O'Reilly Leaks Geeks' Info

Call it a case of "do what we say, not what we do." Hardcore geek publishing house O'Reilly & Associates recently exposed their database of approximately 100,000 online users to outsiders, courtesy of a Web coding slip-up that their techie customer base might scoff at.

O'Reilly's main Web site, as well as connected sites like and, offer visitors free password-protected accounts for posting comments and subscribing to the publisher's e-mail lists.

Until Monday, clicking on a link for reviewing and changing your user profile would land you at a URL of the form

It turns out the number at the end is a sequentially-assigned user I.D., and by simply substituting other numbers one could browse or modify other people's profiles. The profiles include full name and email addresses, and, more rarely, physical mailing address, employer, title and phone number.

No credit card numbers or purchase histories were revealed through the gaffe, but the publisher of titles like "Computer Security Basics" and "Web Security, Privacy & Commerce" -- as well as the standard texts on PERL and CGI programming -- should consider giving free copies to their Web development team, suggests 19-year-old Jeremiah Jacks, the coder who discovered the flaw and reported it to O'Reilly.

"It kind of goes to show that just because they preach about writing secure code, it doesn't mean the people behind the site are writing secure code," says Jacks, a computer security consultant with Point Blank Security.

Jacks has a knack for bird-dogging Web security blunders -- last March fashion retailer Guess closed a hole he discovered that made customer credit card numbers accessible from the Web. He credits O'Reilly with plugging their leak quickly Monday. "They added code that checks to see if you have rights to view the profile," says Jacks.
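The defect the article describes, a profile record selected purely by a sequential ID taken from the URL, and the kind of ownership check O'Reilly added, shown side by side as an added example (this is illustrative code, not O'Reilly's site code; the profile store, IDs, session names and request log are all constructed, and the enumeration detector is an added defender-side illustration the article does not mention):

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Profile:
    user_id: int
    name: str
    email: str

# Constructed sample store standing in for the site's user database.
PROFILES = {
    1001: Profile(1001, "Alice Example", "alice@example.invalid"),
    1002: Profile(1002, "Bob Example", "bob@example.invalid"),
    1003: Profile(1003, "Carol Example", "carol@example.invalid"),
}

def view_profile_vulnerable(session_user_id: int, requested_id: int) -> Optional[Profile]:
    """Before the fix: the ID parsed from the URL is trusted as-is, so any
    logged-in user can step through the sequential IDs and read every record."""
    return PROFILES.get(requested_id)

def view_profile_fixed(session_user_id: int, requested_id: int) -> Optional[Profile]:
    """After the fix: the handler checks that the authenticated session owns
    the requested record before returning it (object-level authorization)."""
    if requested_id != session_user_id:
        return None  # deny: the record belongs to someone else
    return PROFILES.get(requested_id)

def update_email_fixed(session_user_id: int, requested_id: int, new_email: str) -> bool:
    """Same ownership check on the write path, since the article notes
    profiles could be modified as well as browsed."""
    if requested_id != session_user_id or requested_id not in PROFILES:
        return False
    PROFILES[requested_id].email = new_email
    return True

# Constructed access-log entries: (session, requested profile id).
ACCESS_LOG = [
    ("sess-A", 1001), ("sess-A", 1001),
    ("sess-B", 1001), ("sess-B", 1002), ("sess-B", 1003), ("sess-B", 1004),
]

def flag_enumeration(log, threshold: int = 3) -> set:
    """Detection aid: a legitimate user touches their own profile; a session that
    requests many distinct IDs is walking the sequence. Returns flagged sessions."""
    seen: dict = {}
    for session, pid in log:
        seen.setdefault(session, set()).add(pid)
    return {s for s, ids in seen.items() if len(ids) >= threshold}
```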

The company couldn't answer how long the hole had been in place. "As far as we know, no one but Jeremiah was able to get in," says spokesperson Lisa Mann.

By Kevin Poulsen
