By Will Sturgeon
Posted on ZDNet News: Nov 6, 2004 12:35:00 AM

British Internet bank Cahoot has plugged a flaw in its online security that could have enabled people to move freely in and out of other customers' accounts.

Cahoot took the site down for 10 hours while it fixed the flaw, according to a representative for Abbey, Cahoot's parent financial institution. The problem was likely the result of an upgrade 12 days ago. During the outage, the previous system was put in place, independently tested by Qinetiq and found to prevent the breach--indicating it was the systems upgrade that was responsible.

The vulnerability was discovered by a customer who had bookmarked areas of his online bank account, Abbey said. The customer was then able to access those areas on future visits to the site without entering anything other than a user name.

When the customer began tinkering with the site, he noticed he was also able to access other customers' accounts simply by guessing user names and then moving to a bookmarked page.
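The two behaviours described above, as an added example that is not Cahoot's code (which was never published): a handler that trusts the user name carried in a bookmarked URL beside one that binds access to a server-side session, with the regression check a bank would run against every account URL before an upgrade goes live. The account data, password check and user names are constructed placeholders.

```python
import secrets

ACCOUNTS = {"smithj": {"balance": 120}, "brownj": {"balance": 340}}  # constructed sample data
SESSIONS = {}  # session token -> authenticated user name (server side only)


def login(username, password):
    """Issues a session token after a credential check (stubbed with a placeholder password)."""
    if username not in ACCOUNTS or password != "correct-password":  # placeholder check
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def account_page_vulnerable(username, token=None):
    """The regressed behaviour: a bookmarked URL naming a user returns that account,
    whether or not anyone is logged in and regardless of who is logged in."""
    return ACCOUNTS.get(username)


def account_page_fixed(username, token=None):
    """Access is decided by the server-side session, never by the user name in the URL."""
    owner = SESSIONS.get(token)
    if owner is None or owner != username:
        return None  # no session, or a session belonging to a different customer
    return ACCOUNTS[username]


def deep_link_checks(handler):
    """Three checks a release test suite should run for every account URL.
    Returns True only if the handler passes all of them."""
    token = login("smithj", "correct-password")
    anonymous_blocked = handler("smithj") is None             # bookmarked URL, no session
    cross_account_blocked = handler("brownj", token) is None  # valid session, another customer's URL
    owner_allowed = handler("smithj", token) is not None      # the legitimate case still works
    return anonymous_blocked and cross_account_blocked and owner_allowed
```

Running `deep_link_checks` against both handlers shows the fixed one passing and the regressed one failing on the first check, which is the kind of test that would have caught the upgrade before it reached customers.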

The process of guessing user names is far from rocket science, given the likelihood of there being a number of variations on popular names such as John Smith or Jill Brown.

Security consultant Neil Barrett said that he had witnessed a number of tests of this method in a controlled environment. He confirmed that a common name, entered in the last name-first initial format, had yielded instant access to one account. Barrett also said he was shocked at how easy it was.

He added: "I think the ease with which it was possible to access these accounts may have been Cahoot's saving grace. It was so very simple, it is likely it fell below the radar of the hackers."

It's not uncommon for wannabe hackers to surf secure Web sites where they remove and replace parts of the URLs to try to gain access to accounts. Barrett said there was no specialist knowledge required in the Cahoot instance.

However, the Abbey representative said that the customer who discovered the flaw has been in touch regularly with the bank in the past "raising various security issues, all of which have been answered to his satisfaction."

Barrett believes Cahoot may not be the only bank affected. He warned that other financial institutions that have adopted the same system could "be open to the same level of exposure."

Will Sturgeon of Silicon.com reported from London.

Talkback (most recent of 3):

I Did Some Research And Found Out
http://www.ucolfaq.lug.org.uk/

Looks like Cahoot is working with Linux for their online services...won't say what flavor it is, but at least they caught the problem quickly and fixed it.......
Posted by: itanalyst, 11/08/04

Other talkbacks:
  • Wow! (EJHonda, 11/06/04)
  • And what is that "same system" that other banks may be using? (Judas I., 11/07/04)
  • I Did Some Research And Found Out (itanalyst, 11/08/04)
