secureinc.com Vulnerability

From: Jason Giglio (jgiglioat_private)
Date: Sat Mar 23 2002 - 11:50:59 PST


    This is a minor vulnerability involving any e-commerce site that uses secure.secureinc.com as their credit card processing server.
    
    After order information is submitted, the server attempts to set a cookie that includes all form information, including billing and shipping name, address and phone number.  Credit card information is not included.  This information is stored in plaintext on the user's computer, without any notice, or way to opt out.
    
    Vendor notification:
    
    None: vulnerability minor, and www.secureinc.com does not have any contact information on it, or anything much for that matter.  I discovered this after placing an order with a company that uses secureinc.com as their credit card processor.
    
    Workaround:
    
    Reject this cookie from secure.secureinc.com, as it is not necessary for processing your orders.
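
Added example, not part of the original post: a check a site owner or tester could run to confirm whether a payment processor's response echoes submitted order fields into a cookie, and to drop such cookies as the workaround suggests. The cookie names, form field names and header values are constructed, since the post does not give them.

```python
from http.cookies import SimpleCookie
from urllib.parse import unquote_plus

# Constructed sample order form (hypothetical field names and values).
SUBMITTED_FORM = {
    "bill_name": "Jane Doe",
    "bill_addr": "12 Example St",
    "bill_phone": "555-0100",
    "card_number": "4111111111111111",
}

# Constructed Set-Cookie headers standing in for the processor's response.
SET_COOKIE_HEADERS = [
    "orderinfo=name%3DJane+Doe%26addr%3D12+Example+St%26phone%3D555-0100; path=/",
    "session=7f3a9c; Path=/; Secure",
]


def find_pii_cookies(form, set_cookie_headers, min_len=4):
    """Map cookie name -> form fields whose values appear in the cookie value.

    Values are URL-decoded first, because form data copied into a cookie is
    usually percent-encoded. Very short values are skipped to avoid
    accidental substring matches.
    """
    findings = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            decoded = unquote_plus(morsel.value).lower()
            leaked = sorted(
                field for field, value in form.items()
                if len(value) >= min_len and value.lower() in decoded
            )
            if leaked:
                findings[name] = leaked
    return findings


def reject_leaky_cookies(form, set_cookie_headers):
    """Return only the headers that do not carry submitted form data."""
    return [h for h in set_cookie_headers if not find_pii_cookies(form, [h])]


if __name__ == "__main__":
    print(find_pii_cookies(SUBMITTED_FORM, SET_COOKIE_HEADERS))
    print(reject_leaky_cookies(SUBMITTED_FORM, SET_COOKIE_HEADERS))
```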
    


