Norwegian tabloid Dagbladet revealed yesterday that several commercial and non-commercial sites can be exploited to perform identity theft.
In Norway, every person is assigned a unique number (‘fødselsnummer’ in Norwegian), similar to the US Social Security Number. Although legal restrictions apply, several sites use this number to uniquely identify a person.
In this particular case, a hacker created a tool that could reveal identity information by combining information from several sites. The process included the following steps:
- Generate a random identifier. The format and the algorithm for creating one are publicly known.
- Use site 1 to test whether the generated identifier is in use. This is possible because site 1 uses the number as the user name. The logon procedure acts differently depending on whether the user name exists.
- Use site 2 to get personal details about the person to which the generated identifier belongs. (Surname, given name, address)
This is of course possible because the sites are poorly designed and leak information (OWASP Top Ten vulnerability #6). The second mistake is that site number two uses the unique number for authentication.