
Breach Case 11: Open Sesame! Securing customer information against easy access Neil Sanson
4 February 2020 at 09:30


If organisations rely on secret passwords to secure customers' information, they need to ensure those secrets are near-impossible to guess. In the story Ali Baba and the Forty Thieves, Ali overhears the secret password "open sesame!" outside a cave of wonders and, after repeating it, gains access to a treasure trove. Secrets, like security measures, only protect people if no one overhears or guesses them.

On the internet, secret codes or numbers are commonly used by organisations to allow only certain people to access particular information. Sometimes organisations will email customers a personalised unique web address (a URL) so that they can, for example, check their account or the progress of a parcel that is being sent to them. If an obvious number sequence is used in these URLs, people may easily guess how to access another person's information just by looking at the URL they were given. A URL of this type might look like:

https://www.carelesscouriers.co.nz/packagetracking?packagenumber=123456

If a customer were to simply change the package number at the end of the web address, they could potentially see information about a different delivery.

This is poor security practice and can expose people's personal information. It is a simple way of giving customers access, but it is also unforgivable, as it has long been understood to be an unnecessary, bad practice. For an example of why this can matter, see here.

Easy access for customers to their information can still be provided by using randomly generated numbers as the unique part of the web address (URL) instead of their customer number or transaction number. Organisations should remember to shut down access to this information as soon as is reasonable after it is no longer required.
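The contrast the post draws, a URL that carries the sequential package number beside one that carries a randomly generated token, is shown below as an added example written for this page; it is not code from the case or from any courier's system. The delivery records, the one-week link lifetime and the in-memory token table are all constructed assumptions; the base URL is the one quoted in the post. The example also covers the post's advice to shut down access once it is no longer required, by giving each token an expiry and a revoke function.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data standing in for the courier's delivery database.
# The keys are the sequential package numbers the post warns about.
DELIVERIES = {
    123456: {"recipient": "Customer A", "status": "in transit"},
    123457: {"recipient": "Customer B", "status": "delivered"},
}

# Capability-token store: SHA-256(token) -> (package number, expiry time).
# Only the hash is kept, so a leaked copy of this table cannot be turned
# back into working links.
_TOKENS: dict = {}

TOKEN_LIFETIME_SECONDS = 7 * 24 * 3600  # assumption: links expire after one week
BASE_URL = "https://www.carelesscouriers.co.nz/packagetracking"  # URL from the post


def lookup_by_package_number(package_number: int) -> Optional[dict]:
    """The pattern the post describes: the URL parameter is the database key,
    so anyone can read another delivery just by changing the number."""
    return DELIVERIES.get(package_number)


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_tracking_link(package_number: int, now: Optional[float] = None) -> str:
    """Mint an unguessable tracking link for one delivery.

    secrets.token_urlsafe(32) gives 256 bits from the OS CSPRNG, so guessing a
    neighbouring link is infeasible; the mapping back to the package number
    exists only on the server."""
    if package_number not in DELIVERIES:
        raise KeyError(f"unknown package {package_number}")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[_token_hash(token)] = (package_number, now + TOKEN_LIFETIME_SECONDS)
    return f"{BASE_URL}?token={token}"


def revoke_token(token: str) -> None:
    """Shut down access once it is no longer required."""
    _TOKENS.pop(_token_hash(token), None)


def lookup_by_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Hardened lookup: only a valid, unexpired random token resolves to a delivery."""
    now = time.time() if now is None else now
    entry = _TOKENS.get(_token_hash(token))
    if entry is None:
        return None
    package_number, expires_at = entry
    if now >= expires_at:
        revoke_token(token)  # expired links are cleaned up on first use
        return None
    return DELIVERIES[package_number]


def token_from_url(url: str) -> Optional[str]:
    """Pull the token out of an emailed link, as the tracking endpoint would."""
    values = parse_qs(urlparse(url).query).get("token")
    return values[0] if values else None


if __name__ == "__main__":
    link = issue_tracking_link(123456)
    print("emailed link:", link)
    print("resolves to:", lookup_by_token(token_from_url(link)))
    print("neighbour by number:", lookup_by_package_number(123457))
```

With the numeric lookup, changing 123456 to 123457 returns another customer's record; with the token lookup, a link altered by a single character resolves to nothing, and a link past its lifetime stops working and is removed. Hashing the token before storage is a small extra step worth keeping: it means a read of the token table (for example in a backup) does not hand out live links.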

Additional technical information

If the access is to an account, rather than to a temporary single transaction, you should always consider using two-factor authentication as recommended by CERT NZ. See here for more information.

For more information about capability URLs there is a technical discussion here.

For more technical detail on the problem, see the OWASP Top 10 (i.e. the 10 most important things to do to secure your website) advice here.
