RealTime IT News

Password Cracker Exposes Net.Commerce Sites

IBM's Net.Commerce software was under renewed attack Wednesday, with the release by a hacking group in Denmark of a tool that can crack encrypted administrator passwords on some versions of the popular online storefront package.

When combined with a recently reported security flaw in the macros function in Net.Commerce version 4.1 and version 3.1 as well as earlier versions, the password cracker could give attackers the ability to log in as an administrator of a Net.Commerce storefront and access customer data, potentially including credit cards.

InternetNews has confirmed that the tool functions as described. In a quick scan Tuesday, nearly a dozen vulnerable sites were easily identified using a search engine, among them a leading bicycle manufacturer, the online ticket office of a major university, a leading automotive parts retailer, and two national jewelry retailers. In each case, the tool was able to convert encrypted administrative passwords into clear text.

One of the vulnerable Net.Commerce sites prominently displays a logo designating it as a legitimate Verisign Secure Site. Another graphic assures shoppers that the site is an AOL Certified Merchant.

The new tool, which was posted on the web this week, exploits the fact that Net.Commerce encrypts passwords with a fixed key. While this key can be changed when the package is installed, many sites use the default key. In an email to InternetNews, the author of the tool, who uses the hacker handle xor37h, said he found the key hardcoded in the Net.Commerce application executable while debugging the program.

Last month, a security consultant in Austria discovered that a flaw in the Net.Data macro function of older versions of Net.Commerce allows unauthorized users to enter random SQL commands into a store's database. With this ability, an attacker could upload and download files, issue operating system commands, and extract any information from the site's database, including customer records and credit cards. Also accessible are the account names and encrypted passwords of the Net.Commerce administrators.

After InternetNews reported on the macros vulnerability last month, IBM posted a notice at its site about the issue and advised Net.Commerce customers to take action "to eliminate possible security exposures" by properly coding macros. According to spokesperson Nancy Riley, the company also directly contacted Net.Commerce accounts by email, but many sites appear not to have heeded the notice.

"It's a matter of getting to the right person who is responsible for keeping the code current, and then getting them to do it. We can only provide them with the information -- we can't make them do it," said Riley.

IBM is currently shipping version 5.1 of the software, which has been rebranded the WebSphere Commerce Suite, but hundreds of sites still use older, vulnerable releases.

At news time Wednesday, more than 1,600 people had visited the site with the password cracking tool, according to a counter on the site's homepage.