Fidelity Boo Boo



  • I placed a couple of trades in my brokerage account, and then printed out the orders-summary page. At the bottom, where it prints the url, we get:

    You'd think they would know better.

     



  • Plz give me ur SSN and PIN so I can see the wtf  and also deposit $10k in your accounts



  •  I get taken to a login page no matter what account # I enter.  So it looks to be secured.  If you're logged in can you see any account or just your own?  If you can't, then I don't see the WTF.



  • If you're logged in, you don't get redirected to the login page



  • @snoofle said:

    If you're logged in, you don't get redirected to the login page

    So you can enter any account number and see the results?  Have you tried guessing other account numbers? 



  • @morbiuswilters said:

    @snoofle said:

    If you're logged in, you don't get redirected to the login page

    So you can enter any account number and see the results?  Have you tried guessing other account numbers? 

    I wonder if this will end up with someone "accidently" transfering money between accounts.  Kinda like when someone dropped that city's table and had to try and restore it.

     

    By the way Morbius.  all I can say about about your sig is WTF!!!!



  • @galgorah said:

    By the way Morbius.  all I can say about about your sig is WTF!!!!

    IRC iz fun



  • @morbiuswilters said:

    @snoofle said:

    If you're logged in, you don't get redirected to the login page

    ... Have you tried guessing other account numbers? 

    That's the kind of thing that, if tracked back to me, can get me blackballed from my industry for life, so I've forced myself to not try it.



  • @snoofle said:

    That's the kind of thing that, if tracked back to me, can get me blackballed from my industry for life, so I've forced myself to not try it.

    Then, uh, how do you know there's any security problem at all?  If you don't know whether you can access other user's accounts, then you can't claim a WTF. 



  • @morbiuswilters said:

    Then, uh, how do you know there's any security problem at all?  If you don't know whether you can access other user's accounts, then you can't claim a WTF. 

     <hints id="hah_hints"></hints>
    I'd have to agree.  I know there are a few pages in our web app that use query strings in order to transfer a small amount of data to an external page.  As long as it's not sensitive data like a password, and as long as the parameter is validated on the target page like anything else, what's the problem?

    Sometimes you can't fire a server-side event, you can only provide an HREF, so the only thing you can do is stick a query string on it.  It doesn't happen often but it does happen, often when using 3rd-party components or when trying to implement SSO.



  • @snoofle said:

    I placed a couple of trades in my brokerage account, and then printed out the orders-summary page. At the bottom, where it prints the url, we get:

    You'd think they would know better.

    Huh?  I'm not sure what you think's gonna happen here.

    @snoofle said:

    https://...

    Of course, it's up to you to secure your own printer... 


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.