Wednesday, 18 April 2012

Toshiba UK, ICO and OWASP Top 10 A4 error

The UK Information Commissioner's Office (ICO) has ruled that Toshiba UK breached the UK Data Protection Act by publishing the personal details of 20 competition entrants on its website. According to The Register:
  • "A security fault with the incremental numbering of the competition entrants registration URL created the potential for access to other customers' personal data for a two-month period," the regulator said.
By changing the values in the URL, it was possible to see the details of other users. It looks like this was an OWASP Top 10 2010-A4-"Insecure Direct Object References" issue.

When designing your own application you need to perform authorization checks to ensure that the user has permission to access the requested resource. The OWASP Top 10 gives more guidance on how to implement this.

It's surprising how few of the ICO undertakings are related to web site issues. You can look at the ICO's "Taking Action" page to get a feel for what type of issues cause problems.

Useful Links on this blog:
Useful Links:

Social: del.icio.us DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

No comments:

Post a comment