
That's worse than SQL injection. Didn't they build ACL?


ACL is probably part of the problem here. Most ACLs are very inflexible and are "opt in". They probably had an ACL to block unregistered users from visiting the page, but it didn't deal with individual accounts.



