A UK child care voucher scheme has been taken off line after user Nick Gibbins found that the “web” application was exposing personal data for over one hundred thousand users. Gibbins found that the Busy Bees childcare voucher system was actually implemented using Citrix Metaframe, exporting the user interface from a Windows 2000 application to the desktop, by means of a Java plug-in on the web page.
On further examination, Gibbins then found, by clicking on an empty area of the application display, that a menu popped up which gave access to the data in the database. Gibbins was able to search on terms like ‘sort code’,’account number’,’BACS reference’ and ‘address’. Even worse, selecting any part of the search results form and pressing return opened a Windows 2000 file open dialogue, which gave access to any files on the Windows 2000 system. Gibbin says that he found the email addresses of every Busy Bees customer, payment logs and service logs with NI numbers, all without opening any DB files.
Read more on Heise Online
Thanks to Brian Honan for sending this link.