If you’re taking an exam to test your skills as an Internet security professional, do you get extra credit for schooling the organization that hosts the test? If that organization is the International Information Systems Security Certification Consortium (ISC)² — the non-profit that administers the Certified Information Systems Security Professional (CISSP) exam — the answer is “no,” but you might get a nice ‘thank you’ from the head of the organization.
Last month, I heard from Alex Holden, a security consultant who is quite gifted at quickly identifying security holes in Internet-facing things. Holden was visiting the site to pay his annual CISSP membership dues, and was getting ready to fork over the $85 annual fee when he noticed a glaring weakness in the organization’s checkout page: the URL it produced carried all of his registration details, including the fee amount, as plain query-string parameters that anyone could read and edit.
The site hadn’t yet requested his credit card, but Holden found that he could skip the payment process merely by changing the $85 amount in the URL produced by the checkout page to a negative number. Clicking submit after that change was made produced an email congratulating him on his successful renewal.
Holden said he was surprised to find that a security organization like (ISC)² would fail to take the basic precaution of encrypting all form data submitted on its site. He noted that, while he didn’t attempt further tests, the same method likely would have worked to check out without paying for other items on (ISC)²’s site, including (ISC)² conference registrations and the CISSP exam, which (ISC)² exclusively administers.
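The flaw Holden found is a classic parameter-tampering bug: the server accepted whatever amount the client's URL carried. The toy Python handler below, added here as an example rather than code from the article or from (ISC)², shows the vulnerable logic beside a hardened version that derives the price from the item on the server side and refuses any request whose amount disagrees. The item name, the $85 price-list entry, the parameter names and the example.test URLs are assumptions for illustration, not (ISC)²'s real checkout.

```python
"""
Added example (not code from the original article or from (ISC)²): a toy
checkout handler showing the class of bug described above, a client-supplied
price in the URL, next to the server-side fix. Item names, prices and the
query strings are constructed for illustration.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side price list (assumed; not (ISC)²'s real catalogue).
CATALOGUE = {
    "membership_renewal": Decimal("85.00"),
}


def _params(url: str) -> dict:
    """Flatten the query string of a URL into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_checkout(url: str) -> dict:
    """Trusts the 'amount' the client sent, the pattern the article describes.

    A negative or zero amount sails through as a 'successful' renewal because
    nothing compares the client's figure with the real price; the only thing
    that happens is that there is nothing to charge.
    """
    p = _params(url)
    try:
        amount = Decimal(p.get("amount", "0"))
    except InvalidOperation:
        return {"status": "error", "reason": "bad amount"}
    charged = amount if amount > 0 else Decimal("0")  # nothing to charge
    # Renewal is confirmed without ever consulting the server's price list.
    return {"status": "renewed", "charged": charged, "member": p.get("member")}


def hardened_checkout(url: str) -> dict:
    """Derives the price from the item on the server and rejects mismatches.

    The client-supplied 'amount' is only a consistency check against the
    server's own price; it never decides what is charged.
    """
    p = _params(url)
    item = p.get("item")
    if item not in CATALOGUE:
        return {"status": "rejected", "reason": "unknown item"}
    price = CATALOGUE[item]
    try:
        claimed = Decimal(p.get("amount", ""))
    except InvalidOperation:
        return {"status": "rejected", "reason": "bad amount"}
    if price <= 0 or claimed != price:
        # Tampered or stale price: do not charge, do not renew.
        return {"status": "rejected", "reason": "price mismatch"}
    return {"status": "renewed", "charged": price, "member": p.get("member")}


# Constructed request URLs (host and parameter names are assumptions).
HONEST_URL = "https://example.test/checkout?member=12345&item=membership_renewal&amount=85.00"
TAMPERED_URL = "https://example.test/checkout?member=12345&item=membership_renewal&amount=-85.00"

if __name__ == "__main__":
    for url in (HONEST_URL, TAMPERED_URL):
        print("vulnerable:", vulnerable_checkout(url))
        print("hardened:  ", hardened_checkout(url))
```

Whether the value in the URL is plain or opaque matters less than who decides it: if the server recomputes the charge from its own catalogue, a tampered amount is rejected regardless of how it was encoded on the wire.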
“My personal habit, anytime I submit an electronic payment, is to look at the URL to see if it is HTTPS and on a site that I expect to be (vs fake sites),” Holden said, explaining how he discovered the embarrassing bug.
(ISC)² Executive Director W. Hord Tipton said the vulnerability Holden reported also was discovered internally in the organization’s annual penetration tests, but that the bug was erroneously flagged as ‘non-exploitable.’
In any case, although some 2,000 security professionals register with the site to take the CISSP exam each month, (ISC)² found no indications that anyone else had previously exploited this weakness to avoid paying for the organization’s events or certifications. (ISC)² thanked Holden for reporting the bug, and noted that the URL at checkout is now using encrypted values instead of plain text.
“We’re a highly security-conscious outfit, but sometimes we aren’t as secure as we ought to be,” Tipton said.