by ryanlm 3531 days ago
I'm assuming that the relevant code is simply an if statement checking for the existence of the URL parameters, not even checking if the security questions are correct.

    if (isset($_GET['securityQuestion0'])) {
        // success
    }

This is negligence on the developers' part and I think they should be disciplined.
2 comments

Or they designed it to show a variable number of security questions (so management could come along and say "we need 4 questions now" without causing havoc). Then they'd iterate through the responses, verifying them against the appropriate question. Simply forgetting to enforce that the number of questions asked has to equal the number of responses sent would cause the described vulnerability.
That doesn't actually make sense, since the exploit is to leave securityQuestion0 unset...
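
The count-mismatch bug suggested in the first reply, sketched as an added example (not code from the site under discussion or from any commenter): one verifier loops over the answers the request sent, the other over the questions the server asked. The parameter names follow the post; the function names, stored answers and sample requests are constructed for illustration.

```php
<?php
// Constructed sample data: normalized answers on file for one account.
$expected = ['securityQuestion0' => 'rex', 'securityQuestion1' => 'lisbon'];

// Flawed: iterates over whatever the client sent, so the request decides
// how many checks run. No submitted answers means no comparisons at all.
function verify_submitted_only(array $params, array $expected): bool
{
    foreach ($params as $name => $value) {
        $name = (string) $name;
        if (strpos($name, 'securityQuestion') !== 0) {
            continue; // unrelated parameter
        }
        if (!isset($expected[$name]) || !is_string($value)
            || !hash_equals($expected[$name], strtolower(trim($value)))) {
            return false;
        }
    }
    return true; // also reached when the loop never compared anything
}

// Hardened: iterates over the questions the server asked. A missing,
// non-string or wrong answer to any of them fails the whole check.
function verify_all_expected(array $params, array $expected): bool
{
    if ($expected === []) {
        return false; // no questions on file: fail closed
    }
    $ok = true;
    foreach ($expected as $name => $answer) {
        $given = $params[$name] ?? null;
        if (!is_string($given) || !hash_equals($answer, strtolower(trim($given)))) {
            $ok = false; // keep looping so every question is always evaluated
        }
    }
    return $ok;
}

// Constructed requests standing in for $_GET.
$requests = [
    'both correct'  => ['securityQuestion0' => 'Rex', 'securityQuestion1' => 'Lisbon'],
    'one wrong'     => ['securityQuestion0' => 'Rex', 'securityQuestion1' => 'Porto'],
    'only one sent' => ['securityQuestion1' => 'Lisbon'],
    'none sent'     => ['user' => 'alice'],
];
foreach ($requests as $label => $params) {
    printf("%-14s flawed=%-5s hardened=%s\n", $label,
        var_export(verify_submitted_only($params, $expected), true),
        var_export(verify_all_expected($params, $expected), true));
}
```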