[LINK] Treasury web site
Tony Barry
tonyb@dynamite.com.au
Thu, 29 Jun 2000 20:40:05 +1000
At 10:50 AM +1000 29/6/2000, Rachel Polanskis wrote:
>Well not really, you just have to type in any number between 1 and 27000
>and you can receive the banking details of that particular business!
I assume that you could get at any registration (e.g. 1234) along the
lines of a URL http://TheHostName/SomePath/1234?
Also that no checking was done that you were accessing your own
details and not somebody else's.
The ABC report which I just heard included comments of thanks from
some of the people alerted to their details being wide open. They
were informed by the chap who found the details via email. In fact he
told some thousands of people whose details were exposed.
The ABC did however talk about "hacking" and that the police are
looking to see if the Crimes Act has been breached.
My reading of it is that the site in effect published accidentally
everybody's details and being a good citizen he warned them rather
than telling the site so they could cover it up.
Should my supposition be true I would be aghast if he should get into
strife rather than being commended. But then if you make the Treasury
Department look dumb....
Oh yes - Finance were very fast to say it wasn't _their_ site. It was
Treasury's.
Tony
--
phone +61 2 6241 7659
mailto:me@Tony-Barry.emu.id.au
http://purl.oclc.org/NET/Tony.Barry
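
An added example, not part of the original message and not the site's code: the lookup the message supposes (the number in the URL is the only key) beside the same lookup tied to the logged-in user, plus a log check that flags a client reading many different registrations. The record layout, the function names and the log format are assumptions; /SomePath/ is the placeholder path from the message.

```python
import re
from collections import defaultdict

# Constructed records keyed by registration number; every name and value is hypothetical.
RECORDS = {
    1234: {"owner": "alice", "bank_details": "constructed-account-A"},
    1235: {"owner": "bob", "bank_details": "constructed-account-B"},
}

class AccessDenied(Exception):
    pass

def fetch_unchecked(reg_no):
    # Supposed behaviour: only the number taken from the URL is consulted.
    return RECORDS[reg_no]

def fetch_checked(session_user, reg_no):
    # The authenticated user must own the record being requested.
    record = RECORDS.get(reg_no)
    # One error for "no such number" and "not yours", so replies do not
    # confirm which registration numbers exist.
    if session_user is None or record is None or record["owner"] != session_user:
        raise AccessDenied(reg_no)
    return record

# Constructed access-log lines: client address, method, requested path.
SAMPLE_LOG = """\
203.0.113.5 GET /SomePath/1234
203.0.113.5 GET /SomePath/1235
203.0.113.5 GET /SomePath/1236
198.51.100.9 GET /SomePath/1234
198.51.100.9 GET /SomePath/1234
"""

LINE = re.compile(r"^(\S+) GET /SomePath/(\d+)$")

def clients_reading_many(log_text, limit=2):
    # A business normally asks for its own registration only; report
    # clients that requested more than `limit` distinct numbers.
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(c for c, nums in seen.items() if len(nums) > limit)
```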