http://www.newsbytes.com/news/02/175386.html

By Brian McWilliams, Newsbytes

LOS ANGELES, CALIFORNIA, U.S.A., 21 Mar 2002, 3:07 PM CST

A security flaw in an online registration system for the world's biggest computer trade shows exposed the personal data of some users, Key3Media Events [NYSE:KME] officials acknowledged today.

The system, accessible from the company's Web site, enables visitors to register online for events produced by Key3Media Events, including Comdex, NetWorld+Interop, Seybold Seminars and JavaOne.

By slightly manipulating login data recently sent in a registration confirmation e-mail to some show attendees, users of the online system were able today to view the profiles and shopping carts of other users.

Newsbytes confirmed that it was possible to access profiles including those of the senior partners of a major high-tech law firm, the managing partner of a large venture capital firm, and the president of a Midwestern manufacturing company.

According to a Key3Media spokesperson, the privacy breach appears to be limited to "a few thousand" people who recently registered in person using a "legacy" system at the company's Comdex Chicago or Seybold New York shows. Conference attendees who registered online for the two events or other Key3Media shows did not appear to be affected, the representative said.

While the flaw did not reveal attendees' financial data such as credit card numbers, the incident is an embarrassment for Key3Media, according to William Knowles, editor of InfoSec News, an online newsletter.

"You might expect the guys running the local Corvette show to make this kind of mistake. But Key3Media is supposed to be a cutting-edge IT show group. You'd think they would know better," said Knowles, who discovered the privacy issue today.

The confirmation e-mail sent to some conference attendees contained a system-generated login name and password for registering online for any Key3Media event.
The login name was a collection of numbers and letters, while the password was the word "password." By sequentially changing digits in the login name and using the default password, it was possible today to log in to other users' accounts.

The user profile page included the name, title, mailing address, phone number and e-mail address of the user, as well as information about the size of the user's company and his or her purchasing role.

Also accessible were users' online shopping carts, which are used to temporarily store conference registration data. While the carts are used to purchase trade show passes online, the system does not store credit card information, Key3Media said.

Key3Media officials said they have disabled logins for affected users and will issue them new, stronger passwords and truly random login names.

Users who register for Key3Media events at the company's Web site are required to set their own unique login name and specify a password, the company said.

Key3Media Events is at http://www.key3media.com

InfoSec News is at http://www.c4i.org/isn.html

Reported by Newsbytes.com, http://www.newsbytes.com
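The failure the article describes is sequential login names shared with one default password, which lets a single client walk through neighbouring accounts. Below is an added Python example, not code from the article or from Key3Media, showing how a defender could flag that pattern in authentication logs and how unguessable credentials replace it; the log line format and the "CH" + digits login-name format are assumptions.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample auth-log lines (not from the article): time, source IP, login, result.
# The "CH" + digits login-name format is an assumption; the article only says the
# names mixed letters and digits.
SAMPLE_LOG = """\
13:01:02 198.51.100.7 CH00417 OK
13:01:09 198.51.100.7 CH00418 OK
13:01:15 198.51.100.7 CH00419 OK
13:01:21 198.51.100.7 CH00420 FAIL
13:01:27 198.51.100.7 CH00421 OK
13:05:40 203.0.113.9 CH00900 OK
13:09:12 192.0.2.44 CH00905 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+)(\d+) (OK|FAIL)$")


def find_enumerating_sources(log_text, min_accounts=3, max_gap=2):
    """Return {source: sorted numeric ids} for sources that successfully logged
    into several distinct accounts whose numeric parts run nearly consecutively.
    A real attendee touches one account; a client walking the login-name space
    with the shared default password touches a run of adjacent ids."""
    ids_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(5) == "OK":  # only successful logins expose a profile
            ids_by_src[m.group(2)].add(int(m.group(4)))
    flagged = {}
    for src, ids in ids_by_src.items():
        ordered = sorted(ids)
        if len(ordered) < min_accounts:
            continue
        if max(b - a for a, b in zip(ordered, ordered[1:])) <= max_gap:
            flagged[src] = ordered
    return flagged


def issue_credentials(name_len=12, pw_len=16):
    """What replaces sequential names plus 'password': an unguessable login name
    and a per-user random password (hypothetical helper, not Key3Media's code)."""
    alphabet = string.ascii_letters + string.digits
    login = "".join(secrets.choice(alphabet) for _ in range(name_len))
    return login, secrets.token_urlsafe(pw_len)
```

On the constructed log, only 198.51.100.7 is flagged: it reached four adjacent accounts within a minute, while the other two sources each touched one.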