A flaw in the web platform of Fiserv Inc., a technology services provider for financial institutions, reportedly exposed personal and financial account information on hundreds of bank websites. The vulnerability was discovered within its one-way messaging feature.
Commenting on the news is Javvad Malik, security advocate at AlienVault:
This appears to be a case of oversight in the application development and testing phase. Being able to change a value in the URL to gain access to other accounts is a well-documented security flaw that should be avoided. Knowing of this vulnerability, it would have been trivial for an attacker to write a script that would automatically change the URL and harvest many customers' details.
It goes to highlight that small errors can slip through, even for large companies that are well-versed in security. It's good to see Fiserv was able to respond and create a patch in a timely manner.
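The flaw Malik describes, a lookup keyed only on an id taken from the URL, is shown below beside the hardened form that binds every lookup to the authenticated session. This is an added illustration, not Fiserv's code; the message store, account names and the denied-lookup threshold are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    message_id: int
    owner: str   # account the message belongs to
    body: str


# Constructed sample data standing in for a provider's message store.
MESSAGES = {
    1001: Message(1001, "alice", "Your March statement is ready."),
    1002: Message(1002, "bob", "A payment of $250.00 posted to your account."),
}

# Per-session count of lookups that named a record the session does not own.
denied_lookups: Counter = Counter()


def fetch_message_vulnerable(session_user: str, message_id: int) -> Optional[Message]:
    """Looks the record up by the id from the URL alone. The session user is
    never consulted, so editing the id returns another customer's message."""
    return MESSAGES.get(message_id)


def fetch_message_hardened(session_user: str, message_id: int) -> Optional[Message]:
    """Scopes the lookup to records owned by the server-side session user.
    The URL id then only selects among the caller's own messages. A foreign
    id is indistinguishable from a nonexistent one (both return None), and
    each foreign-id miss is counted, because a run of them from one session
    is the trace an enumeration script leaves behind."""
    msg = MESSAGES.get(message_id)
    if msg is not None and msg.owner == session_user:
        return msg
    if msg is not None:
        denied_lookups[session_user] += 1
    return None


def sessions_over_threshold(limit: int = 5) -> list:
    """Sessions whose denied-lookup count exceeds `limit`, for alerting."""
    return sorted(u for u, n in denied_lookups.items() if n > limit)
```

The hardened lookup returns the same result for a foreign id and a missing one, so the endpoint no longer confirms which ids belong to other customers.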