Bug hunter Jeffrey Baker said the website of Intacct.com, which provides web-hosted accounting services to medium-sized organisations, could be compromised by a malicious intruder who could build a database of customer details.
Baker took the rare step of singling out Intacct on the Bugtraq-moderated industry mailing list last weekend for failing to live up to claims over its security. He said he felt compelled to post the advisory because Intacct failed to respond to his initial emails.
In his posting Baker claimed the site contained three vulnerabilities, covering user sign-on procedures, cross-site scripting and problems with customer log-in cookies.
Attackers could log in, view and modify victims’ accounts, budgets and other data, change passwords and deny service by modifying Intacct billing information. No action is required on the part of the victim for these attacks to succeed, Baker reported.
Officials from Intacct have since acknowledged the vulnerabilities and said the company has tightened its security measures in response to the posting.