How Poor Code Leads to Possible Identity Theft
Recently, while assessing a web application during an assessment services engagement, SPI Labs discovered a vulnerability that would allow an attacker with only basic information about a person to guess that person's social security number. The vulnerability occurred during the process of signing up for an account. For legal reasons, the person signing up had to be of a certain age. To verify this, the application contacted a back-end database containing public information. If you gave the correct name and address but an incorrect social security number, you were sent to a separate page asking you to re-enter only your social security number. That response told us that the name and address we had entered were correct and that only the social security number was still needed. With this vulnerability, an attacker could keep trying new values for the social security number until receiving a page that no longer asks for a different one. With a hole like that, a phone book would give you all the information you need to commit identity theft! SPI Labs recommends two steps to customers to help prevent this type of attack:
- Limit the number of attempts the user is allowed to submit sensitive information. We recommend that after 3 failed attempts, the client IP be locked out from submitting information for 24 hours.
- Display generic errors rather than identifying the specific input that was wrong. Because the application told us that only the social security number was wrong, we knew the name and address were correct. A more secure error message would have been “The information you provided was not correct.”
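As an added illustration of both recommendations (this is example code written for this article, not SPI Labs' code or the assessed application's), the following contrasts the leaky verification step described above with a hardened version that returns a single generic error for every failure and locks a client out after 3 failed attempts for 24 hours. The record store, the client identifiers, the `Verifier` class and all sample values are constructed for the demo; the placeholder social security number is not a real one.

```python
"""Added example: differential-error oracle vs. generic error + attempt limit.
Everything here (RECORDS, client ids, sample values) is constructed for the demo.
"""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed stand-in for the back-end public-records database:
# (name, address) -> social security number. Placeholder value, not a real SSN.
RECORDS: Dict[tuple, str] = {
    ("Jane Doe", "1 Main St"): "000-00-0000",
}

MAX_ATTEMPTS = 3                 # recommendation 1: lock out after 3 attempts
LOCKOUT_SECONDS = 24 * 60 * 60   # ... for 24 hours


def verify_leaky(name: str, address: str, ssn: str) -> str:
    """Behaviour described in the post: the response differs depending on
    WHICH field was wrong, so a caller learns that name+address matched
    as soon as only the SSN is challenged."""
    expected = RECORDS.get((name, address))
    if expected is None:
        return "not found"            # name/address wrong
    if ssn != expected:
        return "re-enter ssn"         # oracle: confirms name/address are right
    return "ok"


GENERIC_ERROR = "The information you provided was not correct."


@dataclass
class Verifier:
    """Hardened version: one generic error for any mismatch, plus a per-client
    failure counter that locks the client out for LOCKOUT_SECONDS."""
    attempts: Dict[str, int] = field(default_factory=dict)       # client -> failures
    locked_until: Dict[str, float] = field(default_factory=dict)  # client -> unlock time
    clock: Callable[[], float] = time.time  # injectable for testing

    def _is_locked(self, client: str) -> bool:
        until = self.locked_until.get(client)
        if until is None:
            return False
        if self.clock() >= until:       # lockout expired: reset the counter
            del self.locked_until[client]
            self.attempts.pop(client, None)
            return False
        return True

    def _record_failure(self, client: str) -> None:
        n = self.attempts.get(client, 0) + 1
        self.attempts[client] = n
        if n >= MAX_ATTEMPTS:
            self.locked_until[client] = self.clock() + LOCKOUT_SECONDS

    def verify(self, client: str, name: str, address: str, ssn: str) -> str:
        if self._is_locked(client):
            return "locked"
        expected = RECORDS.get((name, address)) or ""
        # All fields are judged in one comparison; a wrong name, address or
        # SSN yields exactly the same response. compare_digest avoids leaking
        # the mismatch position through timing as well.
        if not hmac.compare_digest(ssn.encode(), expected.encode()):
            self._record_failure(client)
            return GENERIC_ERROR
        self.attempts.pop(client, None)  # success clears the counter
        return "ok"


if __name__ == "__main__":
    v = Verifier()
    print(verify_leaky("Jane Doe", "1 Main St", "111-11-1111"))   # re-enter ssn
    print(v.verify("10.0.0.1", "Jane Doe", "1 Main St", "111-11-1111"))  # generic error
```

The lockout is keyed on the client identifier passed in, which in a real deployment would be the client IP (as the post recommends) or a session identifier; the generic message is returned whether the name, the address, or the social security number was the field that did not match.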