Website Risk Management
Business Logic Flaws :: Making Millions by Trading on Class: Predictable Resource Location and Insufficient Authorization
http://website/press_release/08/29/2007/00001.html

Before granting read access to a press release Web page, the back-end Business Wire system ensures that the user is properly logged in. Can you spot the security problem?

An Estonian financial firm, Lohmus Haavel & Viisemann, discovered that the press release Web page URLs were named in a predictable fashion (month, day, year, and a sequence number). While links to a release did not yet exist because it was still under embargo, nothing stopped a user from guessing the filename and gaining access to the file. This worked because the only security check Business Wire performed was that the user was logged in, nothing more: authentication was being used as a substitute for authorization. According to the SEC, which began an investigation, Lohmus Haavel & Viisemann profited over $8 million by trading on the information they obtained*.

Solution

The system should not rely on the login check alone. Before serving a press release it should also verify that the requesting user is authorized to see that release and that its embargo date has passed. A request for an embargoed release should receive the same response as a request for a file that does not exist, so that guessing a filename confirms nothing about what is queued for publication.
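To make the flaw concrete, here is an added illustration in Python; it is not Business Wire's code and is not part of the original page. It places a request handler that gates releases on login alone beside one that also enforces the embargo, and an enumerator that guesses the predictable filenames the way the attackers did. The path pattern (month/day/year/sequence), the embargo times and the release bodies are assumptions modelled on the URL quoted above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class PressRelease:
    path: str
    embargo_until: datetime   # must not be readable before this instant
    body: str


# Constructed sample data: two releases queued at predictable paths.
# Paths, embargo times and bodies are invented for this example.
RELEASES = {
    "/press_release/08/29/2007/00001.html": PressRelease(
        "/press_release/08/29/2007/00001.html",
        datetime(2007, 8, 29, 13, 0, tzinfo=UTC),
        "ACME Corp reports record quarterly earnings",
    ),
    "/press_release/08/29/2007/00002.html": PressRelease(
        "/press_release/08/29/2007/00002.html",
        datetime(2007, 8, 30, 13, 0, tzinfo=UTC),
        "ACME Corp announces acquisition of Widgets Inc",
    ),
}

# Assumed clock values used by the demonstration below.
BEFORE_EMBARGO = datetime(2007, 8, 29, 9, 0, tzinfo=UTC)        # neither lifted
AFTER_FIRST_EMBARGO = datetime(2007, 8, 29, 14, 0, tzinfo=UTC)  # only 00001 lifted


def vulnerable_get(path, logged_in, now):
    """The flawed check: authentication is the only gate.

    Any logged-in user who can guess a path reads the file, embargo or not.
    """
    if not logged_in:
        return 403, ""
    release = RELEASES.get(path)
    if release is None:
        return 404, ""
    return 200, release.body


def hardened_get(path, logged_in, now):
    """Authentication plus a per-resource authorization decision.

    An embargoed release and a non-existent one produce the identical
    response, so a guessed path confirms nothing about pending releases.
    """
    if not logged_in:
        return 403, ""
    release = RELEASES.get(path)
    if release is None or now < release.embargo_until:
        return 404, ""
    return 200, release.body


def guess_paths(month, day, year, count):
    """Enumerate the predictable filenames an attacker would try for one day."""
    return [f"/press_release/{month:02d}/{day:02d}/{year}/{n:05d}.html"
            for n in range(1, count + 1)]


def harvest(handler, paths, now):
    """Replay the attack: request every guessed path as a logged-in user
    and keep the ones that come back with a 200."""
    found = []
    for path in paths:
        status, body = handler(path, True, now)
        if status == 200:
            found.append((path, body))
    return found


if __name__ == "__main__":
    candidates = guess_paths(8, 29, 2007, 10)
    print("vulnerable:", [p for p, _ in harvest(vulnerable_get, candidates, BEFORE_EMBARGO)])
    print("hardened:  ", [p for p, _ in harvest(hardened_get, candidates, BEFORE_EMBARGO)])
```

Run before either embargo lifts, the vulnerable handler hands both releases to anyone who is logged in, while the hardened handler returns nothing; after the first embargo passes it serves exactly that one release. The 404 for an embargoed release is deliberate: a distinct "not yet" status would turn the filename guess into an oracle for what is about to be announced. Making filenames unpredictable is worth doing as well, but only as defence in depth; the authorization check on the embargo date is the control that actually closes the flaw.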