[ISN] HQ for Exposed Credit Numbers

From: InfoSec News (isnat_private)
Date: Tue Jun 19 2001 - 01:36:28 PDT


    http://www.wired.com/news/ebiz/0,1272,44613,00.html
    
    By Michelle Delio 
    June 18, 2001
    
    Consumers who refuse to make online purchases for security concerns
    have another story to reinforce their fears.
    
    This one involves computer goods site ComputerHQ.com, where a small
    mistake in how the site relied on client-side JavaScript exposed the
    credit card numbers and other personal information of thousands of its
    customers -- perhaps for as long as a year.
    
    The programmer who discovered the problem was using a URL the company
    included on his invoice when he went to check an order of his own --
    and has spent the past few days unsuccessfully trying to get the
    company to acknowledge and then fix the hole.
    
    The site was up and down throughout the weekend, but each time it
    reappeared, it had the same hole, exposing more than 15,000
    transactions.
    
    "This is madness," said Keith Little, a self-employed computer
    consultant, who discovered the hole. "The stupidity of this is beyond
    belief. Well, OK, I've been around a while. It's not quite beyond
    belief."
    
    The security hole was exploitable only if the customer records were
    viewed with a browser that had JavaScript disabled. But the URL that
    allowed anyone access to the company's customer records is printed on
    the bottom of every ComputerHQ invoice.
    
    Little contacted ComputerHQ representatives about the problem on
    Saturday and Sunday, and explained that a few simple fixes would
    protect the data.
    
    He said each time he spoke with someone at ComputerHQ, the site was
    immediately taken offline, only to return a few hours later with the
    security hole still intact.
    
    When he noticed that the site was up and running yet again on Monday,
    and the data was still exposed, Little was furious.
    
    Wired News' efforts to contact ComputerHQ officials proved fruitless.
    
    Customers whose credit card details were exposed on the Computer HQ
    site found it hard to believe that the company had not contacted them
    about the problem as soon as Little alerted ComputerHQ about the
    security hole.
    
    Jeffrey Jones, a government employee in Carriere, Mississippi, was
    "shocked" when contacted and informed that his credit card number, its
    expiration date, his home and business addresses and phone numbers and
    other details of his order were exposed on the company's website.
    
    "I can't believe this, this certainly isn't the best way to start off
    a Monday morning," said Jones.
    
    Matthew Novack, an IBM employee, contacted ComputerHQ on Monday
    morning after being notified of the security problem by Wired News.
    
    Novack said that a ComputerHQ manager told him the problem had been
    corrected over the weekend.
    
    "But obviously this was not the case since you intercepted my order
    this morning at 7:29. He immediately had his developer shut down the
    site," Novack said.
    
    The manager then called back Novack and said that "the initial fix
    that was implemented on Saturday still had a workaround and that the
    final patch was installed at 11:30 and would prevent this workaround."
    
    Novack said that although he appreciated the manager's prompt action
    in taking the site offline to protect other consumers, "it still
    leaves the question as to the information that was retrieved by you
    and possibly others."
    
    As of noon EDT on Monday, none of the 14 ComputerHQ customers who were
    contacted by Wired News had received any independent notification from
    the company that their data had been exposed on the ComputerHQ
    website.
    
    "They should have called in their staff Saturday and started e-mailing
    and calling us to let us know that our credit card and other personal
    data was on the Web for the world to see," said one ComputerHQ
    customer, who requested her name not be used.
    
    Other customers responded with anger when their credit card numbers,
    details of their order and their addresses were relayed to them by
    phone.
    
    "You hacked into the site, didn't you? How else could you see all this
    information? If you didn't hack into it, then someone else did and
    you're as bad as them for looking at my information. You should have
    just turned the computer off and walked away," said Tom Bellflour, a
    ComputerHQ client, who said he ordered products using his girlfriend's
    credit card.
    
    Little discovered the hole when a client ordered a hard drive from the
    ComputerHQ site and had it shipped directly to Little.
    
    The drive was faulty, and Little returned it for a replacement. Later,
    when checking some details of the order, Little noticed that the order
    form included a URL that contained the original order number.
    
    "Speculatively, I typed into the location input on my browser that URL
    and I found myself looking at the order, complete with all components
    purchased, full personal details, credit card number and all," Little
    said.
    
    Little then changed the order number in the URL by one digit and saw
    someone else's order, complete with credit card number, expiration
    date and other personal details. He was able to access dozens of
    orders, the earliest dating back a year ago.
    
    At that point, Little said it would have been a trivial task of a few
    minutes' work to write a bit of code that could have grabbed all
    15,000 plus orders and downloaded them to his hard drive.
    
    "I'd have been insane to do so, of course. I was working from my own
    dialup account. On the other hand, I presume these people were so
    clueless they may never have known," Little said.
    
    Instead, Little called the company, and asked to talk to the system
    administrator about a serious security problem. He was connected to a
    supervisor, who insisted that a zip code had to be entered in order to
    access customers' records.
    
    Little explained that any Web browser with JavaScript disabled was
    able to view the records without entering the zip code.
    
    The pop-up window, which requested the viewer's zip code as a
    password, does not appear when JavaScripting is disabled, and instead
    the user is whisked directly to the order forms.
    
    The supervisor followed Little's directions, disabled JavaScripting,
    entered an order URL and was able to view the order forms.
    
    "I think I actually heard the blood drain from his face over the
    phone," Little said.
    
    Little wonders why a company would use an easily crackable five-digit
    number as a password in any case.
    
    "Even if zip codes were required to access specific records, wouldn't
    someone have figured out by now that 5-digit numbers most certainly do
    not make good passwords?"
    
    Little, along with other technicians who were asked to look at the
    site, say the problem is being caused by an ASP page -- Active Server
    Pages, Microsoft's server-side scripting system -- which is intended
    only for staff at the company to print out orders.
    
    The program passes along the entire customer record when a viewer
    requests it, at the exact same time that it is asking for a zip code
    as verification of the user's identity by means of a JavaScript pop-up
    window.
    
    With JavaScript enabled, which is the default setting on all browsers,
    the record stays hidden and only the pop-up is seen.
    
    But if users disable JavaScripting -- as some people do to avoid
    pop-ups and other advertising -- the entire customer record is
    immediately displayed.
    
    The problem is not inherent in the Microsoft software, but in the way
    the system administrator or Web designer of Computer HQ has designed
    the site, Little said.
    
    "It's just a matter of how the script is written. Presumably, while
    the code that produces the pop-up was made conditional in input (the
    lack of a zip code), the actual output of the data was not made
    conditional on the same factor."
    
    Little said that this is a fairly simple error to correct, as well as
    a simple error to make -- an issue that concerns him.
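    The pattern Little describes -- the server writes the whole record into
    the page and leaves a JavaScript pop-up to hide it -- together with the
    order-number enumeration he says would take minutes to script, shown as
    an added Python example. This is not ComputerHQ's ASP code or anything
    from the article; the order records, order numbers, zip codes, card
    numbers and the "owner" session binding in the hardened version are all
    constructed for the example, and the assumption that the zip comparison
    happened in the browser is the example's own, the article does not say
    where it happened.

```python
import html
import re

# Constructed sample order table (not ComputerHQ data). Keys are sequential
# order numbers of the kind the article says appeared in invoice URLs.
ORDERS = {
    1301: {"owner": "alice", "name": "A. Customer", "zip": "39426",
           "card": "4111111111111111", "exp": "07/02"},
    1302: {"owner": "bob", "name": "B. Customer", "zip": "10001",
           "card": "5555555555554444", "exp": "03/03"},
    1303: {"owner": "carol", "name": "C. Customer", "zip": "94105",
           "card": "4012888888881881", "exp": "11/01"},
}

NOT_FOUND = "<html><body>Order not found</body></html>"


def vulnerable_order_page(order_no):
    """The flawed pattern: the full record is emitted unconditionally, and the
    only 'check' is a <script> that hides it until the right zip is typed.
    A browser that does not run the script simply renders the record."""
    order = ORDERS.get(order_no)
    if order is None:
        return NOT_FOUND
    body = (f"<div id='order'>Order {order_no}: {html.escape(order['name'])} "
            f"card={order['card']} exp={order['exp']}</div>")
    # Assumed client-side comparison: the zip 'password' is itself in the page.
    gate = ("<script>"
            "document.getElementById('order').style.display='none';"
            f"if(prompt('Enter zip')=='{order['zip']}')"
            "document.getElementById('order').style.display='';"
            "</script>")
    return f"<html><body>{body}{gate}</body></html>"


CARD_RE = re.compile(r"card=(\d{13,19})")


def view_without_javascript(page_html):
    """Model of a browser with scripting off: <script> blocks are ignored and
    whatever the server put in the body is visible. Returns a card number
    if one is present in the static markup, else None."""
    static = re.sub(r"<script>.*?</script>", "", page_html, flags=re.S)
    m = CARD_RE.search(static)
    return m.group(1) if m else None


def enumerate_orders(render, start, count):
    """Walk sequential order numbers (the 'change the URL by one digit' step)
    and record what a non-scripting client sees for each one."""
    return {n: view_without_javascript(render(n)) for n in range(start, start + count)}


def hardened_order_page(order_no, session_user):
    """Corrected pattern: authorization is decided on the server before any
    data is written to the response. Here the check binds the order to an
    authenticated session identity (an assumption for the example); a
    server-side zip check alone would still be a 100,000-value search space.
    The card number is masked in the HTML regardless, so even an authorized
    page never carries the full number."""
    order = ORDERS.get(order_no)
    if order is None or session_user is None or order["owner"] != session_user:
        return NOT_FOUND  # identical response for missing and unauthorized
    masked = "*" * (len(order["card"]) - 4) + order["card"][-4:]
    return (f"<html><body><div id='order'>Order {order_no}: "
            f"{html.escape(order['name'])} card={masked} exp={order['exp']}"
            f"</div></body></html>")


if __name__ == "__main__":
    print("vulnerable, JS off:", enumerate_orders(vulnerable_order_page, 1301, 3))
    print("hardened, no session:",
          enumerate_orders(lambda n: hardened_order_page(n, None), 1301, 3))
    print("hardened, owner view:", hardened_order_page(1301, "alice"))
```

    The point of the hardened version is not the zip code at all: the
    decision whether to emit the record is made before the HTML is built,
    so no client setting can reveal data the server never sent.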
    
    "It is conceivable that whoever designed their system has also
    designed others. I haven't looked over their site nor examined the
    code of their pages to see if they use some outside service for their
    site's management."
    
    Little said the earliest order he was able to view was No. 1301, dated
    July 2000.
    
    Little said that if he was able to figure out how to enter the
    database, chances are other people could have figured out they just
    needed to disable JavaScript, too.
    
    "(Computer HQ) was sending out the exploitable URL on every invoice
    they shipped. It would truly be a miracle if no one discovered it
    before I did."
    
    
    
    
    ISN is hosted by SecurityFocus.com