Wednesday, April 23, 2008

OK State Leaks SSNs...

April 2008

Oklahoma State leaks tens of thousands of social security numbers. Residents of Oklahoma were told this week that tens of thousands of their names, social security numbers, and allied data were effectively available on the Web for around three years.

The source of the problem, says a software security researcher with Fortify Software, is poor coding on the state’s Department of Corrections Web site. “This is a classic SQL injection vulnerability,” he said, adding that, in this case, the security lapse could easily have been caught with a simple code review. Had some form of automated analysis been part of the release procedure for this Web site, the incident could have been avoided, he said.

According to newswire reports, anyone with a basic knowledge of SQL programming could interpret the URL and other data returned by the Oklahoma DoC Web site. Then, by the simple process of amending the long URLs returned by the site, they could retrieve tens of thousands of social security numbers and their allied data from the site.
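The pattern the reports describe, query text carried in the URL, shown beside a hardened handler; this is an added example, not code from the original post or from the Oklahoma DoC site. The table, the `sql`, `report` and `id` parameters, the host name and the sample rows are all constructed assumptions.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

def make_db():
    """In-memory table with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    db.executemany("INSERT INTO offenders VALUES (?, ?, ?)",
                   [(1, "Sample One", "000-00-0001"),
                    (2, "Sample Two", "000-00-0002")])
    return db

def lookup_vulnerable(db, url):
    """Before: the URL carries the SQL text and the server runs it unchanged,
    so whoever edits the URL chooses the columns and rows returned."""
    sql = parse_qs(urlsplit(url).query)["sql"][0]  # hypothetical 'sql' parameter
    return db.execute(sql).fetchall()

# After: the URL only names a report. The SQL text and its column list stay
# on the server, and the one user-supplied value is bound, never concatenated.
REPORTS = {"offender_by_id": "SELECT id, name FROM offenders WHERE id = ?"}

def lookup_hardened(db, url):
    params = parse_qs(urlsplit(url).query)
    report = params.get("report", [""])[0]
    raw_id = params.get("id", [""])[0]
    if report not in REPORTS:
        raise ValueError("unknown report")
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    return db.execute(REPORTS[report], (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    base = "https://example.invalid/lookup"  # constructed host
    print(lookup_vulnerable(db, base + "?sql=SELECT+id,+name+FROM+offenders+WHERE+id=1"))
    print(lookup_hardened(db, base + "?report=offender_by_id&id=1"))
    try:
        lookup_hardened(db, base + "?sql=SELECT+name,+ssn+FROM+offenders")
    except ValueError as err:
        print("rejected:", err)
```

A code review or static-analysis pass of the kind the researcher mentions would flag `lookup_vulnerable` because request data reaches `db.execute` as the statement itself rather than as a bound parameter.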
