufficient AuthorizationLeakage of InformationRetailNo
18
2003-1WHID 2003-1: FTD.com hole leaks personal information<p>View other customers information by modifying a cookie
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/2100-1017-984585.html">FTD.com hole leaks personal information</a> [CNet, Feb 13 2003]</li>
</ul>		2/13/2003Credential/Session PredictionInsufficient AuthenticationLeakage of InformationRetailNo
19
2003-2WHID 2003-2: UT Austin hack yields personal info on thousands<p>While an old incident, further research into it suggest that it was a web hack. While the initial reports talk about a database break in, a report in the Register identify the database as txClass, which is a web based system.<br />55,200 social security numbers where stolen, though the hacker claimed that he did not perform the act for profit. He was caught and sentenced to 5 years probation.
</p><p>Additional information:</p>
<ul>
<li><a href="https://www.utexas.edu/datatheft/">Data Theft Incident Response</a> [UofT, Sep 7 2005]</li>
<li><a href="http://www.theregister.co.uk/2003/03/18/student_owns_up_to_texas/">Student owns up to Texas Uni cyber-heist</a> [The Register, Mar 18 2003]</li>
<li><a href="http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79102,00.html">UT Austin hack yields personal info on thousands</a> [Computer World, Mar 6 2003]</li>
<li><a href="http://www.securityfocus.com/news/2935">Hackers steal names, Social Security numbers from University of Texas database</a> [Security Focus, Mar 6 2006]</li>
</ul>		4-Apr-06Brute ForceInsufficient Anti-automationLeakage of InformationEducationNo
20
2003-3WHID 2003-3: User passwords could be stolid in Microsoft&#039;s Passport service<p>Additional information:</p>
<ul>
<li><a href="http://news.zdnet.co.uk/business/0,39020645,2134469,00.htm">Microsoft faces huge fine over security</a> [Zdnet, May 9 2003]</li>
<li><a href="http://www.atnewyork.com/news/article.php/2203651">Microsoft Patches .NET Passport Hole</a> [AnyNetwork, May 8 2003]</li>
</ul>		5/9/2003Predictable Resource LocationInsufficient Password RecoveryDisclosure OnlyService ProvidersNo
21
2003-4WHID 2003-4: SQL injection on Guess site triggers an FTC inquiry<p>Additional information:</p>
<ul>
<li><a href="http://www.ftc.gov/opa/2003/06/guess.htm">Guess Settles FTC Security Charges</a> [FTC Web Site, Jun 18 2003]</li>
</ul>		6/18/2003SQL InjectionImproper Input HandlingDisclosure OnlyRetailNo
22
2003-5WHID 2003-5: Car shoppers&#039; credit details exposed in bulk<p>User submitted information was being stored in a publicly available location. The URL found in the source code of a publicly available web page.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.securityfocus.com/news/7067">Car shoppers' credit details exposed in bulk</a> [Security Focus, Sep 25 2003]</li>
</ul>		9/25/2003Predictable Resource LocationInsufficient AuthorizationLeakage of InformationAutomotiveNo
23
2003-6WHID 2003-6: Mississippi man blackmails Best Buy<p>A person convicted of blackmailing Best Buy. He threatened to expose a breach in the company's web site if not paid $2.5 million.
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.zdnet.com/2100-1009_22-5136932.html?tag=nl">Mississippi man denies Best Buy blackmail</a> [ZDnet, Jan 7 2004]</li>
<li><a href="http://news.zdnet.com/2100-1009_22-5980008.html">Police blotter: Best Buy 'hacker' loses in court</a> [Zdnet, Dec 2 2005]</li>
<li><a href="http://caselaw.lp.findlaw.com/data2/circs/8th/051655p.pdf">Appeals Court's Opinion</a> [, Nov 22 2005]</li>
</ul>		26-Feb-06UnknownUnknownExtortionRetailNo
24
2003-7WHID 2003-7: Victoria&#039;s Secret reveals far too much<p>View other customers orders by changing a sequential number within a URL parameter
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.cbsnews.com/stories/2003/10/22/tech/main579547.shtml">Victoria's Secret Reveals Too Much</a> [CBS News, Oct 22 2003]</li>
<li><a href="http://cooltech.iafrica.com/technews/280300.htm">Victoria's Secret reveals far too much</a> [iAfrica, Oct 24 2003]</li>
</ul>		10/22/2003Predictable Resource LocationInsufficient AuthorizationDisclosure OnlyRetailNo
25
2003-8WHID 2003-8: SQL Injection in PetCo.com leads to FTC investigation<p>Additional information:</p>
<ul>
<li><a href="http://www.infoworld.com/article/04/11/17/HNpetco_1.html">Petco settles charge it left customer data exposed</a> [Infoeworld, Nov 17 2004]</li>
<li><a href="http://www.securityfocus.com/news/9957">Petco settles with FTC over cyber security gaffe</a> [Security Focus, Nov 17 2004]</li>
<li><a href="http://www.securityfocus.com/news/7581">FTC investigates PetCo.com security hole</a> [Security Focus, Dec 5 2003]</li>
</ul>		11/17/2004SQL InjectionImproper Input HandlingDisclosure OnlyRetailNo
26
2003-9WHID 2003-9: Defenses lacking at social network sites<p>Additional information:</p>
<ul>
<li><a href="http://www.securityfocus.com/news/7739">Defenses lacking at social network sites</a> [Security Focus, Dec 31 2003]</li>
</ul>		12/31/2003Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlyWeb 2.0No
27
2004-1WHID 2004-1: Biggest Web Problem Isn&#039;t About Privacy, It&#039;s Sloppy Security - OpenTable<p>Additional information:</p>
<ul>
<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes1.txt">Biggest Web Problem Isn't About Privacy, It's Sloppy Security</a> [Wallstreet Journal (Archive Copy), Jan 26 2004]</li>
</ul>		4-Aug-05Credential/Session PredictionInsufficient AuthenticationLeakage of InformationHospitalityNo
28
2004-10WHID 2004-10: SQL Injection and XSS on presidential campaign web sitesOn Sunday, security analyst Richard Smith did a quick check of the Bush and Kerry campaign sites and found several security problems on each, all of which are common on many other websites.http://www.wired.com/techbiz/it/news/2004/06/640366/30/2004SQL InjectionImproper Input HandlingDisclosure OnlyPoliticsNo
29
2004-11WHID 2004-11: Phishers Manipulate SunTrust Site to Steal Data<p>Phishing based on XSS
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.netcraft.com/archives/2004/09/28/phishers_manipulate_suntrust_site_to_steal_data.html">Phishers Manipulate SunTrust Site to Steal Data</a> [NetCraft, Sep 28 2004]</li>
</ul>		9/28/2004Cross-site Scripting (XSS)Improper Output HandlingPhishingFinanceUSANo
30
2004-12WHID 2004-12: XSS in Gmail<p>An XSS was found in G-Mail
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2004/10/29/gmail_vuln/">Gmail accounts 'wide open to exploit' - report</a> [The Register, Oct 29 2004]</li>
<li><a href="http://net.nana.co.il/Article/?ArticleID=155025&amp;sid=10">NetLife Exclusive: Security hole found in Gmail</a> [Nana NetLife, Oct 27 2004]</li>
</ul>		11-Jul-05Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlyHosting ProvidersNo
31
2004-13WHID 2004-13: SunTrust site XSS vulnerability exploited by for phishing<p>Phishing based on XSS (Same vulnerability but a different attack that the similar September 2004 attack)
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.fool.com/News/mft/2004/mft04120810.htm">Do Online Banks Facilitate Fraud?</a> [The Motley Fool, Dec 8 2004]</li>
<li><a href="http://news.netcraft.com/archives/2004/12/06/suntrust_site_exploited_by_fraudsters.html">SunTrust site exploited by fraudsters</a> [NetCraft, Dec 6 2004]</li>
</ul>		8-Nov-05Cross-site Scripting (XSS)Improper Output HandlingPhishingFinanceNo
32
2004-14WHID 2004-14: Santy worm defaces websites using PHP bug<p>Worm used Google to locate sites vulnerable to OS</p>
<p>Additional information:</p>
<ul>
<li><a href="http://news.bbc.co.uk/1/hi/technology/4117711.stm">Santy worm makes unwelcome visit</a> [BBC, Dec 22 2004]</li>
<li><a href="http://isc.sans.org/diary.php?date=2004-12-21">Santy worm defaces websites using php bug</a> [Sans Storm Center, Dec 21 2004]</li>
</ul>		22-Dec-04OS CommandingImproper Input HandlingWormMultipleNoVariousphpBB
33
2004-15WHID 2004-15: New Variant of Santy Worm Spreads<p>phpBB worm</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.frsirt.com/exploits/20041225.PhpIncludeWorm.php">PHP Scripts Automated Arbitrary File Inclusion</a> [Vulnerabiliy Publisher's Site, Dec 25 2004]</li>
<li><a href="http://www.pcworld.com/news/article/0,aid,119051,pg,1,RSS,RSS,00.asp">New Variant of Santy Worm Spreads</a> [PC World, Dec 27 2004]</li>
<li><a href="http://www.computerworld.com/securitytopics/security/holes/story/0,10801,98553,00.html">Santy.E worm poses threat to sites badly coded in PHP </a> [Computer World, Dec 27 2004]</li>
</ul>		25-Dec-04OS CommandingImproper Input HandlingWormMultipleNophpBB
34
2004-16WHID 2004-16: Lycos Free Email XSS<p>An XSS was found in Lycos Web Mail
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.securiteam.com/securitynews/6A00N20C1C.html">Lycos Free Email Cross-Site Scripting Vulnerability</a> [SecriTeam, Dec 27 2004]</li>
</ul>		11-Jul-05Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlyHosting ProvidersNo
35
2004-17WHID 2004-17: The CardSystems breach was an SQL Injection hack (Updated)<p><em><strong>Update (May 27th 2009)</strong></em> - The CardSystems incident is refusing to die. Merrick Back is now <a href="http://www.courthousenews.com/2009/05/26/Merrick.pdf">suing Savvis</a> for certifying CardSystems as CISP compliant while it systems where wide open. CISP is a VISA program for certifying credit card processing systems which existed prior to PCI DSS.</p>
<p>The actual damage to an organization of an attack is rarely disclosed, and coverage focuses on the Number_of_Records stolen. In the court documents Merrick reveals that its own damage from the CardSystems incident was $16,000,000! The money was paid to card holders to compensate for losses and for legal fees and fines.</p>
<p>The case is also interesting as it put to test the liability of the certifying entity (in this case Savvis) resulting from assessing. The results may have profound influence on the PCI QSA market and therefore PCI itself. David Navetta posts an <a href="http://infoseccompliance.com/2009/06/03/merrick-bank-v-savvis-analysis-of-the-merrick-bank-complaint/">excellent legal analysis</a> of the potential implications of the lawsuit.</p>
<hr />
<p>This entry is a very important one. Most are already familiar with the infamous CardSystems incident where hackers stole 263,000 credit card numbers, exposed 40 million more and several million dollars fraudulent credit and debit card purchases had been made with these counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever and it caused company share holders, financial institutes and card holders damage of millions of dollars.</p>
<p>But since the publication of the incident a year ago the way in which the breach occurred remained a mystery.</p>
<p>Recently new articles about the case (listed below) revealed that SQL injection was used by the attackers to install malicious script on the CardSystems web application database which where scheduled to run every four days, extract records, zip them and export them to an FTP site.</p>
<p>This is one of the most stunning examples where a web application security hole was used to launch a targeted attack in order to steal money.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1180411,00.html">Cleaning up after a hack job: CardSystems' Christensen</a> [Information Security (mirror), Apr 14 2006]</li>
<li><a href="http://www.ftc.gov/os/caselist/0523148/0523148complaint.pdf">FTC complain In the Matter of CardSystems Solutions</a> [FTC, ]</li>
<li><a href="http://wiki.midrange.com/index.php/CardSystems">Midrange CardSystems Wiki</a> [Midrange, ]</li>
<li><a href="http://www.webappsec.org/lists/websecurity/archive/2006-04/msg00051.html">CardSystems was a Web Application Hack</a> [Cesar Cerrudo, <a href="http://www.argeniss.com">Argeniss</a>, Apr 18 2006]</li>
<li><a href="http://www.schneier.com/blog/archives/2005/06/cardsystems_exp.html">CardSystems Exposes 40 Million Identities</a> [Bruce Schneier, Jun 23 2005]</li>
</ul>		20-Apr-06SQL InjectionImproper Input HandlingCredit Card LeakageFinanceNoCredit Card Number40,000,000
36
2004-18WHID 2004-18: Security flaw exposed in Cahoot bank accounts<p>Following a software upgrade, Cahoot, a UK based Internet only bank allowed accessing user accounts by guessing their user names. At least on one page allowed accessing an account by only specifying the user name in the URL. The bug was open for 12 days before being discovered.
</p><p><br />The site was taken off line for 10 hours to fix the issue. It is a significant incident, as it is one of those rare occasions where vulnerability was serious enough to force the organization to just take the site off line until it is fixed.
</p><p><br />We somehow missed this story so it finds its way to WHID only now in late 2007.
</p><p>Additional information:</p>
<ul>
<li><a href="http://software.silicon.com/security/0,39024655,39125639,00.htm">Security flaw exposed in Cahoot bank accounts</a> [Silicon.com, Oct 5 2004]</li>
<li><a href="http://software.silicon.com/security/0,39024655,39125665,00.htm">Leader: Not another security scare</a> [Silicon.com, Oct 5 2004]</li>
<li><a href="http://news.bbc.co.uk/2/hi/business/3984845.stm">Cahoot hit by web security scare</a> [BBC, Oct 5 2004]</li>
</ul>		25-Oct-07Predictable Resource LocationInsufficient AuthenticationDisclosure OnlyFinanceNo
37
2004-2WHID 2004-2: Biggest Web Problem Isn&#039;t About Privacy, It&#039;s Sloppy Security - Saks<p>Additional information:</p>

<ul>

<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes1.txt">Biggest Web Problem Isn't About Privacy, It's Sloppy Security</a> [Wallstreet Journal (Archive Copy), Jan 26 2004]</li>

</ul>		http://www.cs.umass.edu/~kevinfu/news/wsj-gomes1.txt4-Aug-05Predictable Resource LocationInsufficient AuthorizationLeakage of InformationRetailNo
38
2004-3WHID 2004-3: More Scary Tales Involving Big Holes In Web-Site Security - Iomega<p>Additional information:</p>
<ul>
<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web</a> [Wallstreet Journal (Archive Copy), Feb 2 2004]</li>
</ul>		4-Aug-05Predictable Resource LocationInsufficient AuthorizationLeakage of InformationRetailNo
39
2004-4WHID 2004-4: More Scary Tales Involving Big Holes In Web-Site Security - Kohl's<p>Additional information:</p>
<ul>
<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web-Site Security</a> [Wallstreet Journal (Archive Copy), Feb 2 2004]</li>
</ul>		4-Aug-05Predictable Resource LocationInsufficient AuthorizationLeakage of InformationRetailNo
40
2004-5WHID 2004-5: More Scary Tales Involving Big Holes In Web-Site Security - Gateway<p>Additional information:</p>
<ul>
<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web-Site Security</a> [Wallstreet Journal (Archive Copy), Feb 2 2004]</li>
</ul>		4-Aug-05Credential/Session PredictionInsufficient AuthenticationLeakage of InformationTechnologyNo
41
2004-6WHID 2004-6: More Scary Tales Involving Big Holes In Web-Site Security - Tiffany<p>Additional information:</p>
<ul>
<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web-Site Security</a> [Wallstreet Journal (Archive Copy), Feb 2 2004]</li>
</ul>		http://www.cs.umass.edu/~kevinfu/news/wsj-gomes2.txt4-Aug-05SQL InjectionImproper Input HandlingLeakage of InformationRetailNo
42
2004-7WHID 2004-7: More Scary Tales Involving Big Holes In Web-Site Security - University Sub Service<p>Additional information:</p>

<ul>

<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web-Site Security</a> [Wallstreet Journal (Archive Copy), Feb 2 2004]</li>

</ul>		http://www.cs.umass.edu/~kevinfu/news/wsj-gomes2.txt4-Aug-05Predictable Resource LocationInsufficient AuthorizationLeakage of InformationEducationNo
43
2004-8WHID 2004-8: Broadcast TV announcements changed by hacking the stations web site<p>Previously moderated weather announcements could be changed by the user
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.securityfocus.com/news/8191">Pranksters bedevil TV weather announcment system</a> [Security Focus, Mar 4 2004]</li>
</ul>		3/4/2004Abuse of FunctionalityInsufficient Process ValidationDisinformationMediaNo
44
2004-9WHID 2004-9: Billing and personal information leakage due to lack of authentication on a phone company web site<p>A billing information system required only phone number and zip code to pull up account details
</p><p>Additional information:</p>
<ul>
<li><a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci969836,00.html">A security tale: From vulnerability discovery to disaster</a> [Search Security, Jun 14 2004]</li>
</ul>		6/14/2004Predictable Resource LocationInsufficient AuthenticationLeakage of InformationService ProvidersNo
45
2005-1WHID 2005-1: Gmail Bug Exposes E-mails messages of other users<p>Parameter tampering enabled exposing sensitive information in G-Mail
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.betanews.com/article/Gmail_Bug_Exposes_Emails_to_Hackers/1105561408">Gmail Bug Exposes E-mails to Hackers</a> [Beta News, Jan 12 2005]</li>
<li><a href="http://it.slashdot.org/article.pl?sid=05/01/12/1655246&amp;tid=172&amp;tid=215&amp;tid=217&amp;tid=218">Gmail Messages Are Vulnerable To Interception</a> [Slash.Dot, Jan 12 2005]</li>
</ul>		11-Jul-05Predictable Resource LocationImproper Input HandlingDisclosure OnlyHosting ProvidersNo
46
2005-10WHID 2005-10: Indian SATs results leaking<p>Additional information:</p>
<ul>
<li><a href="http://blogs.law.harvard.edu/philg/comments?u=philg&amp;p=7726&amp;link=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2F2005%2F03%2F08%23a7726#a7777">Indian SATs results leaking</a> [Blog talkback, Mar 10 2005]</li>
</ul>		8-Nov-05Unintentional Information DisclosureInsufficient AuthenticationDisclosure OnlyEducationNo
47
2005-11WHID 2005-11: Samy XSS Worm Hits MySpace<p>The Samy worm at my space is now a classic, both a sophisticated attack and a well documented one, it became a case study in the web application security field. Recently Robert Hansen (RSnake) wrote a very interesting blog entry about Samy and what happened to him since.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://ha.ckers.org/blog/20070310/my-lunch-with-samy/">My Lunch With Samy</a> [ha.ckers, Mar 10 2007]</li>
<li><a href="http://fast.info/myspace/">MySpace XSS worm writer notes</a> [bindshell, Apr 10 2005]</li>
<li><a href="http://www.bindshell.net/papers/xssv/myspace/code/">MySpace XSS worm source</a> [bindshell, Apr 10 2005]</li>
<li><a href="http://namb.la/popular/tech.html">MySpace XSS virus development</a> [bindshell, Apr 10 2005]</li>
<li><a href="http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391">Cross-Site Scripting Worm Hits MySpace</a> [Beta News, Apr 10 2005]</li>
</ul>		8-Nov-05Cross-site Scripting (XSS)Improper Output HandlingWormWeb 2.0No
48
2005-12WHID 2005-12: Insufficient authentication on Arbela mutual insurance allowed access to private data<p>Extranet system accessible to the public
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.boston.com/business/technology/articles/2005/05/05/insurers_website_error_reveals_data_on_drivers/?rss_id=Boston+Globe+">Insurer's website breach reveals data on drivers</a> [The Boston Globe, May 5 2005]</li>
</ul>		5/5/2005Unintentional Information DisclosureInsufficient AuthenticationDisclosure OnlyRetailNo
49
2005-13WHID 2005-13: Hacker attacked weak point on Kakaku.com's Web Site<p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/isn/2005/May/0041.html">Web sites get costly lesson in security</a> [Asahi (Japan), May 18 2005]</li>
<li><a href="http://www.cdrinfo.com/forum/tm.asp?m=110616&amp;mpage=1&#110616">Hacker attacked weak point on Kakaku.com's Web Site</a> [Asahi (Japan), May 25 2005]</li>
</ul>		5/25/2005SQL InjectionImproper Input HandlingDowntimeRetailNo
50
2005-14WHID 2005-14: XSS on Microsoft Xbox site allowed phishing<p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/Microsoft+plugs+phishing+hole+in+Xbox+site/2100-1029_3-5720241.html?tag=nl">Microsoft plugs phishing hole in Xbox site</a> [news.com, May 25 2005]</li>
</ul>		8-Nov-05Cross-site Scripting (XSS)Improper Output HandlingPhishingEntertainmentNo
51
2005-15WHID 2005-15: Unprotected information on the University of Chicago web site<p>Files containing sensitive information left unprotected on the web server
</p><p>Additional information:</p>
<ul>
<li><a href="http://incidentresponse.uchicago.edu/">University of Chicago</a> [Victim's Site, May 30 2005]</li>
<li><a href="http://maroon.uchicago.edu/news/articles/2005/05/27/private_records_disc.php">Private records discovered on server</a> [Chicago Maroon, May 27 2005]</li>
</ul>		5/30/2005Unintentional Information DisclosureInsufficient AuthenticationLeakage of InformationEducationNo
52
2005-16WHID 2005-16: MSN site hacked in South Korea<p>The web site was modified to include password stealing code
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.usatoday.com/tech/news/2005-06-02-hacked_x.htm">Microsoft admits MSN site hacked in South Korea</a> [USA Today, Jun 2 2005]</li>
<li><a href="http://abcnews.go.com/Technology/wireStory?id=817338">MSN Site Hacking Went Undetected for Days</a> [ABC News, Jun 3 2005]</li>
</ul>		6/2/2005UnknownUnknownSession HijackingSearch EnginesNo
53
2005-17WHID 2005-17: Leakage of information due to XSS in Hotmail<p>Additional information:</p>
<ul>
<li><a href="http://www.vnunet.com/vnunet/news/2137707/hotmail-hack-fixed">Microsoft fixes Hotmail hack</a> [VUnet, Jun 9 2005]</li>
<li><a href="http://www.theregister.co.uk/2005/06/08/hotmail_hack/">Hotmail users exposed to cookie snaffling exploit</a> [The Registrer, Jun 8 2005]</li>
<li><a href="http://www.pcmag.com/article2/0,1759,1825250,00.asp">MSN Site Flaw Exposes Hotmail Accounts to Prying Eyes</a> [PC Magazine, Jun 7 2005]</li>
<li><a href="http://news.com.com/MSN+flaw+put+Hotmail+accounts+at+risk/2100-1002_3-5734448.html?part=rss&amp;tag=5734448&amp;subj=news">MSN flaw put Hotmail accounts at risk</a> [CNet, Jun 6 2005]</li>
<li><a href="http://www.net-force.nl/files/articles/hotmail_xss/">Hacking hotmail, by Alex de Vries</a> [Personal Web Page, Jun 4 2005]</li>
</ul>		6/9/2005Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlyHosting ProvidersNo
54
2005-18WHID 2005-18: Hacker hits Duke system<p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/isn/2005/Jun/0005.html">Hacker hits Duke system</a> [The News Observer, Jun 5 2005]</li>
</ul>		6/27/2005UnknownUnknownLeakage of InformationEducationNo
55
2005-19WHID 2005-19: Privacy Fears due to insufficient authentication on CVS drugstore chain web site<p>Additional information:</p>
<ul>
<li><a href="http://www.computerworld.com/securitytopics/security/story/0,10801,102773,00.html">Privacy Fears Prompt CVS To Turn Off Online Service </a> [Computer World, Jun 27 2005]</li>
</ul>		6/7/2005Credential/Session PredictionInsufficient AuthorizationDisclosure OnlyRetailNo
56
2005-2WHID 2005-2: Froogle XSS<p>An XSS was found in Froogle
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2005/01/17/google_security_bugs/">Google plugs brace of GMail security flaws</a> [The Register, Jan 14 2005]</li>
<li><a href="http://www.eweek.com/article2/0,1759,1751689,00.asp">Google Plugs Cookie-Theft Data Leak</a> [eWeek, Jan 14 2005]</li>
<li><a href="http://packetstormsecurity.nl/0501-exploits/froogleCookie.txt">Froogle XSS</a> [Packet Storm, ]</li>
</ul>		11-Jul-05Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlySearch EnginesNo
57
2005-20WHID 2005-20: Security gaps found in EPA contracting system<p>An audit of a major Environmental Protection Agency contract management system uncovered significant security lapses that, if exploited by hackers, could have serious consequences for the agency's operations, assets and personnel. The audit focused on lack of monitoring for known vulnerabilities on these systems.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.govexec.com/dailyfed/0206/020306p1.htm"> Security gaps found in EPA contracting system</a> [GovExec, Feb 3 2006]</li>
<li><a href="http://www.epa.gov/oig/reports/2006/20060131-2006-P-00010.pdf">Information Security Series: Security Practices - Integrated Contract Management System</a> [EPA, Jan 31 2006]</li>
</ul>		26-Feb-06Known VulnerabilityApplication MisconfigurationDisclosure OnlyGovernmentNo
58
2005-21WHID 2005-21: Insufficient authentication on USC admissions site allowed access to applicants dataA person who discovered an SQL injection vulnerability in a USC system and informed security focus about the flaw was criminally charged with breaking into the system.4/20/2006SQL InjectionImproper Input HandlingDisclosure OnlyEducationNo
59
2005-22WHID 2005-22: MS UK defaced in hacking attack<p>Microsoft UK site defaced due to server misconfiguration
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2005/07/06/msuk_hacked/">MS UK defaced in hacking attack</a> [The Register, Jul 6 2005]</li>
<li><a href="http://www.zone-h.org/index2.php?option=com_mirrorwrp&amp;Itemid=43&amp;id=2531794">MS UK Zone-H defacements archive</a> [Zone-H, Jul 6 2005]</li>
</ul>		11-Jul-05MisconfigurationApplication MisconfigurationDefacementTechnologyNo
60
2005-23WHID 2005-23: Chinese hacker held in Web data theft<p>The hacker who penetrated Kakaku.com was arrested after breaking into Club Tourism International Inc. Hacking was done in order to earn money to pay for tuition.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.contentguarder.com/news/web-content-news-0009.htm">Chinese hacker held in Web data theft</a> [Asahi Shimbun, Jul 7 2005]</li>
</ul>		http://www.contentguarder.com/news/web-content-news-0009.htm11-Jul-05SQL InjectionImproper Input HandlingLeakage of InformationHospitalityNo
61
2005-24WHID 2005-24: Firefox marketing site hacked<p>Additional information:</p>
<ul>
<li><a href="http://news.zdnet.com/2100-1009_22-5790030.html">Firefox marketing site hacked</a> [Zdnet, Jul 15 2005]</li>
<li><a href="http://news.com.com/Firefox+marketing+site+hacked/2100-7349_3-5790030.html?part=rss&amp;tag=5790030&amp;subj=news">Firefox marketing site hacked</a> [C-Net, Jul 15 2005]</li>
<li><a href="http://arstechnica.com/news.ars/post/20050715-5101.html">Promotional firefox community site hacked</a> [ars technica, Jul 15 2005]</li>
<li><a href="http://www.eweek.com/article2/0,1759,1837657,00.asp?kc=EWRSS03119TX1K0000594">SpreadFirefox Site Hacked, Data Leaked</a> [eWeek, Jul 15 2005]</li>
<li><a href="http://www.spreadfirefox.com/node/16836">Spread Firefox Downtime</a> [Spread Firefox, Jul 15 2005]</li>
<li><a href="http://www.networkworld.com/news/2005/071505-mozilla-hack.html?fsrc=rss-security">Mozilla marketing site hacked</a> [Network World, Jul 15 2005]</li>
</ul>		15-Jul-05UnknownUnknownLeakage of InformationTechnologyNo
62
2005-25WHID 2005-25: No Charges Filed Yet Against South Charlotte Computer Hacker<p>A man hacked into a competing web site
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.wsoctv.com/news/4773654/detail.html">No Charges Filed Yet Against South Charlotte Computer Hacker</a> [WSOC-TV, Jul 26 2005]</li>
</ul>		31-Jul-05UnknownUnknownLeakage of InformationEducationNo
63
2005-26WHID 2005-26: NISCC reveals SAP R/3 security flaw<p>Additional information:</p>
<ul>
<li><a href="http://www.computerweekly.com/Home/Articles/2005/07/28/211124/NISCCrevealsSAPR3securityflaw.htm">NISCC reveals SAP R/3 security flaw</a> [Computer Weekly, Jul 28 2005]</li>
</ul>		http://www.computerweekly.com/Articles/2005/07/28/211124/NISCC-reveals-SAP-R3-security-flaw.htm31-Jul-05Path TraversalImproper Input HandlingDisclosure OnlyTechnologyNo
64
2005-27WHID 2005-27: Phishers hack eBay<p>A bug in an eBay site allowed Phishers to redirect users to their own servers after feeling details at the genuine eBay site
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.macworld.com/news/2005/08/02/phishers/index.php?lsrc=mwrss">Phishers hack eBay</a> [MacWorld, Aug 2 2005]</li>
</ul>		8-Aug-05RedirectionImproper Input HandlingPhishingRetailNo
65
2005-28WHID 2005-28: Phishers Steal Trust from eBay Sign In PagesPhishers Steal Trust from eBay Sign In Pageshttp://news.netcraft.com/archives/2005/07/29/phishers_steal_trust_from_ebay_sign_in_pages.html6-Sep-00RedirectionImproper Input HandlingPhishingRetailCampbell, CANo
66
2005-29WHID 2005-29: Security issues in interactive hotel TVs<p>While not strictly web security, this discussion of hotel rooms TV application security is a very good example of the dangers of our networked society
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.wired.com/news/privacy/0,1848,68370,00.html">A Hacker Games the Hotel </a> [Wired, Jul 30 2005]</li>
</ul>		31-Jul-05Credential/Session PredictionInsufficient AuthenticationDisclosure OnlyHospitalityNo
67
2005-3WHID 2005-3: Misconfiguration issues in paid wireless access and billing applications<p>Multiple misconfiguration problems such as browsable directories, physical path revealing and default or weak passwords
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.thinkcomputer.com/corporate/news/pressreleases.html?id=17">Think Discovers Critical Flaws in U.S. Transportation Security</a> [Vulnerabiliy Publisher's Site, Feb 1 2005]</li>
</ul>		2/1/2005Unintentional Information DisclosureDirectory IndexingLeakage of InformationService ProvidersNo
68
2005-30WHID 2005-30: Blogger Developers Network Blog Cracked<p>Official answer from Blogger was that this was not the result of a hack attempt but of a subtle bug that occurred because our Developer's Network blog is a special case [it's got two names, 'code.blogger.com' and 'code.blogspot.com'].
</p><p>Additional information:</p>
<ul>
<li><a href="http://google-blog.dirson.com/post.new/0272/">Blogger Developers Network Blog Cracked</a> [, Jul 31 2005]</li>
</ul>		4-Aug-05Administration ErrorApplication MisconfigurationDefacementBlogsNo
69
2005-31WHID 2005-31: Hacker forced new planet discovery out of the closet<p>Additional information:</p>
<ul>
<li><a href="http://www.theinquirer.net/?article=25031">Hacker forced new planet discovery out of the closet </a> [The Inquierer, Aug 1 2005]</li>
</ul>		4-Aug-05UnknownUnknownExtortionEducationNo
70
2005-32WHID 2005-32: Weak password recovery on Citrix's site<p>Weak password recovery procedure at Citrix
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.securityfocus.com/archive/107/407243/30/0/threaded">Example of the worst passwd recovery interface</a> [WebAppSec mailing list, Aug 3 2005]</li>
</ul>		8-Aug-05Unintentional Information DisclosureInsufficient Password RecoveryDisclosure OnlyService ProvidersNo
71
2005-33WHID 2005-33: Insufficient authorization on Verizon's MyAccount feature<p>A web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.washingtonpost.com/wp-dyn/content/article/2005/08/11/AR2005081102122.html">Glitch on Verizon Wireless Web Site Left Data at Risk</a> [Washington Post, Aug 12 2005]</li>
</ul>		22-Aug-05Credential/Session PredictionInsufficient AuthorizationDisclosure OnlyService ProvidersNo
72
2005-34WHID 2005-34: Man logs into dabs.com misc customer account<p>Additional information:</p>
<ul>
<li><a href="http://www.channelregister.co.uk/2005/08/18/dabs_password_misdirected/">Man logs into dabs.com customer account shocker</a> [channel register, Aug 18 2005]</li>
</ul>		22-Aug-05Abuse of FunctionalityInsufficient Password RecoveryLeakage of InformationRetailNo
73
2005-35WHID 2005-35: Stanford University web sites defaced using XMLRPC bug<p>Sites where defaced by utilizing an issue in an XMLRPC library used by PHP
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.zone-h.org/en/news/read/id=205962/">Brazilian defacers hack hundreds of Stanford University web sites</a> [Zone-H, Aug 21 2005]</li>
</ul>		23-Aug-05OS CommandingImproper Input HandlingDefacementEducationNo
74
2005-36WHID 2005-36: Predictable delay in an online poker game enabled users to beat the casino<p>A player of an online game discovered that considerable delay hinted on the cards the dealer holds.
</p><p>Additional information:</p>
<ul>
<li><a href="http://haacked.com/archive/2005/08/29/9748.aspx">Online Games Are Written By Humans</a> [Personal , Aug 29 2005]</li>
</ul>		4-Sep-05Unintentional Information DisclosureAbuse of FunctionalityMonetary LossEntertainmentNo
75
2005-37WHID 2005-37: A 12 years old hacked an online game and stole game items<p>A 12 years old guess login information of a woman and abused her account, stealing game items from her.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.buslab.org/index.php/content/view/22317/2/">Boy, 12, referred to child guidance center for hacking into online game site</a> [Manchini Daily News, Sep 7 2005]</li>
</ul>		12-Sep-05Brute ForceInsufficient Anti-automationInformation WarfareEntertainmentNo
76
2005-38WHID 2005-38: Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers<p>Teen convicted of threatening an ISP with DOS attack, among other computer hacking activities
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&amp;STORY=/www/story/09-08-2005/0004103380&amp;EDATE=">Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers </a> [Press Release, Sep 8 2005]</li>
</ul>		12-Sep-05Denial of ServiceInsufficient Anti-automationExtortionService ProvidersNo
77
2005-39WHID 2005-39: Promotional Firefox community site hacked (again)<p>Exploited unpatched Twiki
</p><p>Additional information:</p>
<ul>
<li><a href="http://arstechnica.com/news.ars/post/20051004-5383.html">Promotional Firefox community site hacked (again)</a> [ARStechnica, Oct 4 2005]</li>
<li><a href="http://www.net-security.org/article.php?id=836">SpreadFirefox.com Community Website Hacked Once Again</a> [ARStechnica, Oct 4 2005]</li>
</ul>		8-Nov-05OS CommandingImproper Input HandlingLeakage of InformationTechnologyNo
78
2005-4WHID 2005-4: An Israeli debate site vulnerable to XSS<p>An Israeli public debates site called Hyde Park has an XSS vulnerability that exposes session cookies.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.nrg.co.il/online/10/ART1/049/017.html">Identity theft in Hyde Park</a> [nrg.co.il, Feb 16 2005]</li>
</ul>		2/16/2005Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlyPoliticsNo
79
2005-40WHID 2005-40: Defacement of several Novell websites<p>Script upload due to a scoop known vulnerability
</p><p>Additional information:</p>
<ul>
<li><a href="http://lists.suse.com/archive/suse-security-announce/2005-Oct/0001.html">Defacement of several Novell websites</a> [Mailing list post, Oct 4 2005]</li>
</ul>		8-Nov-05Administration ErrorApplication MisconfigurationDefacementTechnologyNo
80
2005-41WHID 2005-41: XSS on Google&#039;s AdWords enables phishing<p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/Google+fixes+Web+site+security+bug/2100-1002_3-5892525.html?part=rss&amp;tag=5892525&amp;subj=news">Google fixes Web site security bug</a> [News.com, Oct 10 2005]</li>
</ul>		10-Nov-05Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlySearch EnginesNo
81
2005-42WHID 2005-42: Default password in a common application used by schools<p>The software has a default password for teachers, enabling anyone to access the system with teachers privileges.
</p><p>Additional information:</p>
<ul>
<li><a href="http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/10/21/SNAFU.TMP"> Software glitch reveals private data for thousands of state's students<br />
S.F. administrators close program to update passwords</a> [Sfgate, Oct 21 2005]</li>
</ul>		10-Nov-05Administration ErrorInsufficient AuthenticationLeakage of InformationEducationNo
82
2005-43WHID 2005-43: XSS in Yahoo&#039;s Web mail enables phishing<p>XSS in Yahoo mail, Allows phishing
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/Yahoo+fixes+Web+mail+security+flaw/2100-1002_3-5907383.html">Yahoo fixes Web mail security flaw</a> [News.com, Oct 21 2005]</li>
</ul>		10-Nov-05Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlyHosting ProvidersNo
83
2005-44WHID 2005-44: Xoops web site hacked<p>Configuration mistake left an unprotected unused virtual host. No details on the configuration problems given.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.xoops.org/modules/news/article.php?storyid=2639">Xoops web site hacked</a> [Vendor Web Site, Oct 28 2005]</li>
</ul>		8-Nov-05Administration ErrorApplication MisconfigurationLeakage of InformationTechnologyNo
84
2005-46WHID 2005-46: Teen uses SQL injection to break to a security magazine web site<p>A high school student used SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customer's information.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.taipeitimes.com/News/front/archives/2006/01/22/2003290158">Teenage hacker facing court case for data theft</a> [Taipe Times, Jan 22 2006]</li>
</ul>		http://www.taipeitimes.com/News/front/archives/2006/01/22/200329015826-Feb-06SQL InjectionImproper Input HandlingLeakage of InformationMediaNo
85
2005-47WHID 2005-47: SEC Vs. The Estonian Spiders<p>Business wire allowed access to non published press releases.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.webpronews.com/topnews/topnews/wpn-60-20051102SECVsTheEstonianSpiders.html">SEC Vs. The Estonian Spiders</a> [Web Pro News, Nov 2 2005]</li>
</ul>		8-Nov-05Process AutomationInsufficient Anti-automationLeakage of InformationFinanceNo
86
2005-48WHID 2005-48: Insufficient authorization on Papa John's Pizza chain web site<p>Additional information:</p>
<ul>
<li><a href="http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0156.html">Zero Day Pizza Party - Yo Noid Advisory #00001</a> ["Full Disclosure" Mailing List, Nov 7 2005]</li>
<li><a href="http://news.com.com/Pizza+chain+caught+without+fully+baked+security/2100-7349_3-5938572.html">Pizza chain caught without fully baked security</a> [Cnet, Nov 7 2005]</li>
</ul>		10-Nov-05Predictable Resource LocationInsufficient AuthorizationLeakage of InformationRetailNo
87
2005-49WHID 2005-49: Google Base launched with security hole<p>XSS in Google Base search function
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.pcworld.idg.com.au/index.php/id;751088708;fp;2;fpid;1">Google Base launched with security hole</a> [PC World, Nov 21 2005]</li>
<li><a href="http://jibbering.com/blog/?p=189">More Google security failures</a> [Jibbering.com, Nov 16 2005]</li>
</ul>		28-Feb-06Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlySearch EngineNo
88
2005-5WHID 2005-5: Paris Hilton&#039;s T-Mobile online account hacked<p>Details remain sketchy, but news reports include social engineering, a guessable secret question for password recovery, and a known vulnerability is BEA WebLogic
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.washingtonpost.com/wp-dyn/content/article/2005/05/19/AR2005051900711.html">Paris Hilton Hack Started With Old-Fashioned Con</a> [Washington Post, May 19 2005]</li>
<li><a href="http://www.pcworld.com/news/article/0,aid,119851,00.asp">Paris Hilton: Victim of T-Mobile's Web Flaws?</a> [PCWorld, Mar 1 2005]</li>
<li><a href="http://www.wired.com/news/privacy/0,1848,66735,00.html">Known Hole Aided T-Mobile Breach</a> [Wired.com, Feb 28 2005]</li>
<li><a href="http://www.macdevcenter.com/pub/a/mac/2005/01/01/paris.html">How Paris Got Hacked?</a> [O'Reilly Network, Feb 22 2005]</li>
</ul>		11-Jul-05Abuse of FunctionalityInsufficient Password RecoveryLeakage of InformationTechnologyNo
89
2005-50WHID 2005-50: XSS on Yahoo Mail<p>Inserting code in an HTML attachments enables changing the user interface of Yahoo mail, which may enable fraud.
</p><p>Additional information:</p>
<ul>
<li><a href="http://archives.neohapsis.com/archives/bugtraq/2005-11/0289.html">XSS on Yahoo Mail</a> [Bugtraq, Nov 23 2005]</li>
<li><a href="http://richard.computeiro.com/yahoo_bug.jpg">XSS on Yahoo Mail</a> [Bugtraq, Nov 23 2005]</li>
</ul>		28-Feb-06Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlyHosting ProvidersNo
90
2005-51WHID 2005-51: Critical MySpace Vulnerabilities Leave Every Active Account Exploitable<p>An XSS when receiving notification of an incoming IM message. Additionally it is possible to send an IM message to somebody who has blocked such messages by pretending to be answering a message from him.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.silent-products.com/advisory12.5.05.txt">Critical Myspace Vulnerabilities Leave Every Active Account Exploitable</a> [Silent Productions, Dec 5 2005]</li>
</ul>		28-Feb-06Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlyWeb 2.0No
91
2005-53WHID 2005-53: Charity Web Site Hacked<p>A UK Church charity web site was hacked and at least 3000 credit card numbers where stolen. Credit card information is known to have been used by the hackers. While no specific details are given, the article indicates that the way site was hacked.
</p><p>Additional information:</p>
<ul>
<li><a href="http://software.silicon.com/malware/0,3800003100,39154991,00.htm">Police investigate charity credit card data hack</a> [Silicon.com, Dec 12 2005]</li>
</ul>		26-Feb-06UnknownUnknownCredit Card LeakageReligiousNo
92
2005-54WHID 2005-54: XSS vulnerability in NIST web site<p>Netcraft discovered an XSS vulnerability in NIST web site, which ironically hosts the U.S. National Vulnerability Database.

</p><p>Additional information:</p>

<ul>

<li><a href="http://news.netcraft.com/archives/2005/12/14/us_government_security_site_vulnerable_to_common_attack.html">US Government Security Site Vulnerable to Common Attack</a> [NetCraft, Dec 14 2005]</li>

</ul>		26-Feb-06Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlyGovernmentNo
93
2005-55WHID 2005-55: Yahoo RSS XSS Vulnerability<p>A malicious site can offer users a malformed RSS XML file to be included Yahoo RSS aggregation that would enable stealing Yahoo cookies

</p><p>Additional information:</p>

<ul>

<li><a href="http://www.alljer.com/yahoorssxss.htm">Yahoo RSS XSS Vulnerability</a> [alljer.com, Dec 18 2005]</li>

</ul>		28-Feb-06Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlySearch EngineNo
94
2005-56WHID 2005-56: XSS vulnerabilities in Google.com<p>A redirection to an error page on Google.com includes values sent by the the user. This vulnerability allows phishers to send an e-mail with links to Google that will include their attack page.

</p><p>Additional information:</p>

<ul>

<li><a href="http://www.webappsec.org/lists/websecurity/archive/2005-12/msg00059.html">XSS vulnerabilities in Google.com</a> [Watchfire, Dec 21 2005]</li>

<li><a href="http://www.betanews.com/article/Google_CrossSite_Scripting_Flaw_Fixed/1135201187">Google Cross-Site Scripting Flaw Fixed</a> [Beta News, Dec 21 2005]</li>

<li><a href="http://news.com.com/Google+plugs+obscure+phishing+holes/2100-1002_3-6004471.html">Google plugs 'obscure' phishing holes</a> [CNet, Dec 21 2005]</li>

<li><a href="http://shiflett.org/archive/178">Google XSS Example</a> [Chris Shiflett, Dec 21 2005]</li>

<li><a href="http://shiflett.org/archive/177">Google's XSS Vulnerability</a> [Chris Shiflett, Dec 21 2005]</li>

</ul>		28-Feb-06Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlySearch EngineNo
95
2005-57WHID 2005-57: RPG site bit by hackers<p>User data stolen from an online game web site. The hacker tried to extort RPG by threatening to publish the users' data. The news item states that the hack was a result of a flaw in custom web site software.

</p><p>Additional information:</p>

<ul>

<li><a href="http://www.scmagazine.com/uk/news/article/533573/rpg-site-bit-hackers/">RPG site bit by hackers</a> [SC Mazagine, Dec 21 2005]</li>

</ul>		26-Feb-06UnknownUnknownExtortionEntertainmentNo
96
2005-58WHID 2005-58: Yahoo mail Cross Site Scripting<p>An attacker can send an e-mail with a malicious script to a victim which is perform its actions immediately when the e-mail is read.

</p><p>Additional information:</p>

<ul>

<li><a href="http://www.morx.org/yahoo-XSS.txt">Yahoo mail Cross Site Scripting</a> [Morx, Dec 22 2005]</li>

</ul>		28-Feb-06Cross-site Scripting (XSS)Improper Output HandlingDisclosure OnlyService ProvidersNo
97
2005-59WHID 2005-59: Vote Someone Else&#039;s Shares<p>Janus mutual fund uses predictable identifier to authenticate its share holders enabling them to vote for others.

</p><p>Additional information:</p>

<ul>

<li><a href="http://www.schneier.com/blog/archives/2005/11/vote_someone_el.html">Vote Someone Else's Shares</a> [Bruce Schneier, Nov 24 2005]</li>

</ul>		28-Feb-06Credential/Session PredictionInsufficient AuthorizationDisclosure OnlyFinanceNo
98
2005-6WHID 2005-6: Tampering with parameters allows access to others account data on PayMaxx Inc. site<p>Parameter tampering enabled jumping into someone else's account data on PayMaxx Inc. site
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/Payroll+site+closes+on+security+worries/2100-1029_3-5587859.html?tag=cd.hed">Payroll site closes on security worries</a> [CNet, Feb 23 2005]</li>
<li><a href="http://www.thinkcomputer.com/corporate/news/pressreleases.html?id=18">Think Finds Flaw Revealing Up To 100,000 Social Security Numbers</a> [Vulnerabiliy Publisher's Site, Feb 23 2005]</li>
</ul>		2/23/2005Credential/Session PredictionInsufficient AuthorizationLeakage of InformationFinanceNo
99
2005-60WHID 2005-60: KU shuts down housing application Web site<p>Web site used to file online for housing at KU was shutdown for lack of proper security measures to prevent visitors from viewing personal information about others

</p><p>Additional information:</p>

<ul>

<li><a href="http://www.kansascity.com/mld/kansascity/news/local/13495104.htm">KU shuts down housing application Web site</a> [Associated Press, Dec 27 2005]</li>

</ul>		26-Feb-06UnknownUnknownLeakage of InformationGovernmentNo
100
2005-61WHID 2005-61: Gmail session management bug<p>A bug in Gmail's authentication and session management allows direct login to anybodies account without requiring any involvement of the victim.

</p><p>Additional information:</p>

<ul>

<li><a href="http://www.elhacker.net/gmailbug/english_version.htm">Gmail bug</a> [elhacker.net, Oct 18 2005]</li>

<li><a href="http://www.eweek.com/article2/0,1759,1889050,00.asp">Google Downplays Gmail Security Fix</a> [eWeek, Oct 18 2005]</li>

</ul>		12-Apr-06Credential/Session PredictionInsufficient AuthorizationDisclosure OnlyService ProvidersNo