Thousands of SSNs exposed by programmer error

posted on Fri, Feb 25 2005 4:49 pm by Matt Gray

About Matt
Matt is Clockwork's Technology Director. He has been with Clockwork for over eight years, starting as a software engineer out of the University of Minnesota. He is enthusiastic about using technology to solve problems.

Think Computer just released an article describing a major software flaw that possibly exposed thousands of social security numbers. A full paper on the matter is also available.

Essentially, PayMaxx, an online payroll services company, neglected to fully secure its W-2 generation program. Anyone with a valid login could view the page source and change an ID number in one of the links. The system never checks whether the logged-in user is authorized to view that ID's W-2: in fact, every W-2 is accessible, containing the SSN, gross salary, home address, and more. This is a missing authorization check on a user-supplied record identifier, and because the IDs in question are sequential, it is a trivial matter to walk through the whole range and harvest vital information about thousands of people. How could something like this happen?
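To make the flaw concrete, here is an added example (not PayMaxx's code and not from Think Computer's paper) that models the W-2 lookup described above: a handler that takes the employee ID straight from the request beside one that checks ownership first, and the sequential walk a logged-in user could perform against each. The record store, user names, IDs and SSNs are all constructed for the example.

```python
# Added example, not code from the original post or from PayMaxx: a minimal model
# of the W-2 lookup. All records, logins and IDs below are constructed sample data.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class W2:
    employee_id: int
    owner: str        # login that is entitled to see this form
    ssn: str
    gross_pay: int


# Constructed sample data. IDs are sequential, as the post describes.
W2_STORE = {
    1001: W2(1001, "alice", "123-45-6789", 52000),
    1002: W2(1002, "bob",   "987-65-4321", 61000),
    1003: W2(1003, "carol", "555-12-3456", 48000),
}


def get_w2_vulnerable(session_user: str, employee_id: int) -> Optional[W2]:
    """The flaw: the caller is authenticated (session_user is set), but the
    handler never checks that session_user owns employee_id. Any login can
    fetch any form simply by editing the ID in the link."""
    return W2_STORE.get(employee_id)


def get_w2_hardened(session_user: str, employee_id: int) -> Optional[W2]:
    """The fix: authorize against the *record*, not just the session.
    Missing IDs and IDs owned by someone else both return None, so the
    response does not tell an attacker which IDs exist."""
    record = W2_STORE.get(employee_id)
    if record is None or record.owner != session_user:
        return None
    return record


def harvest(lookup: Callable[[str, int], Optional[W2]],
            session_user: str, start: int, stop: int) -> List[Tuple[int, str]]:
    """Walk a contiguous ID range with one logged-in user, the way the post
    describes, and collect every (employee_id, ssn) the lookup hands back."""
    found = []
    for eid in range(start, stop + 1):
        record = lookup(session_user, eid)
        if record is not None:
            found.append((record.employee_id, record.ssn))
    return found


if __name__ == "__main__":
    # "bob" is a legitimate user who should only ever see his own W-2.
    print("vulnerable:", harvest(get_w2_vulnerable, "bob", 1000, 1010))
    print("hardened:  ", harvest(get_w2_hardened, "bob", 1000, 1010))
```

The ownership check in `get_w2_hardened` is the actual fix; replacing sequential IDs with random tokens only raises the cost of guessing and is no substitute for it. Note also that the hardened handler gives the same answer for "no such ID" and "not your ID", so the walk cannot even be used to count employees.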

Programmer error. The biggest danger for a software development company is the assumption that "someone else will catch it." Laziness, lack of process, gaps in the test plan—each one is a possible explanation. None of these excuses will assuage the fears of PayMaxx's clients.

Good code takes longer to produce, but it is worth it.

Via Slashdot Article, "100,000 More Social Security Numbers Exposed"
