HSBC plugs hole that exposed site directory

HSBC has finally fixed a bug that allowed web surfers to browse the directory structure of a supposedly secure website it helps to run. The John Lewis Partnership card secure website (a joint venture with HSBC) allowed the curious, and potentially malicious, to peek into its underlying structure. "Great if you were planning a …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Unauthorised usage..

    So does this explain the unauthorised usages on the missus's credit card then?

    No, this time it's not a joke!! Any other JLP card holders had similar?

  2. Tom Chiverton

    Err...

    "Great if you were planning a phishing attack and wanted to get a complete site layout and set of assets"

    wget ?

  3. Anonymous Coward

    Sorry, where's the security problem?

    I'm somewhat confused. Why would `leaking' the directory structure of your site be considered a security flaw? As an analogy, one would never consider `leaking' the layout of a building as a security risk*.

    * Unless you are the developer of Terminal 5 and for some reason believe this information is top secret... Possibly under the assumption that no one will ever walk around the building....

  4. Mr Smin

    building

    leaking the layout of a building may be an asset to burglars.

  5. Pink Duck

    Live SQL Injection

    http://www.hbeu1.hsbc.com/ukservices/branchlocator/town.asp?town=0%20OR%201=1&type=

    Need I say any more?
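The payload in the URL above, `town=0 OR 1=1`, is the textbook test for a query built by string concatenation: the parameter is pasted into the WHERE clause unquoted, so `0 OR 1=1` turns a lookup of one row into a lookup of every row. The following is an added example (not the commenter's code, and not HSBC's branch locator) that reproduces the pattern against a constructed in-memory SQLite table, alongside the parameterised query that defeats it. The table names, columns and rows are invented for the demonstration; the UNION payload goes one step beyond the comment to show why a read-only locator page still leaks data from other tables.

```python
import sqlite3

# Constructed sample data standing in for a branch-locator backend.
# Nothing here is HSBC's real schema.
BRANCHES = [
    (1, "London", "Acme Bank London Branch"),
    (2, "Leeds", "Acme Bank Leeds Branch"),
    (3, "Bristol", "Acme Bank Bristol Branch"),
]
# A second table the locator never queries on purpose, to show that a
# UNION-based payload can read it through the same injection point.
STAFF = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "helpdesk", "e10adc3949ba59abbe56e057f20f883e"),
]


def build_db():
    """Create the in-memory database with the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE branch (id INTEGER, town TEXT, name TEXT)")
    conn.executemany("INSERT INTO branch VALUES (?, ?, ?)", BRANCHES)
    conn.execute("CREATE TABLE staff (id INTEGER, username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", STAFF)
    return conn


def find_branches_vulnerable(conn, town):
    """The classic ASP-era pattern: query text assembled by concatenation.

    `town` is whatever arrived in the query string, so "0 OR 1=1" is parsed
    as SQL rather than compared as a value.
    """
    sql = "SELECT id, town, name FROM branch WHERE id = " + town
    return conn.execute(sql).fetchall()


def find_branches_safe(conn, town):
    """Same lookup with the value bound as a parameter.

    The driver sends the text as data; the SQL parser never sees it, so
    "0 OR 1=1" is simply a string that matches no id.
    """
    sql = "SELECT id, town, name FROM branch WHERE id = ?"
    return conn.execute(sql, (town,)).fetchall()


def demo():
    """Run the three payloads against both versions and return the results."""
    conn = build_db()
    payloads = {
        "legit": "2",
        "tautology": "0 OR 1=1",
        "union": "0 UNION SELECT id, username, pw_hash FROM staff",
    }
    results = {}
    for label, value in payloads.items():
        results[label] = {
            "vulnerable": find_branches_vulnerable(conn, value),
            "safe": find_branches_safe(conn, value),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label)
        print("  vulnerable:", outcome["vulnerable"])
        print("  safe:      ", outcome["safe"])
```

The tautology payload returns all three branches from the concatenated query and nothing from the bound one; the UNION payload returns the staff usernames and hashes from the concatenated query, which is the "need I say more" part. Binding alone is the fix; rejecting anything that is not a plain integer before the query is a cheap second layer and also gives you a clean log line when someone tries this.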

  6. Anonymous Coward

    @Mr Smin

    Yes indeed, but it is security by obscurity, which we know does not work.

  7. Anonymous Coward

    @Pink Duck

    I'm interested if you can change some details....

  8. Dennis

    Re: Sorry, where's the security problem?

    (1) Access to directory listings of the web site can reveal pages that are not linked in. Perhaps the document with the turnover figures that will be released at noon. Perhaps ini files or server side include files with configuration or authorisation details.

    (2) Access to directory listings shows that their system build, configuration and testing process is flawed. If they missed an obvious thing like directory listing, what else did they miss?
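Point (1) is the one that turns a listing from an embarrassment into a finding: the listing names files nobody linked to, and some of those (include files, `global.asa`, database dumps, backups) carry credentials or logic. The following is an added example, not the commenter's code, of the check a tester would run over the response bodies of a crawl: recognise the autoindex page formats that IIS, Apache and nginx emit, pull out every entry, and flag the ones whose extension suggests server-side material. The sample HTML bodies are constructed to mimic those formats; the domain, paths and the `SENSITIVE_SUFFIXES` list are assumptions to tune per engagement.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of extensions that usually mean server-side material which
# was never meant to be fetched directly. Extend per target platform.
SENSITIVE_SUFFIXES = (".ini", ".inc", ".asa", ".config", ".bak", ".old",
                      ".sql", ".mdb", ".zip", ".log")

# Strings emitted by common autoindex implementations: IIS directory
# browsing, Apache mod_autoindex and nginx autoindex respectively.
LISTING_MARKERS = ("[To Parent Directory]", "<title>Index of /",
                   '<a href="../">../</a>')


class _LinkCollector(HTMLParser):
    """Collect every href on the page; HTMLParser lowercases tag/attr names."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(body):
    """True if the body looks like an autoindex page rather than content."""
    lowered = body.lower()
    return any(marker.lower() in lowered for marker in LISTING_MARKERS)


def listing_entries(body):
    """Return the paths linked from a listing, dropping query-only sort links."""
    collector = _LinkCollector()
    collector.feed(body)
    entries = []
    for href in collector.hrefs:
        path = urlparse(href).path
        if path and path not in entries:
            entries.append(path)
    return entries


def sensitive_entries(entries):
    """Filter entries down to the ones a tester would fetch first."""
    return [e for e in entries if e.lower().endswith(SENSITIVE_SUFFIXES)]


def audit_response(body):
    """Summarise one response body: is it a listing, and what does it expose?"""
    if not is_directory_listing(body):
        return {"listing": False, "entries": [], "sensitive": []}
    entries = listing_entries(body)
    return {"listing": True, "entries": entries,
            "sensitive": sensitive_entries(entries)}


# Constructed sample responses (not captured from any real site).
IIS_SAMPLE = """<html><head><title>www.example.com - /secure/include/</title></head>
<body><H1>www.example.com - /secure/include/</H1><hr>
<pre><A HREF="/secure/">[To Parent Directory]</A><br><br>
 5/12/2008  9:14 AM        2048 <A HREF="/secure/include/db.inc">db.inc</A><br>
 5/12/2008  9:14 AM         512 <A HREF="/secure/include/global.asa">global.asa</A><br>
 5/12/2008  9:15 AM        1024 <A HREF="/secure/include/menu.asp">menu.asp</A><br>
</pre><hr></body></html>"""

APACHE_SAMPLE = """<html><head><title>Index of /static</title></head>
<body><h1>Index of /static</h1>
<table><tr><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="site.css">site.css</a></td></tr>
<tr><td><a href="backup.sql">backup.sql</a></td></tr>
</table></body></html>"""

NORMAL_PAGE = ('<html><head><title>Welcome</title></head>'
               '<body><a href="/login.asp">Log in</a></body></html>')


if __name__ == "__main__":
    for name, body in (("iis", IIS_SAMPLE), ("apache", APACHE_SAMPLE),
                       ("normal", NORMAL_PAGE)):
        print(name, audit_response(body))
```

In practice you feed `audit_response` the body of a request for each directory the crawl discovered (`/images/`, `/include/`, `/scripts/` and so on), and the `sensitive` list is the set of URLs to fetch next. The fix on the server side is the one-line one: disable directory browsing in IIS, or `Options -Indexes` in Apache, and then check it with the same script.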

  9. frymaster

    @AC re:security by obscurity

    depends on your definition of "work". It means any flaws are hard to find. This is a good thing. It gives you more time to find and fix flaws, and means some flaws might never be discovered by baddies at all.

    What it is NOT is a substitute for fixing and finding flaws. It's a barrier that will keep out riffraff and cause more determined attackers to take more time and possibly be more noticeable. These are all good things.

    The "security by obscurity" mantra only really applies where people use attempted obfuscation INSTEAD of other methods. And in some fields (cryptography) it is much more beneficial to expose your algorithm to scrutiny to hammer out the bugs - but you still hide your key, don't you? ;)
