If you’re taking an exam to test your skills as an Internet security professional, do you get extra credit for schooling the organization that hosts the test? If that organization is the International Information Systems Security Certification Consortium (ISC)² — the non-profit that administers the Certified Information Systems Security Professional (CISSP) exam — the answer is “no,” but you might get a nice ‘thank you’ from the head of the organization.
Last month, I heard from Alex Holden, a security consultant who is quite gifted at quickly identifying security holes in Internet-facing things. Holden was visiting the site to pay his annual CISSP membership dues, and was getting ready to fork over the $85 annual fee when he noticed a glaring weakness in the organization’s checkout page: The URL listed all of his registration information in plaintext.
The site hadn’t yet requested his credit card, but Holden found that he could skip the payment process merely by changing the $85 amount in the URL produced by the checkout page to a negative number. Clicking submit after that change was made produced an email congratulating him on his successful renewal. Continue reading →