Lost: Juicy Identity Theft Story

I saw a news story posted somewhere in the last month (let’s just say sometime in 2005 to be safe) about a guy who discovered a security vulnerability in a Web site somewhere that basically worked like this:

  1. Go to site.
  2. Notice unique ID in URL.
  3. Increment by one.
  4. Read other people’s data.

Anyone remember what I’m talking about or have a link to a news item? I’ve spent the last four hours trying everything I can on Slashdot, Google, Google News, The Register, the NYT (which is where I think I read it), etc., and I’ve had no luck so far.

It’s not the Harvard MBA story. That only involved people seeing their own data. And I’m pretty sure it’s not the Johns Hopkins J-CARD story I linked to back in early February.

Thanks a bunch if anyone finds it and posts it here.

posted by Chris on 12 March 2005 at 0029 in sci-tech


Comment by Heatsink

I remember that article too. It wasn’t that long ago, but like you I’ll be damned if I can find it.

I did run across this interesting PDF about brute force hacking PHP session IDs, but that’s about it:

http://www.cgisecurity.com/lib/SessionIDs.pdf

The only other thing I can suggest is that if it was on Boing Boing or Slashdot, you can run some pretty advanced searches on my echoes (http://theheatinkbbs.ca/echoes) - no ‘www’ this time. I’ve been collecting Boing Boing and Slashdot’s RSS feeds for about 6 months now and all their entries should be in there somewhere.

I tried searching the echoes, but to no avail. You may remember more about the article than I do, however, and therefore may have better luck.

posted at 0029 on 12 March 2005
