[ISN] PetCo plugs credit card leak

From: InfoSec News (isnat_private)
Date: Tue Jul 01 2003 - 04:11:34 PDT

  • Next message: InfoSec News: "Re: [ISN] Expert slams outlandish hacker claims"

    http://www.theregister.co.uk/content/55/31478.html
    
    By Kevin Poulsen, 
    SecurityFocus
    30/06/2003 
    
    Pet supply retailer PetCo.com plugged a hole in its online storefront
    over the weekend that left as many as 500,000 credit card numbers open
    to anyone able to construct a specially-crafted URL.
    
    The pet site was vulnerable to the same kind of SQL injection
    vulnerability that lead to an FTC complaint against the fashion label
    Guess, in a case that settled earlier this month.
    
    Twenty-year old programmer Jeremiah Jacks discovered both holes. Jacks
    say news media interest in the Guess case prompted him to check a few
    other large e-commerce sites for similar bugs. He chose PetCo.com
    because a competing e-tailer had been vulnerable last year, "so I was
    wondering about other pet sites," says Jacks.
    
    Jacks used Google to find active server pages on PetCo.com that
    accepted customer input, then simply tried inputting SQL database
    queries into them. "It took me less than a minute to find a page that
    was vulnerable," says Jacks. "Any SQL injection hacker would be able
    to do the same thing."
    
    He says the database contained 500,000 credit card entries, and that
    he could have accessed corresponding customer names and address, as
    well as entire orders. "Everything was in there... It exposed their
    whole database," says Jacks.
    
    PetCo spokesman Shawn Underwood confirmed the hole, but would not say
    how many credit card numbers had been at risk. He added that he was
    uncertain whether customer names and other information could have been
    tied to those numbers. Under a state law that takes effect Tuesday, a
    online leak of credit card numbers with corresponding names triggers
    mandatory notification to California customers.
    
    "Now we're going though every page and making sure that everything is
    locked down," says spokesman Shawn Underwood. "Our biggest concern is
    that the problems is fixed, but we want to make sure that nobody went
    in prior to him and got this information."
    
    SecurityFocus notified PetCo of Jacks' discovery on Thursday, and the
    company immediately blocked access to the vulnerable Web page. The
    company issued a statement Sunday saying it closed the hole
    permanently, and had hired a computer security consultant to assist in
    an audit of the site. Jacks also cooperated with the company, which
    has found no evidence that anyone prior to Jacks exploited the
    vulnerability.
    
    The ease with which he located another major leak of customer data
    underscores the difficulty of securing e-commerce storefronts, which
    often run on code that's been customized, or written from scratch,
    says Jacks. "It's not something that's waiting for Microsoft to issue
    a patch, or something like that."
    
    The FTC case that settled a week and a half ago charged Guess with
    deceptive trade practices. An SQL injection vulnerability on Guess.com
    made some 200,000 credit card numbers accessible, despite assurances
    in the company's privacy policy that such data was only stored in an
    encrypted form.
    
    PetCo's privacy policy is less specific, promising only, "At PETCO.com
    our customers' data is strictly protected against any unauthorized
    access."
    
    "I'm sure we thought it was," says Underwood.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Jul 01 2003 - 06:27:00 PDT