Fidelity Boo Boo
-
I placed a couple of trades in my brokerage account, and then printed out the orders-summary page. At the bottom, where it prints the url, we get:
You'd think they would know better.
-
Plz give me ur SSN and PIN so I can see the wtf and also deposit $10k in your accounts
-
I get taken to a login page no matter what account # I enter. So it looks to be secured. If you're logged in can you see any account or just your own? If you can't, then I don't see the WTF.
-
If you're logged in, you don't get redirected to the login page
-
@snoofle said:
If you're logged in, you don't get redirected to the login page
So you can enter any account number and see the results? Have you tried guessing other account numbers?
-
@morbiuswilters said:
I wonder if this will end up with someone "accidentally" transferring money between accounts. Kinda like when someone dropped that city's table and had to try and restore it.
@snoofle said:
If you're logged in, you don't get redirected to the login page
So you can enter any account number and see the results? Have you tried guessing other account numbers?
By the way Morbius, all I can say about your sig is WTF!!!!
-
@morbiuswilters said:
@snoofle said:
If you're logged in, you don't get redirected to the login page
... Have you tried guessing other account numbers?
That's the kind of thing that, if tracked back to me, can get me blackballed from my industry for life, so I've forced myself to not try it.
-
@snoofle said:
That's the kind of thing that, if tracked back to me, can get me blackballed from my industry for life, so I've forced myself to not try it.
Then, uh, how do you know there's any security problem at all? If you don't know whether you can access other users' accounts, then you can't claim a WTF.
-
@morbiuswilters said:
Then, uh, how do you know there's any security problem at all? If you don't know whether you can access other users' accounts, then you can't claim a WTF.
I'd have to agree. I know there are a few pages in our web app that use query strings in order to transfer a small amount of data to an external page. As long as it's not sensitive data like a password, and as long as the parameter is validated on the target page like anything else, what's the problem?
Sometimes you can't fire a server-side event, you can only provide an HREF, so the only thing you can do is stick a query string on it. It doesn't happen often but it does happen, often when using 3rd-party components or when trying to implement SSO.
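What "validated on the target page" has to mean for an account number carried in the query string, as an added example that is not from anyone in this thread or from the brokerage: the first handler only checks that the caller is logged in, the second also checks that the requested account belongs to the session's user. The session store, account numbers, order lines and URL are all constructed.

```python
# Added example, not code from the thread: an order-summary handler that reads
# acct= from the printed URL, first trusting it after a login check only, then
# with an ownership check against the session. All data below is constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlparse

# Constructed sample state: which account numbers each logged-in session owns,
# and the order summary stored for each account.
SESSIONS: Dict[str, Set[str]] = {
    "sess-alice": {"10000001"},
    "sess-bob": {"20000002", "20000003"},
}
ORDERS: Dict[str, str] = {
    "10000001": "BUY 100 XYZ @ 12.34",
    "20000002": "SELL 50 ABC @ 56.78",
    "20000003": "BUY 10 QQQ @ 300.00",
}

@dataclass
class Response:
    status: int
    body: str = ""

def account_from_url(url: str) -> Optional[str]:
    """Extract a single acct= value from a URL like .../orders?acct=10000001."""
    values = parse_qs(urlparse(url).query).get("acct", [])
    return values[0] if len(values) == 1 else None

def summary_unchecked(session_id: str, url: str) -> Response:
    """Login check only: whatever acct= says is looked up and returned."""
    if session_id not in SESSIONS:
        return Response(302, "redirect to login")
    acct = account_from_url(url)
    if acct is None or acct not in ORDERS:
        return Response(404)
    return Response(200, ORDERS[acct])  # any logged-in user can read any account

def summary_checked(session_id: str, url: str) -> Response:
    """Login check plus authorization: acct= must belong to this session's user."""
    if session_id not in SESSIONS:
        return Response(302, "redirect to login")
    acct = account_from_url(url)
    # Validate the parameter's shape first, then authorize it against the session.
    if acct is None or not acct.isdigit():
        return Response(400)
    if acct not in SESSIONS[session_id]:
        # Same status as "no such account" so the reply does not confirm
        # which account numbers exist.
        return Response(404)
    return Response(200, ORDERS[acct])
```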
-
@snoofle said:
Huh? I'm not sure what you think's gonna happen here.
I placed a couple of trades in my brokerage account, and then printed out the orders-summary page. At the bottom, where it prints the url, we get:
You'd think they would know better.
@snoofle said:
Of course, it's up to you to secure your own printer...