[ISN] Business data exposed on Canada Post website

From: InfoSec News (alerts@private)
Date: Mon Dec 17 2007 - 22:02:19 PST


By Kenyon Wallace
The Globe and Mail
December 17, 2007

Login records for scores of small businesses that use Canada Post's 
business shipping website are available online as a result of a Web 
server glitch, leaving sensitive information such as names, addresses 
and shipping details vulnerable.

A Vancouver small business owner discovered the security breach last 
week while conducting a Yahoo search of his company name. The first link 
generated by Yahoo contained his username and password for Canada Post's 
Sell Online website. Only the letters "CPC" that are required to come 
before all usernames were missing.

The man then discovered that by simply changing the date in his Web 
browser address bar, he could access dozens of websites with other login 
records that disclosed usernames and attempts to enter passwords on the 
Sell Online website.

"I was absolutely shocked," said the man who spoke to the Globe and Mail 
on the condition of anonymity. "This information simply should not be in 
the public domain. Anyone with my password could have accessed customer 
shipping details and my Visa card number, which is attached to the 

Franois Legault, a spokesman for Canada Post, could not specify the root 
cause of the security breach, but said the federal agency believes the 
available "out of date" usernames and passwords pose no threat to its 
customers. Mr. Legault said the federal agency - which farms out all of 
its IT services to third parties such as Innovapost and IBM - had 
addressed the problem.

But a Yahoo search of cached websites Friday revealed more Sell Online 
usernames and login attempts.

"Obviously, we unfortunately won't be able to find and eliminate all the 
cached daily files, but over time they will expire and we're confident 
there's no risk that someone can use this information to steal 
identities," Mr. Legault said.

But an Internet law specialist said that even though the data made 
available by Canada Post show failed login attempts - incorrect 
combinations of usernames and passwords - this kind of information is a 
potential "gold mine" for those engaged in identity theft and Internet 

"People typically use the same username and the same password across 
multiple websites," said Michael Geist, a law professor at the 
University of Ottawa. "If you're a fraudster, you could use the 
information from the Canada Post records to try to crack into someone 
else's online banking or e-mail accounts. You'd be surprised the number 
of times you'd be successful."

Sell Online allows business owners to set up online stores for products, 
provide shipping quotes, and enable customers to use virtual shopping 
carts. Many mail-order businesses link their websites with the Sell 
Online website to automatically calculate shipping costs and determine 
packaging dimensions.

Karin Bull, owner of Biopaw, a Pickering, Ont.-based mail-order business 
dealing in natural pet food, recently opened an account with Sell 
Online. Ms. Bull said she was "devastated" when contacted by the Globe 
and Mail and presented with her passwords that were gleaned from the 

"These are passwords I use for other online applications like e-mail and 
banking," Ms. Bull said. "I'm definitely going to think twice about 
repeated attempts to login anywhere online again."

Scott Smith, president of NoFenders.com, a Simcoe, Ont.-based Formula 
One Racing merchandise retailer, said he couldn't believe his username 
and password were already online, especially since he had created his 
shipping profile only last Thursday.

"That's pretty scary," he said. "You really could ruin someone's 
business by logging in and changing all their shipping numbers."

The Canada Post security breach comes just two weeks after a massive 
privacy flaw was discovered on the website of another federal agency. In 
late November, a Huntsville, Ont., man was able to access social 
insurance numbers, birthdates and driver's licence numbers of those 
applying for new passports on the Passport Canada website.

"Unfortunately, this kind of thing happens all the time," said Ian 
Goldberg, an Internet security expert at the University of Waterloo.

In the case of Sell Online, it appears that a folder with client login 
attempts was inadvertently placed in a public area of the Web server, 
Prof. Goldberg said.

"This is clearly not malicious," he said. "Canada Post isn't a security 
company, it's a post office. They just made a mistake."

Visit InfoSec News

This archive was generated by hypermail 2.1.3 : Mon Dec 17 2007 - 22:15:15 PST