
Insecure messaging at Citibank?

On Friday night, I received an instant message from a colleague of mine who wanted to share a concern about something he had just come across while checking his coComment notifier: something that was seriously out of place. I won't steal all of his thunder, as you can read all his details here, along with screens of the offending experience, but I have to add my two cents here as to what the situation added up to.

coComments, as its site describes, "keeps track of all the online conversations you're following in one convenient place, and informs you whenever something is added to a conversation." In other words, rather than having to keep going back and forth to sites you've commented on over and over again to see what's up, you can just keep checking coComments. It's kind of like a quick way to check the "where I've commented" and "where people have commented on my site" options that sites such as Flickr offer.

As for what went on here, it seems that John, my colleague, managed to find a pretty big hole in Citibank's online security. After posting a short message asking Citi to follow up on some of his activity, while logged into the bank's site, he was able to keep an eye on others who had also used the form, and all of this is documented here, on the Web. (In case this is gone by the time you read this, I've uploaded a PDF of the file, which you can download here [277k PDF].)

Given how fast the Web moves these days, irrespective of how good security is "supposed" to be anywhere, I can see how something of this ilk could happen, based on how I believe coComments works. That being said, in how many other places is this happening without people being aware of what they might have done? Additionally, I'm pretty disappointed in the customer service feedback that John was given when a) calling and b) emailing Citibank in this situation. It seems that the telephone representative wasn't even interested in getting enough information as to what coComments was, and clearly no action has been taken, as I'm still viewing this hours later.

I'm placing my own call to Citibank's media relations department, and will be sending off a note to coComments as well. In the interim, it might be wise to take a look at what you might have floating around in your coComments queue, should you be a user of the service. In any case, go read what John has to say about the situation, as he's detailed it much better than my quick rundown here on OTD.


Comments

Many thanks for bringing this to our attention.

We've written it up on our site blog (http://blog.cocomment.com/2007/03/19/cocomment-security-and-privacy/) and would be happy to help anyone affected by this or a similar issue.

For safety and security, all the offending comments have been removed from coComment and we would remind users that, to be secure, they should Blacklist any sites with sensitive data.

We're also pleased to receive recommendations for sites which should be permanently blacklisted for the purposes of commenting/conversation tracking and storing.

Once again, many thanks,

Matt (coComment CEO)
