
Privacy concerns

  • 24-08-2010 3:19pm
    #1
    Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    I was recently checking my usage information for my ISP and while doing so inadvertently discovered a bug on their site that allows access to any customer by guessing the customer ID. Upon doing this you can access all the customer's phone records + other sensitive information. It even allows modification of account details.

    Just wondering who to contact. I don't want to be accused of hacking because this was simply a typo that made the difference... Would it be better to contact data protection?


Comments

  • Registered Users, Registered Users 2 Posts: 5,967 ✭✭✭JDxtra


    Let the company know in writing (email is fine). Then, if they don't fix it fairly sharpish consider reporting it to the Data Protection Commissioner and maybe even the press.

    I'm tired of big organisations having poor security around personal customer data and there is simply no excuse for it these days.


  • Registered Users, Registered Users 2 Posts: 2,534 ✭✭✭FruitLover


    I wouldn't pussy-foot around - bear in mind that you are a potential victim here. I'd let the ISP know in no uncertain terms my dissatisfaction with their (lack of) security here, and my intent to inform the public (not just the DPC) if this product of laziness isn't corrected post haste.


  • Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,532 CMod ✭✭✭✭Black Swan


    It's an ISP zero day, so move quickly, as everyone is vulnerable.


  • Closed Accounts Posts: 325 ✭✭hello932


    Xcellor wrote: »
    I was recently checking my usage information for my ISP and while doing so inadvertently discovered a bug on their site that allows access to any customer by guessing the customer ID. Upon doing this you can access all the customer's phone records + other sensitive information. It even allows modification of account details.

    Just wondering who to contact. I don't want to be accused of hacking because this was simply a typo that made the difference... Would it be better to contact data protection?

    Can you elaborate on this? 'Cos it sounds like you would have to brute-force / dictionary-attack the user accounts' passwords first before getting access.


  • Registered Users, Registered Users 2 Posts: 3,503 ✭✭✭thefinalstage


    Xcellor wrote: »
    I was recently checking my usage information for my ISP and while doing so inadvertently discovered a bug on their site that allows access to any customer by guessing the customer ID. Upon doing this you can access all the customer's phone records + other sensitive information. It even allows modification of account details.

    Just wondering who to contact. I don't want to be accused of hacking because this was simply a typo that made the difference... Would it be better to contact data protection?

    This is a very serious security hole. Inform the ISP immediately. If nothing is done within 7 days contact the Data Protection Commission.

    There are 2 schools of thought on releasing this info to the public.

    1. If it is made public there will be a lot of pressure on the ISP to sort it out.

    2. If it is made public it puts people at a much higher risk of it occurring.


  • Registered Users, Registered Users 2 Posts: 5,566 ✭✭✭Gillo


    thefinalstage wrote: »
    This is a very serious security hole. Inform the ISP immediately. If nothing is done within 7 days contact the Data Protection Commission.

    There are 2 schools of thought on releasing this info to the public.

    1. If it is made public there will be a lot of pressure on the ISP to sort it out.

    2. If it is made public it puts people at a much higher risk of it occurring.

    If nothing else it'd be reckless to release the information; contact both the ISP and the Data Protection Commissioner. Bear in mind that while you may have accidentally come across this, knowingly using it to access other people's information would be a very serious offence.


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    Gillo wrote: »
    If nothing else it'd be reckless to release the information; contact both the ISP and the Data Protection Commissioner. Bear in mind that while you may have accidentally come across this, knowingly using it to access other people's information would be a very serious offence.

    Yep, I will contact the ISP. It seems the problem is worse than I thought: you don't need to log in, i.e. any person who gets the link can access the details.


  • Registered Users, Registered Users 2 Posts: 12,804 ✭✭✭✭Exclamation Marc


    thefinalstage wrote: »
    This is a very serious security hole. Inform the ISP immediately. If nothing is done within 7 days contact the Data Protection Commission.

    There are 2 schools of thought on releasing this info to the public.

    1. If it is made public there will be a lot of pressure on the ISP to sort it out.

    2. If it is made public it puts people at a much higher risk of it occurring.

    I agree with this, but I wouldn't wait 7 days; I'd more so wait 2 days considering how sensitive the information has been implied to be.

    To be honest, I'd go straight to the Data Protection Commissioner, as the customers have a right to know, and you never know, the company you are dealing with might try to sweep it under the carpet.


  • Registered Users, Registered Users 2 Posts: 3,357 ✭✭✭snappieT


    I noticed something very similar last year for PAC (the postgraduate version of CAO), where you could see everyone's personal details and accept/reject offers for courses they had applied to.

    Contacted the Data Protection Commissioner straight away, they got in touch with PAC and it was fixed within 2 days.


  • Registered Users, Registered Users 2 Posts: 174 ✭✭El Camino


    Xcellor wrote: »
    Yep, I will contact the ISP. It seems the problem is worse than I thought: you don't need to log in, i.e. any person who gets the link can access the details.

    Well have you had any response on this one yet from the ISP?


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    The issue was dealt with promptly enough, the next day. Not really happy with this response though:

    "Hi X,

    Many thanks for sharing this information and I appreciate your concerns.

    We have been making a large number of changes to our site over the last few months due to changes in banking procedures.

    We are also on the verge of launching a brand new site based on more stable and proven technology.

    The glitch you have identified was due to security measures being disabled for testing purposes on the statement page and a delay in re-enabling these security measures. This was amended this morning and I would appreciate your feedback that this is now resolved.

    Regards
    ISP management"


    They disable security measures on live customer databases and then, to make it worse, leave the security off... I replied back expressing my shock at such a practice; never got a reply back (5 days ago). The actual bug has been present for over a month at least: I noticed the issue ages ago but thought it was just random values I was getting; it wasn't until I was in the account details that I saw another person's name.

    Anyway the issue is resolved now. It really doesn't seem that they took it that seriously unfortunately...

    X
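The flaw as the thread describes it (a customer ID taken from the URL, no login required, records readable and modifiable) beside a hardened version of the same statement page, with the "security measures disabled for testing" explanation from the ISP's reply modelled as an explicit bypass flag plus a startup check that refuses it in production. This is an added example for illustration, not code from the thread or from the ISP; the customer records, the function names, the query parameter and the environment-variable names (STATEMENT_AUTH_BYPASS, APP_ENV) are all assumptions constructed here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set

# Constructed sample records standing in for the ISP's customer table
# (IDs, names, numbers and addresses are made up for this example).
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "A. Customer", "calls": ["01-555-0101"], "address": "1 Main St"},
    1002: {"name": "B. Customer", "calls": ["01-555-0201", "01-555-0202"], "address": "2 High St"},
    1003: {"name": "C. Customer", "calls": [], "address": "3 Low St"},
}


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


@dataclass
class Session:
    """Server-side session; customer_id is None for an anonymous visitor."""
    customer_id: Optional[int] = None


# --- Vulnerable form: the behaviour the thread describes -------------------
# The ID comes from the URL (think statement?cust=1002) and is trusted as-is.
# No login is required and no ownership check is made, so a typo, or a loop
# over sequential IDs, reads (and can modify) any customer's record.
def vulnerable_statement(session: Session, requested_id: int) -> dict:
    return CUSTOMERS[requested_id]


def vulnerable_update_address(session: Session, requested_id: int, new_address: str) -> None:
    CUSTOMERS[requested_id]["address"] = new_address


# --- Hardened form ---------------------------------------------------------
# The "security measures" in the ISP's reply are modelled as a bypass flag a
# developer can set while testing. Routing it through one function makes the
# dangerous case visible, and check_deployment_config() lets a deploy refuse it.
def auth_bypass_enabled(environ: Dict[str, str]) -> bool:
    return environ.get("STATEMENT_AUTH_BYPASS") == "1"


def check_deployment_config(environ: Dict[str, str]) -> bool:
    """Startup check: returns False when the bypass is set in production."""
    return not (auth_bypass_enabled(environ) and environ.get("APP_ENV") == "production")


def _authorize(session: Session, requested_id: int, environ: Dict[str, str]) -> int:
    if auth_bypass_enabled(environ):            # the testing-only hole, made explicit
        return requested_id
    if session.customer_id is None:             # authentication: no anonymous access
        raise Forbidden("login required")
    if requested_id != session.customer_id:     # authorization: own record only
        raise Forbidden("not your account")
    return session.customer_id                  # identity comes from the session, not the URL


def hardened_statement(session: Session, requested_id: int,
                       environ: Optional[Dict[str, str]] = None) -> dict:
    return CUSTOMERS[_authorize(session, requested_id, environ or {})]


def hardened_update_address(session: Session, requested_id: int, new_address: str,
                            environ: Optional[Dict[str, str]] = None) -> None:
    CUSTOMERS[_authorize(session, requested_id, environ or {})]["address"] = new_address


# --- What an ID-guessing visitor gets back from each form ------------------
def enumerate_customers(handler: Callable, session: Session, ids: Iterable[int]) -> Set[int]:
    """Try every ID in the range and return those whose record came back."""
    found = set()
    for cid in ids:
        try:
            handler(session, cid)
        except (Forbidden, KeyError):
            continue
        found.add(cid)
    return found


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, anonymous:  ", enumerate_customers(vulnerable_statement, Session(), ids))
    print("hardened, anonymous:    ", enumerate_customers(hardened_statement, Session(), ids))
    print("hardened, customer 1002:", enumerate_customers(hardened_statement, Session(1002), ids))
    print("bypass allowed in production?",
          check_deployment_config({"APP_ENV": "production", "STATEMENT_AUTH_BYPASS": "1"}))
```

The point of the hardened handler is that the record is selected by the session's identity and the URL parameter is only compared against it; an anonymous visitor with a link gets nothing, and a logged-in customer cannot reach a neighbouring ID. Keeping the bypass behind one function and a deploy-time check is what turns "we forgot to re-enable it" into a failed start rather than a month of exposed records.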


  • Registered Users, Registered Users 2 Posts: 37,316 ✭✭✭✭the_syco


    Xcellor wrote: »
    Anyway the issue is resolved now. It really doesn't seem that they took it that seriously unfortunately...

    X
    Hrm. Let it slip to the broadsheets?


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    It would be quite in order to say who it was IF they have fixed it; their other customers have a right to know that their data could have been accessed too.

    There have been no 'banking changes' this year; you were simply fed a load of BS there by some CS manager type.

