The Bug That Bugged Buy.com
Page 1 of 2
Internet "superstore" buy.com was at the hub of a security flaw this week as a hole was discovered at its site that lets a user see customers' vital information -- names, addresses and phone numbers.
Buy.com confirmed that for several hours on Thursday, potentially thousands of people who had returned products to the company had their information exposed to anyone who cared to look. However, no credit card numbers were exposed.
The breach is relatively simple. Buy.com's Microsoft NT server provides customers who want to make a return with a special URL -- including a customer number -- so they can easily print a mailing label. The label includes return addresses and phone numbers.
But if someone changes the customer number in the URL, they can view other customers' return labels. Users would have to be fairly determined to harvest the information, though, because each label is served as an image file, which poses more of a challenge to an intruder than plain text would.
Ben Edelman of the Berkman Center for Internet & Society at Harvard Law School detected the problem. He said the mailing labels were in the PNG graphics file format and that someone could use optical character recognition software to extract the addresses from the images.
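As an added illustration (not code from the article, from buy.com or from UPS), the lookup pattern the article describes, beside two hardened forms: one that checks that the requested record belongs to the logged-in user, and one that replaces the guessable sequential customer number with a random, server-stored token for links that must work without a login. The record store, names and function names are constructed for this example.

```python
import secrets
from typing import Dict, Optional

# Constructed sample data: return records keyed by a sequential customer
# number, as in the article. Contents are made up for illustration.
RETURNS: Dict[int, Dict[str, str]] = {
    1001: {"owner": "alice", "label": "Alice A., 1 Main St, 555-0100"},
    1002: {"owner": "bob", "label": "Bob B., 2 Oak Ave, 555-0101"},
}


def vulnerable_label(customer_number: int) -> Optional[str]:
    """The pattern described above: whoever supplies a customer number gets
    that customer's label. Nothing ties the number to the caller, so changing
    it in the URL walks through other customers' records."""
    rec = RETURNS.get(customer_number)
    return rec["label"] if rec else None


def label_for_user(session_user: str, customer_number: int) -> Optional[str]:
    """Hardened form 1: the identifier stays in the URL, but the server
    compares the record's owner with the authenticated session before
    returning anything. Missing and not-yours get the same answer, so the
    endpoint does not reveal which numbers exist."""
    rec = RETURNS.get(customer_number)
    if rec is None or rec["owner"] != session_user:
        return None
    return rec["label"]


# Hardened form 2: for a link mailed to the customer that must work without
# a login, the sequential number is replaced by an unguessable capability
# token. The token is random, stored server-side, and not derivable from the
# customer number. (Assumed design, not the fix buy.com actually deployed.)
TOKENS: Dict[str, int] = {}


def issue_label_token(customer_number: int) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    TOKENS[token] = customer_number
    return token


def label_by_token(token: str) -> Optional[str]:
    num = TOKENS.get(token)
    return RETURNS[num]["label"] if num is not None else None
```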
Edelman told InternetNews Radio Friday that the security hazard would be obvious to most technologically savvy folks.
He also said that buy.com's weakness is in outsourcing security from different firms.
"Tying together the security systems on all of the separately-designed systems -- the package-label generator has to be tied to the order status system -- to the extent that these are coming from different consultants and different outsourcers they've got a real problem tying them together in a secure way," Edelman said.
"I guess I think that this is an example of exactly that kind of challenge gone wrong. When they don't follow through properly and don't take care of all the details, their business model of outsourcing everything makes them especially vulnerable."
Buy.com issued the following statement to InternetNews.com Friday:
"Buy.com and UPS announced that they have implemented a technical solution concerning the online returns process," buy.com said. "Buy.com and UPS were made aware that a small number of customers' names, addresses, and phone numbers were viewable on UPS electronic shipping labels for a brief period of time."
Travis Fagan, vice president of customer relationship management at buy.com, said he could not say exactly how many customers' personal data had been exposed, but said his company takes the matter very seriously.
"It's like somebody looked at a phone book and found people's names and numbers," Fagan told InternetNews.com Friday.
This is true, all things considered. While Fagan did not want to downplay the situation by saying so, he acknowledged that most security breaches are a lot worse because people's credit card numbers are often exposed.
As for Edelman's comments about working with different partners, Fagan defended buy.com's relationship with UPS.
"Where it's efficient and effective for customers, we're going to continue to partner with them," Fagan said. "They're a world-class organization."
While the mailing-label flaw on buy.com's licensed Windows NT server may not have been Microsoft's fault, the software giant also experienced its own security dilemma Thursday. InternetNews Radio, an internet.com affiliate, reported that a flaw was found in the password authentication mechanism for Windows 95, 98, and ME -- the consumer-oriented OSs.
Though consumers' systems are blanketed by a password, intruders may guess one letter of the password, unlocking the door to someone's