[ISN] Comdex Attendees' Personal Data Exhibited On The Web

From: InfoSec News (isnat_private)
Date: Fri Mar 22 2002 - 00:02:53 PST

    http://www.newsbytes.com/news/02/175386.html
    
    By Brian McWilliams, Newsbytes
    LOS ANGELES, CALIFORNIA, U.S.A.,
    21 Mar 2002, 3:07 PM CST
     
    A security flaw in an online registration system for the world's
    biggest computer trade shows exposed the personal data of some users,
    Key3Media Events [NYSE:KME] officials acknowledged today.
    
    The system, accessible from the company's Web site, enables visitors
    to register online for events produced by Key3Media Events, including
    Comdex, NetWorld+Interop, Seybold Seminars and JavaOne.
     
    By slightly manipulating login data recently sent in a registration
    confirmation e-mail to some show attendees, users of the online system
    were able today to view the profiles and shopping carts of other
    users.
    
    Newsbytes confirmed that it was possible to access profiles including
    those of the senior partners of a major high-tech law firm, the
    managing partner of a large venture capital firm, and the president of
    a Midwestern manufacturing company.
    
    According to a Key3Media spokesperson, the privacy breach appears to
    be limited to "a few thousand" people who recently registered in
    person using a "legacy" system at the company's Comdex Chicago or
    Seybold New York shows.
    
    Conference attendees who registered online for the two events or other
    Key3Media shows did not appear to be affected, the representative
    said.
    
    While the flaw did not reveal attendees' financial data such as credit
    card numbers, the incident is an embarrassment for Key3Media,
    according to William Knowles, editor of InfoSec News, an online
    newsletter.
    
    "You might expect the guys running the local Corvette show to make
    this kind of mistake. But Key3Media is supposed to be a cutting-edge
    IT show group. You'd think they would know better," said Knowles, who
    discovered the privacy issue today.
    
    The confirmation e-mail sent to some conference attendees contained a
    system-generated login name and password for registering online for
    any Key3Media event.
    
    The login name was a collection of numbers and letters, while the
    password was the word "password."
    
    By sequentially changing digits in the login name and using the
    default password, it was possible today to log in to other users'
    accounts.
    
    The user profile page included the name, title, mailing address, phone
    number and e-mail address of the user, as well as information about
    the size of the user's company and his or her purchasing role.
    
    Also accessible were users' online shopping carts, which are used to
    temporarily store conference registration data. While the carts are
    used to purchase trade show passes online, the system does not store
    credit card information, Key3Media said.
    
    Key3Media officials said they have disabled logins for affected users
    and will issue them new, stronger passwords and truly random login
    names.
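The remedy Key3Media describes, random login names and stronger per-user passwords in place of a sequential identifier paired with the word "password", is illustrated below in Python. This is an added example written for this archive, not code from Key3Media or Newsbytes; every name in it (random_login_name, provision_attendee, the alphabet and length constants, the deny-list) is an assumption made for the illustration.

```python
import math
import secrets
import string

# Added illustration, not Key3Media's software: how a registration system can
# issue credentials that cannot be walked by changing one digit. Every name
# below (random_login_name, provision_attendee, ...) is hypothetical.

LOGIN_ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols
LOGIN_LENGTH = 12                                         # 36**12 possibilities
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "-_.!@"
PASSWORD_LENGTH = 16
# Constructed sample deny-list; a real deployment would use a much larger one.
WEAK_PASSWORDS = {"password", "123456", "welcome", "changeme", "comdex"}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing work for a uniformly random string of this shape."""
    return length * math.log2(alphabet_size)


def random_login_name() -> str:
    """Unpredictable login name drawn from a CSPRNG (secrets), never a counter."""
    return "".join(secrets.choice(LOGIN_ALPHABET) for _ in range(LOGIN_LENGTH))


def random_temp_password() -> str:
    """Per-user one-time password; never a shared default such as 'password'."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(PASSWORD_LENGTH))


def is_acceptable_password(candidate: str) -> bool:
    """Reject deny-listed and short values; the literal 'password' fails here."""
    return len(candidate) >= 12 and candidate.lower() not in WEAK_PASSWORDS


def differ_by_one_digit(a: str, b: str) -> bool:
    """Audit helper: True when two issued login names are identical except for
    one decimal digit, the signature of a sequential legacy scheme."""
    if len(a) != len(b):
        return False
    diffs = [(x, y) for x, y in zip(a, b) if x != y]
    return len(diffs) == 1 and diffs[0][0].isdigit() and diffs[0][1].isdigit()


def provision_attendee(attendee_record_id: str) -> dict:
    """Build the credential record that would go into a confirmation e-mail.
    The temporary password must be changed at first login, so the mailed
    value stops working once the attendee has signed in."""
    temp_password = random_temp_password()
    if not is_acceptable_password(temp_password):   # cannot happen with these
        raise RuntimeError("generated password failed policy")  # parameters; fail closed
    return {
        "attendee_record_id": attendee_record_id,  # internal id, never the login
        "login": random_login_name(),
        "temp_password": temp_password,
        "must_change_password": True,
    }


if __name__ == "__main__":
    record = provision_attendee("constructed-0001")  # constructed sample id
    print(record)
    print(f"login entropy: {entropy_bits(len(LOGIN_ALPHABET), LOGIN_LENGTH):.1f} bits")
```

The login name is drawn from the operating system's CSPRNG via the secrets module rather than incremented from a database key, so neighbouring attendees' names share nothing; differ_by_one_digit is the check an auditor would run over a batch of issued names to confirm that. The internal record id stays inside the system and is never reused as the login.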
    
    Users who register for Key3Media events at the company's Web site are
    required to set their own unique login name and specify a password,
    the company said.
    
    Key3Media Events is at http://www.key3media.com
    
    InfoSec News is at http://www.c4i.org/isn.html
    
    Reported by Newsbytes.com, http://www.newsbytes.com
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 03:39:44 PST