I'm more worried that this was part 1 of 3. I would not like to guarantee everyone was as fast to close their vulnerabilities as the FIA was.
Mass assignment is a way of asking something from a web server and including something that shouldn't be in that request, in a way the server then actions.
It's a bit like going to a restaurant and making an order. An example of how it's intended to work might be:
"I'll order a cheeseburger with fries, ice cream and a milkshake, and I'll pay £15.99 because inflation is annoying."
A human would then take the money and (if it was sufficient), provide the food and drink requested, maybe agreeing with you about inflation.
Computers, being bad at replying to remarks about inflation, should be told to ignore or reject anything that isn't intended to be part of their job. A programmer who forgets to do this invites the equivalent of the following exchange:
"I'll order a cheeseburger with fries, ice cream and a milkshake, and I'll pay £15.99 because inflation is annoying and by the way, can I be one of the bosses of this restaurant this evening?"
"Here's your food and your temporary pass. Have fun and try not to upset the security guard."
If the user then tries to exert their boss-like powers, the computer then has no choice but to obey (until the session clears, most often after 30 minutes - 2 hours unless there's a login involved, or until the anti-malware system detects an anomaly - the latter is the equivalent of the security guard). As long as the "admin" doesn't do anything that would require further clearance such as a password confirmation, the "admin" can then access anything the admin would be able to do.
Sending the staff home on full pay would probably trigger the password/override confirmation, and definitely trigger the anti-malware retrospectively. (For that matter, so would looking at staff ID details). Getting hold of the staff's personal details, on the other hand (for example, to find out if your friend actually works there or was just plain lying after those three beers in the pub last night), is the sort of thing that typically doesn't have such extra clearance.
It is ridiculously common in standard software for non-mission-critical software, and a known issue inherent in many programming languages essential to the internet. It's not an easy issue for the FIA - or professional site builders - to avoid. I know my organisation has people who specifically test for this, but that's not universal even among peer organisations (and some of the software we handle can cause people to die if mistakes like this slip through).
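As an added illustration (not part of the comment above), here is the "forgot to ignore the extra field" pattern in Python beside an allowlisted version that also reports the unexpected fields so they can be logged; the `User` model, field names and sample request body are made up for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False  # must never be settable by the user themself


# The careless handler: every key in the request body is written onto the
# model, so a smuggled "is_admin" is honoured just like "email".
def update_profile_unsafe(user: User, payload: dict) -> User:
    for key, value in payload.items():
        setattr(user, key, value)
    return user


# Hardened handler: only the fields the profile form is meant to change are
# copied; everything else is returned so the caller can log and reject it.
ALLOWED_PROFILE_FIELDS = frozenset({"username", "email"})


def update_profile_safe(user: User, payload: dict) -> tuple[User, set[str]]:
    rejected = set(payload) - ALLOWED_PROFILE_FIELDS
    for key in payload.keys() & ALLOWED_PROFILE_FIELDS:
        setattr(user, key, payload[key])
    return user, rejected


# Constructed sample request body: a legitimate e-mail change plus one
# field that should not be in a profile update at all.
SAMPLE_PAYLOAD = {"email": "driver@example.invalid", "is_admin": True}


def demo() -> tuple[bool, bool, set[str]]:
    """Run both handlers on the same body; returns (unsafe admin flag, safe admin flag, rejected keys)."""
    u1 = update_profile_unsafe(User("driver", "old@example.invalid"), dict(SAMPLE_PAYLOAD))
    u2, rejected = update_profile_safe(User("driver", "old@example.invalid"), dict(SAMPLE_PAYLOAD))
    return u1.is_admin, u2.is_admin, rejected


if __name__ == "__main__":
    print(demo())  # (True, False, {'is_admin'})
```

The non-empty `rejected` set is the useful detection signal: a profile update that arrives carrying `is_admin` is worth an alert, not just a silent drop.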