Fiserv, which provides financial technology for banks and other financial institutions, said it has fixed a weakness in a web platform. Brian Krebs wrote that the flaw in a Fiserv web platform, which some banks and credit unions use to operate online accounts, exposed some personal and financial details of customers.
Commenting on this, Adam Brown, manager of security solutions at Synopsys, said “While ultimately responsible for the software flaw that has allowed this vulnerability to surface across multiple financial institutions, what’s more alarming than Fiserv’s shortcomings in design is that this has not been unearthed by any of their customers. What happened to the basic activity of penetration testing? This is a super trivial flaw to identify and even the most junior web application penetration tester should be able to find it.
To avoid this kind of issue Fiserv would have had to go back to their design. Web applications should never allow users to access objects or controls directly. Indirect object reference maps should be used. That knowledge would be part of basic security training all software engineers should go through.
Fiserv may have some angry corporate customers, but ultimately the risk lies with those very organisations as the controllers of their own and their customers’ data. That said, it’s likely that Fiserv, as data processors, will also be held to account by privacy watchdogs.”
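As an added illustration of the indirect object reference map Brown recommends (example code written for this page, not Fiserv's software or anything from the article), the following Python contrasts a direct lookup by account number with a per-session map that only issues opaque tokens for objects the user owns. The account numbers, owners and balances are constructed sample data.

```python
import secrets

# Constructed sample records keyed by their real (direct) identifiers.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 250.00},
    1002: {"owner": "bob", "balance": 75.50},
}


def direct_lookup(account_id):
    """Direct object reference: the caller supplies the real key, and
    nothing ties that key to the logged-in user. Any caller who can
    guess or enumerate an account number reads that account."""
    return ACCOUNTS.get(account_id)


class IndirectReferenceMap:
    """Per-session map between opaque tokens and real identifiers.

    Tokens are minted only for objects the session's user is entitled to,
    so a reference the server never handed out resolves to nothing, and
    real identifiers never leave the server."""

    def __init__(self, user):
        self.user = user
        self._token_to_id = {}
        self._id_to_token = {}

    def reference_for(self, account_id):
        """Return the session's token for an account the user owns,
        or None (no token issued) for any account they do not."""
        record = ACCOUNTS.get(account_id)
        if record is None or record["owner"] != self.user:
            return None
        token = self._id_to_token.get(account_id)
        if token is None:
            token = secrets.token_urlsafe(16)  # unguessable, session-local
            self._id_to_token[account_id] = token
            self._token_to_id[token] = account_id
        return token

    def resolve(self, token):
        """Map a token back to a real identifier; unknown tokens resolve
        to None rather than to any record."""
        return self._token_to_id.get(token)


def indirect_lookup(session, token):
    """Hardened lookup: the client only ever sees and sends tokens, and the
    ownership check happened when the token was minted. The owner is
    re-checked here as defence in depth."""
    account_id = session.resolve(token)
    record = ACCOUNTS.get(account_id) if account_id is not None else None
    if record is None or record["owner"] != session.user:
        return None
    return record
```

Because each session mints its own tokens, the same account is referenced by different values in different sessions, so a token captured from one session is useless in another.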