Oklahoma State leaks tens of thousands of social security numbers
Residents of Oklahoma State have reportedly been hit this week with the bad news that tens of thousands of their names, social security numbers and allied data were effectively available on the Web for around three years.
The source of the problem, says Fredrick Lee, a software security researcher with Fortify Software, the application vulnerability specialists is poor coding on the state's Department of Corrections Web site.
"This is a classic SQL injection vulnerability," he said, adding that, in this case, the security lapse could easily have been caught with a simple code review.
According to Lee, had some form of automated analysis been part of the release procedure for this Web site, the incident could have been avoided.
"The sad thing is that vulnerabilities like these indicate to attackers that other related applications and organizations are probably vulnerable as well," he said.
According to newswire reports, anyone with a basic knowledge of SQL programming could interpret the URL and other data returned by the Oklahoma DoC Web site.
Then, by the simple process of amending the long URLs returned by the site, they could retrieve tens of thousands of social security numbers and their allied data from the site.
Tags:
Government,
ID Management,
ID cards,
ID theft,
Legal rights/wrongs
The source of the problem, says Fredrick Lee, a software security researcher with Fortify Software, the application vulnerability specialists is poor coding on the state's Department of Corrections Web site.
"This is a classic SQL injection vulnerability," he said, adding that, in this case, the security lapse could easily have been caught with a simple code review.
According to Lee, had some form of automated analysis been part of the release procedure for this Web site, the incident could have been avoided.
"The sad thing is that vulnerabilities like these indicate to attackers that other related applications and organizations are probably vulnerable as well," he said.
According to newswire reports, anyone with a basic knowledge of SQL programming could interpret the URL and other data returned by the Oklahoma DoC Web site.
Article continues after advert
Add Your Comment
Follow on Twitter
More Articles
News
Hot Topics
Office Web
Office web is the latest addition to Microsoft's Office business suite and is set to be the company's most revolutionary version.
Office 2010
Microsoft's 14th version of its award winning, multi-billion dollar cash cow business suite, is the company's most ambitious to date.
Spotify
Spotify is certainly one of the most popular online music websites in the world which is a feat for a service that was officially launched only in February 2009
ITProPortal.com - Sponsored Section
Featured Content
- The New Voice of the CIO. 158 CIOs in midsized businesses across 31 countries reveal their insights and vision for enhancing
competitiveness over the next five years.
Download Document
Customer Case Studies
- How a wine wholesaler improved the flow of information
Download full case study
- The server that made an entire university smarter
Download full case study
Videos
Latest Tweets
Comments