[ISN] FTC probes PetCo.com security hole

From: InfoSec News (isn@private)
Date: Mon Dec 08 2003 - 02:28:46 PST

  • Next message: InfoSec News: "[ISN] Security experts form patch support group"

    http://www.theregister.co.uk/content/55/34379.html
    
    By Kevin Poulsen
    SecurityFocus
    Posted: 07/12/2003
    
    Pet supply retailer PetCo disclosed this week that its security and
    privacy practices are the target of an investigation by the U.S.  
    Federal Trade Commission (FTC), which is following up on an e-commerce
    security gaffe that left as many as 500,000 credit card numbers
    accessible from the Web earlier this year.
    
    In October the FTC served PetCo with a "Civil Investigative Demand"  
    seeking information and documents on how the company protects private
    customer information on the PetCo.com e-commerce site, PetCo revealed
    in its quarterly report Wednesday. "At the present time, the Company
    is unable to determine whether the FTC will initiate any enforcement
    action against the Company or the financial impact any such action
    might entail," the company wrote.
    
    The probe stems from an incident first reported by SecurityFocus last
    June, when then-20 year-old independent programmer Jeremiah Jacks
    discovered that PetCo.com suffered from an SQL injection vulnerability
    that left its database open to anyone able to construct a
    specially-crafted URL.
    
    SecurityFocus notified PetCo of Jacks' discovery, and the company
    immediately blocked access to the vulnerable Web page. The company
    worked over a weekend to close the hole permanently, and said it had
    hired a computer security consultant to assist in an audit of the
    site. Jacks also cooperated with PetCo, which said it found no
    evidence that anyone prior to Jacks exploited the hole.
    
    The PetCo probe is the second FTC investigation to be sparked by the
    young coder. In February, 2002 Jacks discovered a similar SQL
    injection hole at the website of fashion-retail Guess that exposed, at
    Jacks' count, over 200,000 credit card numbers with corresponding
    names and expiration dates.
    
    Consumer Privacy Issues
    
    Jacks, who lives and works in Orange County, California, cooperated
    with the FTC as it investigated Guess under its authority to probe
    "deceptive trade practices" -- the Guess.com privacy policy had
    claimed that credit card numbers were stored in an "unreadable,
    encrypted format at all times." The case settled last June, with Guess
    agreeing to overhaul its information security practices and promising
    not to misrepresent the extent to which it protects the security of
    customers' personal information.
    
    The Guess case was only the third time the FTC used its anti-consumer
    fraud mandate to crack down on e-commerce cybersecurity gaffes -- last
    year it won a consent decree against Eli Lilly for the inadvertent
    disclosure of the e-mail addresses of 669 Prozac users, and another
    one against Microsoft for inflated security claims about the company's
    Passport identity management service.
    
    News media interest in the Guess case prompted Jacks to check a few
    other large e-commerce sites for similar bugs, including PetCo.com, he
    said at the time. He used Google to find active server pages on
    PetCo.com that accepted customer input, then simply tried inputting
    SQL database queries into them. "It took me less than a minute to find
    a page that was vulnerable," said Jacks. "Any SQL injection hacker
    would be able to do the same thing."
    
    Jacks said the database contained 500,000 credit card entries, and
    that he could have accessed corresponding customer names and address,
    as well as entire orders. A PetCo spokesperson confirmed the hole at
    the time, but would not say how many credit card numbers had been at
    risk.
    
    In disclosing the FTC probe, the company's quarterly report doesn't
    admit to any error, only acknowledging that "a self-proclaimed hacker
    purportedly obtained unauthorized access to a portion of the Company's
    website."
    
    PetCo's privacy policy assured visitors, "At PETCO.com our customers'
    data is strictly protected against any unauthorized access."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Dec 08 2003 - 05:06:17 PST