Tuesday, February 10, 2009

Threat Classification v2 on Logic Flaws

MANICODE would like to say thank you to guest blogger Bil Corry who wrote this excellent section for the upcoming "Threat Classification v2 on Logic Flaws". I found his inclusion of recent real world examples to be fascinating!

Threat Classification v2 on Logic Flaws - Real World Examples
By Bil Corry

* Yahoo had a promotional offer where if you deposited USD $30 into an advertising account, Yahoo would then add an additional USD $50 to that account. The sign-up process was able to be circumvented in such a way that failing to deposit the requisite USD $30 still allowed the additional USD $50 to be credited to the account.

Yahoo SEM Logic Flaw

* Tower Records' form validation assumed that the user would fill out a form in the order presented, but in reality, some users filled out the bottom portion first, causing a bug that wasn't caught during development and resulted in the loss of sales.

Tower Records Tunes Its Site

* YouTube restricts some videos to users that are 18-years-old and older on their site. However, if the same video is embedded in another site, then the process that filters the videos is bypassed, allowing anyone of any age to view the video.

Youtube’s 18+ Filters Don’t Work

* Facebook restricts access to private user pages, but there have been incidences where an attacker can replace the user ID in the URL with a victim ID, thereby circumventing the security measures. Two examples include accessing private photos and accessing private fan pages.

Peekaboo! Facebook fills photo security hole

Hole unveils Facebook fan pages

* E-trade and Schwab failed to limit one bank account to any given user, allowing an attacker to assign the same bank account to tens of thousands of users, resulting in a loss of USD $50,000.00.

1 comment:

jwilliams said...

These are all interesting, but most are just missing or broken security controls. Just because you can't scan for a vulnerability doesn't mean it's a "business logic" flaw. They're still just issues with input validation, access control, authentication, error handling, etc... If you can name the security control that would solve the problem, it's not a business logic problem. We should reserve this term for business process problems codified in software.