[LINK] Treasury web site
Thu, 29 Jun 2000 20:40:05 +1000
At 10:50 AM +1000 29/6/2000, Rachel Polanskis wrote:
>Well not really, you just have to type in any number between 1 and 27000
>and you can receive the banking details of that particular business!
I assume that you could get at any registration (e.g. 1234) along the
lines of a URL htt://TheHostName/SomePath/1234?
Also that no checking was done that you were accessing your own
details and not somebody else's.
The ABC report which I just heard included comments of thanks from
some of the people alerted to their details being wide open. They
were informed by the chap who found the details via email. In fact he
told some thousands of people whose details were xposed.
The ABC did however talk about "hacking" and that the police are
looking to see if the Crimes Act has been breached.
My reading of it is that the site in effect published accidentally
every bodies details and being a good citizen he warned them rather
than telling the site so they could cover it up.
Should my supposition be true I would be aghast if he should get into
strife rather than being commended. But then if you make the Treasury
Department look dumb....
Oh yes - Finance were very fast to say it wasn't _their_ site. It was
phone +61 2 6241 7659