The problem was a result of an upgrade 12 days ago and was discovered by a customer who had bookmarked areas of his online bank account. He then discovered he was able to access those areas on future visits to the site without entering any more than his user name.
When he began tinkering with the site he discovered he was also able to access other customers' accounts simply by guessing user names and then moving to a bookmarked page.
The process of guessing user names is far from rocket science given the likelihood of there being a number of variations on popular names - such as John Smith or Jill Brown.
Security consultant Neil Barrett told ZDNet UK sister site silicon.com this morning that he had witnessed a number of tests of this method in a controlled environment and confirmed one such common name, written in surname and first initial format, yielded instant access to one account. Barrett also said he was shocked at how easy it was.
He added: "I think the ease with which it was possible to access these accounts may have been Cahoot's saving grace. It was so very simple it is likely it fell below the radar of the hackers."
It's not uncommon for wannabe hackers to surf secure Web sites removing and replacing parts of a URL in an attempt to gain access to accounts, but Barrett confirmed there was no specialist knowledge required in this instance.
However, a spokeswoman for Abbey told ZDNet UK sister site silicon.com this morning that the customer who discovered the flaw has been in touch regularly with the bank in the past "raising various security issues, all of which have been answered to his satisfaction". It would appear his concerns over the latest discovery were justified.
Cahoot was forced to take the site down for 10 hours while it fixed the flaw.
The Abbey spokeswoman said during that time the previous system was put in place and independently tested by Qinetiq and found to prevent this particular breach -- confirming it was the systems upgrade which was responsible.
Barrett believes Cahoot may not be only bank affected, warning that others who have adopted the same system could "be open to the same level of exposure".
