Tomorrow (April 20 1999) CNet's news.com should be running a story regarding various commercial and freeware shopping carts that, when installed incorrectly or when installed by amateurs, result in the possible exposure of customer information... and not just a few digits of a credit card number like Yahoo's latest goof - everything is exposed. Name, CC Numbers, home address, phone number, what they ordered, how much they paid etc etc etc.

These various shopping carts create world readable files in the web server's document tree which have subsequently been indexed by numerous search engines. (If a cold chill didn't just run down your spine, please, check your pulse.)

To access this order information you need a search engine and a little knowledge of how these various shopping carts are structured. Since some are freeware and the commercial carts have downloadable demos, this is trivial information to obtain.

This email is a heads up to system administrators and hosts. These exposed order files were found by common search engine techniques and I suspect that after this story hits, those files are going to be even more vulnerable than they already are. If your users have 3rd party shopping carts installed on your servers, please run an audit on the files they generate and maintain. Any clear-text order information available to or stored in your web server's document tree should be immediately removed or have its access restricted. This is common sense to most of us here; however, like most hosts, we don't always know what security nightmares our users have created for us and for themselves.

I am hesitant to list the shopping carts that I've found to be exposing information, for fear of giving too much information to the wanna-be thieves out there. Please contact me directly if you want specifics. The list is very short; however, about 100 exposed installations of these carts have already been found and there are undoubtedly hundreds more that I haven't found.
Some of these sites are doing a great deal of business and some are doing none at all - but all of them are exposing order information. On one site alone was enough data to allow a thief to live like a king. (Until the FBI caught up with them, that is :)

A side note: Before anyone screams about us not contacting these CGI authors - because of the sheer number of installations and the number of vendors involved, taking this to each one of them would have been prohibitive. We did have a conversation with one (fairly large) commercial vendor (who shall remain nameless) and if the response we got from them was any indication, contacting the remaining vendors would have been futile. This particular vendor couldn't see the problem we had with the software that -they themselves- had installed on behalf of our mutual client. They couldn't understand why we told them to change their software or remove it from the server, even after a long and patient explanation of a little thing called 'liability'. Their tech told me last Wednesday that their engineer would contact us to address these issues - which as of this writing hasn't happened. (Not that I expected one - we had to explain "world readable" to their rep 3 times and I'm still not sure he really understood why this was such a Bad Idea (tm).)

We also tried to get the various CC companies involved in this and to be blunt, they practically begged us to go away. This is fairly odd since they are the ones that take the financial hit if these data files are exposed. Visa Fraud's only recommendation to us was to "send a letter to the FTC and let them deal with it". Sorry, but red tape like that is best cut with the press, and they can get a much faster and more effective response from the various vendors than a modest sized ISP in Seattle can.

My apologies for the late notice... and now for the standard disclaimer: Opinions expressed here are my own and not necessarily that of my employer.

Cheers.

Joe.

--
Joe H.
Technical Support                General Support: supportat_private
Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG
http://www.blarg.net
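The audit the post asks hosts to run, written out as an added example (this is not code from the original post, from Blarg!, or from any shopping-cart vendor): it walks a document root, reports every world-readable regular file containing a Luhn-valid 13-16 digit string (the shape of a clear-text card number), and provides a stop-gap function that clears the "other" permission bits. The document-root path in the usage line, the file names and the order data used to exercise it are constructed assumptions; real cart order files will have their own layout, but the marker (a card-number-shaped digit run in a world-readable file under the web root) is the same.

```shell
#!/bin/sh
# Added example (not code from the original post or from any cart vendor):
# audit a web document root for world-readable files that hold clear-text
# order data, using Luhn-valid 13-16 digit strings as the marker for a
# card number. Paths and sample data are constructed assumptions.

# find_card_numbers FILE
#   Print "LINE:DIGITS" for every run of 13-16 digits (single spaces or
#   dashes between digits allowed) that passes the Luhn check. Prints
#   nothing for a file with no such strings.
find_card_numbers() {
    awk '
    function luhn(s,    i, d, sum, dbl) {
        sum = 0; dbl = 0
        for (i = length(s); i >= 1; i--) {
            d = substr(s, i, 1) + 0
            if (dbl) { d *= 2; if (d > 9) d -= 9 }
            sum += d; dbl = !dbl
        }
        return sum % 10 == 0
    }
    {
        rest = $0
        # take each maximal digit run, optionally separated by spaces/dashes
        while (match(rest, /[0-9]([ -]?[0-9])*/)) {
            cand = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            gsub(/[ -]/, "", cand)
            if (length(cand) >= 13 && length(cand) <= 16 && luhn(cand))
                print NR ":" cand
        }
    }' "$1"
}

# world_readable FILE -> exit status 0 if "other" has the read bit
# (8th character of the ls -l mode string is the other-read position)
world_readable() {
    case "$(ls -ld "$1")" in
        ???????r*) return 0 ;;
        *)         return 1 ;;
    esac
}

# audit_docroot DIR
#   Print the path of every world-readable regular file under DIR that
#   contains at least one Luhn-valid card-number-like string.
#   -perm -004 is the POSIX spelling of "other has read".
audit_docroot() {
    find "$1" -type f -perm -004 -print | while IFS= read -r f; do
        if [ -n "$(find_card_numbers "$f")" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# restrict_file FILE
#   Stop-gap: clear all "other" permissions so the web server no longer
#   serves the file to anonymous clients. The post's real advice is to
#   remove such files from the document tree entirely.
restrict_file() {
    chmod o-rwx "$1"
}

# Usage: sh audit_orders.sh /var/www/html   (docroot path is an assumption)
if [ "$#" -gt 0 ]; then
    audit_docroot "$1"
fi
```

Run it against each document root a host serves and review every path it prints; a hit is clear-text order data that any visitor, or any search engine crawler, can fetch. `restrict_file` only buys time, since the cart's CGI keeps writing new files with the same mode, so the cart still has to be reconfigured or removed.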
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:43:04 PDT