[ISN] Microsoft closes window to customer data

From: InfoSec News (isnat_private)
Date: Thu Oct 11 2001 - 04:13:59 PDT


    By Paul Festa
    Staff Writer, CNET News.com
    October 10, 2001, 11:50 a.m. PT

    Microsoft moved swiftly this week to close a security gap in its
    customer service Web site that let anyone with a browser view
    customers' sales records and other confidential information.

    The software giant had left a search database exposed without security
    protections. The address of the customer service page was unpublished,
    but by altering the numerical IP (Internet Protocol) addresses of
    known Microsoft Web sites, a security enthusiast located it and found
    himself with access to an unknown number of customer service records.

    Each exposed record included the customer's name, purchasing history,
    shipping address, billing address, phone numbers, e-mail address and
    credit card type. It did not include the actual credit card number.

    "We were notified of this, we fixed the problem, and we're reviewing
    our internal systems to make sure proper procedures are followed to
    make sure this doesn't happen again," Microsoft representative Jim
    Desler said Wednesday. "This was a case of human error, and we will
    remain vigilant in our efforts to protect customer information and
    will not accept any breakdowns or failures in this process."

    Adrian Lamo, who discovered the unprotected page, has exposed other
    embarrassing security gaffes by Internet giants. Last month, Lamo
    succeeded in breaking into Yahoo's news production tools and altering
    news stories. Prior to that, Excite@Home credited him with helping
    them shore up their customer records, which had been vulnerable to

    Lamo said Microsoft fixed the hole within an hour of notification by
    news Web site NewsBytes.

    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 09:03:24 PDT