http://www.wired.com/news/ebiz/0,1272,44613,00.html

By Michelle Delio
June 18, 2001

Consumers who refuse to make online purchases because of security concerns have another story to reinforce their fears.

This one involves the computer goods site ComputerHQ.com, where a small mistake in the site's scripting exposed the credit card numbers and other personal information of thousands of its customers -- perhaps for as long as a year.

The programmer who discovered the problem was using a URL the company included on his invoice when he went to check an order of his own -- and has spent the past few days unsuccessfully trying to get the company to acknowledge and then fix the hole.

The site was up and down throughout the weekend, but each time it reappeared it had the same hole, exposing more than 15,000 transactions.

"This is madness," said Keith Little, a self-employed computer consultant, who discovered the hole. "The stupidity of this is beyond belief. Well, OK, I've been around a while. It's not quite beyond belief."

The security hole was exploitable only if the customer records were viewed with a browser that had JavaScript disabled. But the URL that gave anyone access to the company's customer records is printed on the bottom of every ComputerHQ invoice.

Little contacted ComputerHQ representatives about the problem on Saturday and Sunday, and explained that a few simple fixes would protect the data. He said that each time he spoke with someone at ComputerHQ, the site was immediately taken offline, only to return a few hours later with the security hole still intact.

When he noticed that the site was up and running yet again on Monday, and the data was still exposed, Little was furious.

Wired News' efforts to contact ComputerHQ officials proved fruitless.

Customers whose credit card details were exposed on the ComputerHQ site found it hard to believe that the company had not contacted them about the problem as soon as Little alerted ComputerHQ to the security hole.
Jeffrey Jones, a government employee in Carriere, Mississippi, was "shocked" when contacted and informed that his credit card number, its expiration date, his home and business addresses and phone numbers and other details of his order were exposed on the company's website.

"I can't believe this, this certainly isn't the best way to start off a Monday morning," said Jones.

Matthew Novack, an IBM employee, contacted ComputerHQ on Monday morning after being notified of the security problem by Wired News. Novack said that a ComputerHQ manager told him the problem had been corrected over the weekend.

"But obviously this was not the case since you intercepted my order this morning at 7:29. He immediately had his developer shut down the site," Novack said.

The manager then called Novack back and said that "the initial fix that was implemented on Saturday still had a workaround and that the final patch was installed at 11:30 and would prevent this workaround."

Novack said that although he appreciated the manager's prompt action in taking the site offline to protect other consumers, "it still leaves the question as to the information that was retrieved by you and possibly others."

As of noon EDT on Monday, none of the 14 ComputerHQ customers contacted by Wired News had received any independent notification from the company that their data had been exposed on the ComputerHQ website.

"They should have called in their staff Saturday and started e-mailing and calling us to let us know that our credit card and other personal data was on the Web for the world to see," said one ComputerHQ customer, who requested that her name not be used.

Other customers responded with anger when their credit card numbers, details of their order and their addresses were relayed to them by phone.

"You hacked into the site, didn't you? How else could you see all this information? If you didn't hack into it, then someone else did and you're as bad as them for looking at my information.
You should have just turned the computer off and walked away," said Tom Bellflour, a ComputerHQ client, who said he had ordered products using his girlfriend's credit card.

Little discovered the hole when a client ordered a hard drive from the ComputerHQ site and had it shipped directly to Little. The drive was faulty, and Little returned it for a replacement. Later, when checking some details of the order, Little noticed that the order form included a URL that contained the original order number.

"Speculatively, I typed into the location input on my browser that URL and I found myself looking at the order, complete with all components purchased, full personal details, credit card number and all," Little said.

Little then changed the order number in the URL by one digit and saw someone else's order, complete with credit card number, expiration date and other personal details. He was able to access dozens of orders, the earliest dating back a year.

At that point, Little said, it would have been a trivial task of a few minutes' work to write a bit of code that could have grabbed all 15,000-plus orders and downloaded them to his hard drive.

"I'd have been insane to do so, of course. I was working from my own dialup account. On the other hand, I presume these people were so clueless they may never have known," Little said.

Instead, Little called the company and asked to talk to the system administrator about a serious security problem. He was connected to a supervisor, who insisted that a zip code had to be entered in order to access customers' records.

Little explained that any Web browser with JavaScript disabled was able to view the records without entering the zip code. The pop-up window, which requested the viewer's zip code as a password, does not appear when JavaScript is disabled; instead the user is whisked directly to the order forms.
The supervisor followed Little's directions, disabled JavaScript, entered an order URL and was able to view the order forms.

"I think I actually heard the blood drain from his face over the phone," Little said.

Little wonders why a company would use an easily guessable five-digit number as a password in any case. "Even if zip codes were required to access specific records, wouldn't someone have figured out by now that 5-digit numbers most certainly do not make good passwords?"

Little, along with other technicians who were asked to look at the site, says the problem is caused by an ASP page -- Microsoft's scripted Web page system -- that is intended only for printing out orders by staff at the company.

The program sends the entire customer record when a viewer requests it, at the same time as it asks for a zip code to verify the user's identity by means of a JavaScript pop-up window. With JavaScript enabled, which is the default setting on all browsers, the record stays hidden behind the pop-up, and only the pop-up is seen. But if users disable JavaScript -- as some people do to avoid pop-ups and other advertising -- the entire customer record is displayed immediately.

The problem is not inherent in the Microsoft software, but in the way ComputerHQ's system administrator or Web designer built the site, Little said. "It's just a matter of how the script is written. Presumably, while the code that produces the pop-up was made conditional in input (the lack of a zip code), the actual output of the data was not made conditional on the same factor."

Little said that this is a fairly simple error to correct, as well as a simple error to make -- an issue that concerns him. "It is conceivable that whoever designed their system has also designed others. I haven't looked over their site nor examined the code of their pages to see if they use some outside service for their site's management."
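The pattern Little describes, written out as an added example that is not ComputerHQ's code or the article's: a stand-in for the order-lookup ASP page in plain JavaScript (Node, no dependencies), with the order numbers, zip codes and card numbers constructed for the demonstration. `vulnerablePage` emits the zip-code pop-up only when no zip was supplied but writes the record in that branch anyway, so a client that does not run scripts sees it; `harvest` does what Little said would take a few minutes of coding, walking sequential order numbers; `hardenedPage` collects the zip with a plain HTML form, checks it on the server before anything from the record is written, answers unknown orders and wrong zips identically, and shows only the last four card digits (the masking is an addition beyond the fix the article describes).

```javascript
// Added example, not ComputerHQ's code.  The records below are constructed
// sample data; order 1301 mirrors the earliest order number in the article.
const ORDERS = new Map([
  [1301, { name: "A. Customer", zip: "39426", card: "4111111111111111", exp: "07/02", items: ["hard drive"] }],
  [1302, { name: "B. Customer", zip: "10001", card: "5500000000000004", exp: "01/03", items: ["memory"] }],
  [1303, { name: "C. Customer", zip: "90210", card: "340000000000009", exp: "12/02", items: ["monitor"] }],
]);

function renderOrder(order, maskCard) {
  // An order-status page never needs the full card number; the hardened page masks it.
  const card = maskCard ? "**** **** **** " + order.card.slice(-4) : order.card;
  return `<h1>Order for ${order.name}</h1><p>Card ${card} exp ${order.exp}</p>` +
    `<ul>${order.items.map((i) => `<li>${i}</li>`).join("")}</ul>`;
}

// Vulnerable pattern (the logic the article attributes to the ASP page): the
// pop-up is emitted only when no zip was supplied, but the record is written
// in that branch too, right behind the script.  With JavaScript on, prompt()
// and location.replace() run before the user sees anything, so the page looks
// gated.  With JavaScript off, or from curl, the script is inert text and the
// record is simply displayed.
function vulnerablePage(params) {
  const order = ORDERS.get(Number(params.order));
  if (!order) return { status: 404, body: "No such order." };
  if (params.zip === undefined) {
    const popup = `<script>location.replace("?order=${Number(params.order)}&zip=" +` +
      ` encodeURIComponent(prompt("Enter the zip code on your order")));</script>`;
    return { status: 200, body: popup + renderOrder(order, false) }; // the bug: unconditional output
  }
  if (params.zip === order.zip) return { status: 200, body: renderOrder(order, false) };
  return { status: 200, body: "<p>Zip code does not match this order.</p>" };
}

// Constant-time string compare so the zip check does not leak by timing.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened version: the zip is collected with a plain form (no scripting
// needed) and verified on the server; nothing from the record is written
// until the check passes.  Unknown order numbers and wrong zips get the same
// reply, so walking order numbers cannot confirm which ones exist.
function hardenedPage(params) {
  const n = Number(params.order);
  if (!Number.isInteger(n) || n <= 0) return { status: 400, body: "Bad order number." };
  if (params.zip === undefined) {
    return { status: 200, body: `<form method="post"><input type="hidden" name="order" value="${n}">` +
      `Zip code: <input name="zip" maxlength="5"><input type="submit"></form>` };
  }
  const order = ORDERS.get(n);
  if (!order || !constantTimeEqual(String(params.zip), order.zip)) {
    return { status: 403, body: "Order number and zip code do not match." };
  }
  return { status: 200, body: renderOrder(order, true) };
}

// What Little described doing by hand: walk sequential order numbers with no
// zip, as a script-free client would, and pull card numbers out of the HTML.
function harvest(page, from, to) {
  const found = [];
  for (let n = from; n <= to; n++) {
    const m = page({ order: String(n) }).body.match(/Card (\d{13,16})\b/);
    if (m) found.push({ order: n, card: m[1] });
  }
  return found;
}

console.log(harvest(vulnerablePage, 1300, 1305)); // three records, cards in the clear
console.log(harvest(hardenedPage, 1300, 1305));   // nothing: every reply is a zip form
```

Even the hardened page is only as strong as the secret it checks: as Little points out, a five-digit zip against a sequential order number is a small search, so a real deployment would also tie the lookup to a login or a long random token on the invoice URL and rate-limit failed attempts. The lesson of the example itself is narrower: a check that runs in the browser protects nothing, because the browser is under the viewer's control; the server must withhold the data until it has verified the request.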
Little said the earliest order he was able to view was No. 1301, dated July 2000.

Little said that if he was able to figure out how to get into the database, chances are other people could have figured out that they just needed to disable JavaScript, too.

"(Computer HQ) was sending out the exploitable URL on every invoice they shipped. It would truly be a miracle if no one discovered it before I did."

ISN is hosted by SecurityFocus.com
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 02:03:41 PDT