Password Cracker Exposes Net.Commerce Sites

IBM’s Net.Commerce software was under renewed attack Wednesday, with the
release by a hacking group in Denmark of a tool that can crack encrypted
administrator passwords on some versions of the popular online storefront
package.


When combined with a recently reported security flaw in the macros function in Net.Commerce version 4.1
and version 3.1 as well as earlier versions, the password cracker could give attackers the
ability to log in as an administrator of a Net.Commerce storefront and
access customer data, potentially including credit cards.


InternetNews has confirmed that the tool functions as described. In a quick
scan Tuesday, nearly a dozen vulnerable sites were easily identified using a
search engine, among them a leading bicycle manufacturer, the online ticket
office of a major university, a leading automotive parts retailer, and two
national jewelry retailers. In each case, the tool was able to convert
encrypted administrative passwords into clear text.


One of the vulnerable Net.Commerce sites prominently displays a logo
designating it as a legitimate Verisign Secure Site. Another graphic assures
shoppers that the site is an AOL Certified Merchant.


The new tool, which was posted on the web this week, exploits the fact that
Net.Commerce encrypts passwords with a fixed key. While this key can be
changed when the package is installed, many sites use the default key. In an
email to InternetNews, the author of the tool, who uses the hacker handle
xor37h, said he found the key hardcoded in the Net.Commerce application
executable while debugging the program.


Last month, a security consultant in Austria discovered that a flaw in the
Net.Data macro function of older versions of Net.Commerce allows
unauthorized users to enter random SQL commands into a store’s database.
With this ability, an attacker could upload and download files, issue
operating system commands, and extract any information from the site’s
database, including customer records and credit cards. Also accessible are
the account names and encrypted passwords of the Net.Commerce
administrators.


After InternetNews reported on the macros vulnerability last month, IBM posted a notice at its site about the issue and advised Net.Commerce
customers to take action “to eliminate possible security exposures” by
properly coding macros. According to spokesperson Nancy Riley, the company
also directly contacted Net.Commerce accounts by email, but many sites
appear not to have heeded the notice.


“It’s a matter of getting to the right person who is responsible for keeping
the code current, and then getting them to do it. We can only provide them
with the information — we can’t make them do it,” said Riley.


IBM is currently shipping version 5.1 of the software, which has been
rebranded the WebSphere Commerce Suite, but hundreds of sites still use
older, vulnerable releases.


At news time Wednesday, more than 1,600 people had visited the site with the
password cracking tool, according to a counter on the site’s homepage.

News Around the Web