KDnuggets : News : 2008 : n03 : item33

Briefs

Data mining Digg

ZDnet, January 29, 2008, by Richard Stiennon

Here is a beautiful example of poking around inside an application to gather what otherwise would be proprietary data. John Graham-Cumming has hacked the social bookmarking application Digg to discover how many registered users they have.

(The answer: about 2.7 million; another interesting finding: the number of spammer/abuser accounts banned by Digg: about 500k, or around 19% of registered users.)

He noticed that inside the HTML code associated with each user was the date they signed up and a unique user ID that he pretty convincingly argues is sequential and relates to the number of users at that date. Clever. And, potentially very damaging to the owners of Digg, who may be involved in valuation exercises with potential investors and may have other ways of telling their story. In other words, through an oversight they have left themselves vulnerable to a hacker who revealed confidential information.

Lesson learned: Question every sequential assigning of user IDs, whether they are exposed or not. It costs nothing at the beginning to code up a simple hash algorithm to obfuscate sequential data.
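
The lesson above, as an added example that is not part of the original article: an unkeyed hash of a sequential ID can be undone by anyone who recomputes it across the ID range, so the sketch below contrasts it with an HMAC under a server-side secret. The function names, the demo key and the 16-hex-character truncation are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; in production load a random secret from a secrets store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def unkeyed_public_id(user_id: int) -> str:
    """The 'simple hash' approach: SHA-256 of the sequential ID, no secret."""
    return hashlib.sha256(str(user_id).encode()).hexdigest()[:16]


def keyed_public_id(user_id: int, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 of the sequential ID under a server-side secret."""
    return hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()[:16]


def recover_by_enumeration(public_id: str, derive, upper_bound: int):
    """Recompute derive() for every candidate ID and compare with public_id.

    Returns the sequential ID that produces public_id, or None if none does.
    """
    for candidate in range(1, upper_bound + 1):
        if hmac.compare_digest(derive(candidate), public_id):
            return candidate
    return None


def audit(user_id: int, upper_bound: int = 50_000) -> dict:
    """Report whether each scheme reveals the sequential ID without the key."""
    wrong_key = b"guess"  # stands in for an outsider who lacks SERVER_KEY
    return {
        "unkeyed_recovered": recover_by_enumeration(
            unkeyed_public_id(user_id), unkeyed_public_id, upper_bound),
        "keyed_recovered": recover_by_enumeration(
            keyed_public_id(user_id),
            lambda i: keyed_public_id(i, wrong_key), upper_bound),
    }


if __name__ == "__main__":
    print(audit(31337))
```

The keyed identifier is stable for a given account, so it can be stored in an indexed column with a uniqueness constraint and used in pages and URLs in place of the internal counter.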
