Accounting website's security breached
A startup US accounting website has tightened its security measures after a bug expert uncovered several vulnerabilities which could leave customer details exposed.
Bug hunter Jeffrey Baker said the website of Intacct.com, which provides web-hosted accounting services to medium-sized organisations, could be compromised by a malicious intruder who could build a database of customer details.
Baker took the rare step of singling out Intacct on the Bugtraq-moderated industry mailing list last weekend for failing to live up to claims over its security. He said he felt compelled to post the advisory because Intacct failed to respond to his initial emails.
In his posting Baker claimed the site contained three vulnerabilities, covering user sign-on procedures, cross-site scripting and problems with customer log-in cookies.
Attackers could log in, view and modify victims’ accounts, budgets and other data, change passwords and deny service by modifying Intacct billing information. No action is required on the part of the victim for these attacks to succeed, Baker reported.
Officials from Intacct have since acknowledged the vulnerabilities and said the company has its tightened security measures in response to the posting.