RealTime IT News

Shopping Carts Expose Order Data

More than 100 online stores may be exposing customer credit card numbers and other order information to anyone with a Web browser.

The security vulnerability was discovered by Joe Harris, a senior technical support staff member at Blarg Online Services, a Seattle Internet service provider.

In the process of troubleshooting a customer's online shopping cart, Harris said he discovered that the software, if improperly installed, placed order information in a world-readable log file in a directory accessible from the Web.

Harris subsequently used a search engine to discover over 130 sites that had failed to properly install their shopping cart software, and thus were exposing their order log files to outsiders.

"This is like walking down the street and finding a black Hefty bag filled with 300 credit cards, all valid," said Harris, who has posted information about the vulnerability on the Bugtraq security mailing list.

"Names, addresses, phone numbers, credit card numbers, email addresses -- it was all there. This is a nightmare."

Among the shopping cart packages Harris found to be vulnerable if improperly installed are WebStore from Extropia, a shareware shopping cart called Order Form, Seaside Enterprises EZMall 2000, QuikStore from a company by the same name, PDGSoft's PDG Shopping Cart and SoftCart from Mercantec.

InternetNews.com has confirmed Harris' report, and was able to locate and read several order log files with the help of a search engine.

One such vulnerable site is operated by a Cancun, Mexico travel agency. While the site promises that orders are secure and appears to be encrypting visitors' order data during transmission, the agency's shopping cart logs are the weak link.

Included in the site's exposed order files was one placed last Sunday by Allen Fryxell, an engineer for BF Goodrich in Chula Vista, Calif., who gave out his credit card number to reserve a snorkeling trip.

"I had a bad feeling about that order when I placed it, even though it said it was secure. But I figured that any company that's handling so many orders would take all the safeguards they need to. I guess my orders on the Internet are going to become fewer and fewer now."

Similarly, Robert Coulter, a law enforcement officer in Los Banos, Calif., said he believed his transaction was secure when he booked a diving trip through the site last Thursday.

"I was led to believe the only person viewing it would be the company involved. Obviously that's not true. I am glad about my parents staying at my residence while I am on vacation, as any thieves will now know when I will be gone."

Coulter said he has canceled his credit card and the reservation.

According to Harris of Blarg Online, at least six commercial or freeware online shopping carts, when installed improperly, can expose order information. But Harris said not to blame the software's authors.

"All of these carts could have been secured by following the instructions that came with the CGI. The reason I found all of these is because the people did not follow those guidelines," Harris said.
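The two halves of Harris' finding, a cart that writes its order log into a world-readable file under the web server's document root, and an install that keeps the log outside that root instead, can be turned into a local audit and a correct write routine. The script below is an added example and is not code from the article, from Harris' Bugtraq post or from any of the cart vendors named. The directory layout, the file names it treats as suspect, and the order record are all hypothetical (the article names no concrete paths), constructed in a temporary directory so it runs offline.

```python
"""Audit a web document root for cart order logs a browser could fetch, and
show the write pattern a correct install would use instead.

Added example: not code from the article or from any cart vendor. The layout,
file names and order record below are constructed for the demonstration.
"""
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical name fragments a cart might use for its order log. These are
# assumptions for the demonstration, not paths taken from the article.
SUSPECT_STEMS = ("order", "orders", "cart", "mall_log")
SUSPECT_SUFFIXES = (".log", ".txt", ".dat", ".db")


def looks_like_order_log(path) -> bool:
    """Name heuristic: stem mentions orders/cart and the suffix is a data file."""
    p = Path(path)
    name = p.name.lower()
    return any(s in name for s in SUSPECT_STEMS) and p.suffix.lower() in SUSPECT_SUFFIXES


def find_exposed_logs(docroot: Path) -> dict:
    """Map docroot-relative paths of suspect files to their readability.

    Anything under the document root has a URL, and a file the cart's own CGI
    wrote is readable by the server user regardless of the 'other' bits; the
    world-readable bit is reported because it is what the article describes.
    """
    found = {}
    for p in sorted(docroot.rglob("*")):
        if not p.is_file() or not looks_like_order_log(p):
            continue
        world = p.stat().st_mode & stat.S_IROTH
        found[str(p.relative_to(docroot))] = "world-readable" if world else "owner-or-group only"
    return found


def append_order_record(log_path: Path, docroot: Path, record: str) -> None:
    """Append an order record the way the instructions Harris cites intend:
    outside the document root, owner read/write only."""
    log_path = log_path.resolve()
    if docroot.resolve() in log_path.parents:
        raise ValueError(f"refusing to write order data under the web root: {log_path}")
    fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(record + "\n")
    # O_CREAT's mode is masked by umask, so pin the permissions explicitly.
    os.chmod(log_path, 0o600)


def build_demo_site(base: Path):
    """Construct a throwaway (hypothetical) layout: a cart that drops its
    order log into cgi-bin, plus a private directory outside the root."""
    docroot = base / "htdocs"
    private = base / "private"
    cart_dir = docroot / "cgi-bin" / "cart"
    cart_dir.mkdir(parents=True)
    private.mkdir()
    (docroot / "index.html").write_text("<html>store</html>\n")
    (cart_dir / "cart.cgi").write_text("#!/usr/bin/perl\n")
    (cart_dir / "cart.cgi").chmod(0o755)
    bad = cart_dir / "order.log"
    # Constructed record; the card number is a well-known test number, not a real card.
    bad.write_text("2000-01-09|A. Customer|4111111111111111|12/02\n")
    bad.chmod(0o644)  # world-readable, as in the misconfigured installs
    return docroot, private


def demo() -> dict:
    """Run the audit against the constructed site, then do the write correctly."""
    record = "2000-01-09|A. Customer|4111111111111111|12/02"
    with tempfile.TemporaryDirectory() as tmp:
        docroot, private = build_demo_site(Path(tmp))
        exposed = find_exposed_logs(docroot)
        good = private / "order.log"
        append_order_record(good, docroot, record)
        mode_ok = stat.S_IMODE(good.stat().st_mode) == 0o600
        try:  # the same write aimed under the document root must be refused
            append_order_record(docroot / "cgi-bin" / "cart" / "order.log", docroot, record)
            refused = False
        except ValueError:
            refused = True
    return {"exposed_before": exposed, "private_mode_ok": mode_ok, "refused_under_root": refused}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit is the inside-out version of what Harris did from the outside with a search engine: any file the cart writes beneath the document root can be fetched by URL, so the fix is location (a directory the web server does not serve) plus owner-only permissions, not just the transport encryption the Cancun site advertised.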

Stephen Cobb, director of research for online security firm Miora Systems Consulting, said most large shopping sites develop their own order management systems and are likely to observe proper security precautions. But he said the pressure on smaller businesses to get on the Web may make them prone to such security vulnerabilities.

"We're seeing an enormous rush to Web technology, and it's steam rollering a lot of security concerns from the people in-house who understand these issues."