Re #OptusHack: as a software engineer, it frustrates me the media is reporting it as a sophisticated attack. It was not. It was equivalent to leaving your front door unlocked with a sign that says valuables inside. They failed at really basic stuff. I'll explain it simply. 1/6
Servers typically use an "API" to load data and add functionality to the user interface. When you login, tap on a like button, try to load your profile page etc. the app or web browser sends a request to an API to complete that action or retrieve that data. 2/6
Any API that exposes personal information should be protected behind authentication (like a username & password). In the case of the #optushack, it has been reported that one of their APIs that could retrieve personal information DID NOT REQUIRE any authentication whatsoever. 3/6
This was bad enough, but the attacker also claimed the API used an incrementing user ID. So this means the attacker could ask the API "give me the personal information for user 1, 2, 3, 4..." and repeat this over and over, incrementing the number each time. 4/6
These things are taught in beginner programming classes. It is frankly, unacceptable for a large company like Optus to have these sorts of problems in their public facing systems. Millions of Australians (myself included) are now at risk of identity theft, fraud etc. 5/6
Millions of people now have to spend time to mitigate these risks like submitting credit report bans, changing driver license numbers, securing accounts, etc. @Optus can and must be held responsible - and made to pay for their carelessness. 6/6
• • •
Missing some Tweet in this thread? You can try to
force a refresh
