Whitehat CCC hacker thoroughly pwns N26 bank — there’s a lot of small leaks and insecurities here. Sounds like N26 are dealing with them though
‘For decades, the transaction concept has played a central role in database research and development. Despite this prominence, transactional databases today often surface much weaker models than the classic serializable isolation guarantee—and, by default, far weaker models than alternative,“strong but not serializable” models such as Snapshot Isolation. Moreover, the transaction concept requires the programmer’s involvement: should an application programmer fail to correctly use transactions by appropriately encapsulating functionality, even serializable transactions will expose programmers to errors. While many errors arising from these practices may be masked by low concurrency during normal operation, they are susceptible to occur during periods of abnormally high concurrency. By triggering these errors via concurrent access in a deliberate attack, a determined adversary could systematically exploit them for gain. In this work, we defined the problem of ACIDRain attacks and introduced 2AD, a lightweight dynamic analysis tool that uses traces of normal database activity to detect possible anomalous behavior in applications. To enable 2AD, we extended Adya’s theory of weak isolation to allow efficient reasoning over the space of all possible concurrent executions of a set of transactions based on a concrete history, via a new concept called an abstract history, which also applies to API calls. We then applied 2AD analysis to twelve popular self-hosted eCommerce applications, finding 22 vulnerabilities spread across all but one application we tested, affecting over 50% of eCommerce sites on the Internet today. We believe that the magnitude and the prevalence of these vulnerabilities to ACIDRain attacks merits a broader reconsideration of the success of the transaction concept as employed by programmers today, in addition to further pursuit of research in this direction. Based on our early experiences both performing ACIDRain attacks on self-hosted applications as well as engaging with developers, we believe there is considerable work to be done in raising awareness of these attacks—for example, via improved analyses and additional 2AD refinement rules (including analysis of source code to better highlight sources of error)—and in automated methods for defending against these attacks—for example, by synthesizing repairs such as automated isolation level tuning and selective application of SELECT FOR UPDATE mechanisms. Our results here—as well as existing instances of ACIDRain attacks in the wild—suggest there is considerable value at stake.’
tl;dr: this is not going to happen and we are fucked.
jomsdev notes: ‘Last year, in the AofA’16 conference Robert Sedgewick proposed a new algorithm for cardinality estimation. Robert Sedgwick is a professor at Princeton with a long track of publications on combinatorial/randomized algorithms. He was a good friend of Philippe Flajolet (creator of Hyperloglog) and HyperBitBit it’s based on the same ideas. However, it uses less memory than Hyperloglog and can provide the same results. On practical data, HyperBitBit, for N < 2^64 estimates cardinality within 10% using only 128 + 6 bits.'