More than 100 online stores may be exposing customer credit card numbers
and other order information to anyone with a Web browser.
The security vulnerability was discovered by Joe Harris, a senior technical
support staff member at Blarg Online Services, a Seattle Internet service
provider.
In the process of troubleshooting a customer’s online shopping cart, Harris
said he discovered that the software, if improperly installed, placed order
information in a world-readable log file in a directory accessible from the
Web.
Harris subsequently used a search engine to discover over 130 sites which
had failed to properly install their shopping cart software, and thus were
exposing their order log files to outsiders.
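The flaw the article describes is a deployment mistake rather than a code bug: the cart writes its order log inside the web server's document root with world-readable permissions, so the file is served like any other page. The following script is an added example (not code from the article or from any of the cart vendors named in it) that a site operator could run to audit a document root for that condition and to check that a configured log path resolves to a location the server will not serve. The file-name patterns, the sample document root and the sample order record are all constructed for the demonstration.

```python
"""Audit a web document root for order/log files that a misconfigured
shopping cart may have left where the web server can serve them.

Added example; the suspicious-name heuristics are assumptions, not taken
from any product's installation instructions.
"""
import stat
import tempfile
from pathlib import Path

# Heuristics for files that typically hold order records or cart logs.
SUSPICIOUS_SUFFIXES = (".log", ".txt", ".dat", ".db")
SUSPICIOUS_NAME_PARTS = ("order", "log", "cart", "customer")


def is_world_readable(path: Path) -> bool:
    """True when the 'other' read bit is set on the file."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def audit_docroot(docroot) -> list:
    """Walk the document root and report files that look like order logs.

    Each finding records the path relative to the docroot (POSIX form) and
    whether the file is world-readable. Anything under the docroot is
    reachable by URL regardless of permissions if the server runs as a user
    that can read it, so both facts are reported.
    """
    docroot = Path(docroot)
    findings = []
    for p in docroot.rglob("*"):
        if not p.is_file():
            continue
        name = p.name.lower()
        looks_like_log = p.suffix.lower() in SUSPICIOUS_SUFFIXES and any(
            part in name for part in SUSPICIOUS_NAME_PARTS
        )
        if looks_like_log:
            findings.append(
                {
                    "path": p.relative_to(docroot).as_posix(),
                    "world_readable": is_world_readable(p),
                }
            )
    return findings


def is_safe_log_location(log_path, docroot) -> bool:
    """True when log_path resolves to somewhere outside the document root.

    Paths are resolved first so that symlinks and '..' segments cannot make
    a location inside the docroot look like it is outside.
    """
    log_path = Path(log_path).resolve()
    docroot = Path(docroot).resolve()
    try:
        log_path.relative_to(docroot)
    except ValueError:
        return True  # not under the docroot: the web server cannot serve it
    return False


def build_demo_docroot() -> Path:
    """Construct a throwaway document root that mimics a bad install.

    The order record written here is constructed sample text, not real data.
    """
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    cgi = root / "cgi-bin"
    cgi.mkdir()
    log = cgi / "orders.log"
    log.write_text("constructed sample order record, no real data\n")
    log.chmod(0o644)  # world-readable, the misconfiguration described above
    (root / "index.html").write_text("<html>shop</html>\n")
    return root


if __name__ == "__main__":
    root = build_demo_docroot()
    for finding in audit_docroot(root):
        print(f"exposed: {finding['path']} world_readable={finding['world_readable']}")
    print("log under docroot is safe:", is_safe_log_location(root / "cgi-bin" / "orders.log", root))
    print("log in /var/log is safe:", is_safe_log_location("/var/log/cart/orders.log", root))
```

Run as a script it reports `cgi-bin/orders.log` as exposed and shows that the same file name kept under `/var/log/cart/` would pass the location check. The two checks are complementary: moving the log outside the docroot is the fix the cart documentation calls for, and the permission bit is a second line of defence for hosts where the log cannot be moved.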
“This is like walking down the street and finding a black Hefty bag filled
with 300 credit cards, all valid,” said Harris, who has posted information
about the vulnerability on the Bugtraq security mailing list.
“Names, addresses, phone numbers, credit card numbers, email addresses — it
was all there. This is a nightmare.”
Among the shopping cart packages Harris found to be vulnerable if improperly installed are WebStore from Extropia, a shareware shopping cart called Order Form, Seaside Enterprises EZMall 2000, QuikStore from a
company by the same name, PDGSoft’s PDG Shopping Cart and SoftCart from Mercantec.
InternetNews.com has confirmed Harris’ report, and was able to locate and read
several order log files with the help of a search engine.
One such vulnerable site is operated by a Cancun, Mexico travel agency.
While the site promises that orders are secure and appears to encrypt
visitors’ order data during transmission, the agency’s shopping cart logs
are the weak link.
Included in the site’s exposed order files was one placed last Sunday by
Allen Fryxell, an engineer for BF Goodrich in Chula Vista, Calif., who gave out
his credit card number to reserve a snorkeling trip.
“I had a bad feeling about that order when I placed it, even though it said
it was secure. But I figured that any company that’s handling so many
orders would take all the safeguards they need to. I guess my orders on
the Internet are going to become fewer and fewer now.”
Similarly, Robert Coulter, a law enforcement officer in Los Banos, Calif., said
he believed his transaction was secure when he booked a diving trip through
the site last Thursday.
“I was led to believe the only person viewing it would be the company
involved. Obviously that’s not true. I am glad about my parents staying at
my residence while I am on vacation, as any thieves will now know when I
will be gone.”
Coulter said he has canceled his credit card and the reservation.
According to Harris of Blarg Online, at least six commercial or freeware
online shopping carts, when installed improperly, can expose order
information. But Harris said not to blame the software’s authors.
“All of these carts could have been secured by following the instructions
that came with the CGI. The reason I found all of these is because the
people did not follow those guidelines,” Harris said.
Stephen Cobb, director of research for online security firm Miora Systems
Consulting, said most large shopping sites develop their own order
management systems and are likely to observe proper security precautions.
But he said the pressure on smaller businesses to get on the Web may make them prone to such security vulnerabilities.
“We’re seeing an enormous rush to Web technology, and it’s steam rollering
a lot of security concerns from the people in-house who understand these
issues.”