Sunday, March 30, 2008

Hacking Amtrak with Direct Object References

Via Arshan Dabirsiaghi's Blog -

I love taking the train. God, the only thing better than taking the train would be taking the train for free.

Whoops.

Thanks for the ticket, Marge Power, traveling from Alexandria, VA.

How was I able to do this? Direct object references (DOR). Laughably, ridiculously easy attacks. Is this a Diebold product? It’s no wonder that with this level of security, a 14 year old kid from Kerplakistan with a pasta drainer, wireless mouse and a shoebox was able to completely derail their trains. I’ve told my the webappsec classes that the easiest way to steal a bunch of information from a website is through direct object references. My wife could perform a DOR attack, and if you think she knows anything about security, I can just tell you she has like 5,000 Facebook applications with full privileges running.

So, let’s get to the really gory, technical details of this Mitnick like hack.

My confirmation number was 01CF01.

I typed in 01CF04.

Maybe it was by accident, Amtrak, and maybe it wasn’t. Regardless, I got Marge’s ticket offered to me. Look at the screen again. See the “Print Tickets” option? I’m sure this does happen all the time by accident. Whoever made this horribly insecure contraption knew that, too, because on the first picture, if you look closely, there’s a “Not you? Click here to try another confirmation number” button as well. You don’t need an ID to board a train, remember.

Incidentally, Marge Power is such a badass name. That’s why I didn’t get her tickets out. She sounds ripped.

No comments:

Post a Comment