The Bug That Bugged Buy.com

Internet “superstore” buy.com was at the hub of a security flaw this week as
a hole was discovered at its site that lets a user see customers’ vital
information — names, addresses and phone numbers.


Buy.com confirmed that for several hours on Thursday, as many as thousands
of people who returned products to the company had their information exposed
to those who may have wanted it. However, no credit card numbers were
exposed.

The breach is relatively simple. Buy.com’s Microsoft NT server provides
customers who want to make a return with a special URL — including a
customer number — so they can easily print a mailing label. The label
includes return addresses and phone numbers.


But if someone changes the customer number in the URL, they may view other
return labels. However, users would have to be pretty determined to access
the info because each label is saved as an image file, which poses more of a
challenge to questing intruders.
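The hole described above is a missing object-level authorization check: the customer number in the URL is the only thing selecting the label. The following is an added Python example, not buy.com's or UPS's code, contrasting a lookup that trusts the URL's customer number with two hardened forms: a session ownership check, and an HMAC-bound token for links that must work without a login. The label store, names and customer numbers are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed sample data standing in for a return-label store
# (hypothetical; the real system and its identifiers are not on the page).
RETURN_LABELS = {
    1001: "Alice Example, 1 Main St, Springfield, 555-0101",
    1002: "Bob Sample, 2 Oak Ave, Shelbyville, 555-0102",
}

class Forbidden(Exception):
    """Raised when a caller asks for a label that is not theirs."""

def label_vulnerable(customer_number: int) -> str:
    """Mirrors the flaw in the article: the customer number from the URL
    is the only selector, so any other customer's label is served."""
    return RETURN_LABELS[customer_number]

def label_hardened(session_customer: int, customer_number: int) -> str:
    """Object-level authorization: the requested label must belong to the
    logged-in customer, whatever number appears in the URL."""
    if session_customer != customer_number:
        raise Forbidden("label does not belong to this session")
    return RETURN_LABELS[customer_number]

# For links that must work without a login (e.g. a URL sent by e-mail):
# bind the customer number to an HMAC so the URL cannot be edited by hand.
SERVER_KEY = secrets.token_bytes(32)  # in practice a persisted server secret

def make_label_token(customer_number: int, key: bytes = SERVER_KEY) -> str:
    """Issue '<number>.<mac>'; only the server can mint a valid pair."""
    mac = hmac.new(key, str(customer_number).encode(), hashlib.sha256).hexdigest()
    return f"{customer_number}.{mac}"

def label_from_token(token: str, key: bytes = SERVER_KEY) -> str:
    """Recompute the MAC and compare in constant time before serving;
    a customer number with an edited or missing MAC is rejected."""
    number_str, _, mac = token.partition(".")
    if not number_str.isdigit():
        raise Forbidden("malformed token")
    expected = hmac.new(key, number_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise Forbidden("token does not verify")
    return RETURN_LABELS[int(number_str)]
```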


Buy.com said it had patched the problem by 7 p.m. Thursday.


Ben Edelman of the Berkman Center for Internet & Society at Harvard Law
School detected the problem. He said the mailing labels were in the PNG
graphics file format and that someone could use optical character
recognition software to strip the addresses out of the images.


Edelman told InternetNews Radio Friday that the security hazard would be obvious to most technologically savvy folks.


He also said that buy.com’s weakness lies in outsourcing security to
different firms.


“Tying together the security systems on all of the separately-designed
systems — the package-label generator has to be tied to the order status
system — to the extent that these are coming from different consultants and
different outsourcers they’ve got a real problem tying them together in a
secure way,” Edelman said.


“I guess I think that this is an example of exactly that kind of challenge
gone wrong. When they don’t follow through properly and don’t take care of
all the details, their business model of outsourcing everything makes them
especially vulnerable.”


Buy.com issued the following statement to InternetNews.com Friday:


“Buy.com and UPS announced that they have implemented a technical solution concerning the online returns process,” buy.com said. “Buy.com and UPS were made aware that a small number of customers’ names, addresses, and phone numbers were viewable on UPS electronic shipping labels for a brief period of time.”


Travis Fagan, vice president of customer relationship management at buy.com, said he could not put a finger on exactly how many customers’ personal data was left open, but said his company takes it very seriously.


“It’s like somebody looked at a phone book and found people’s names and numbers,” Fagan told InternetNews.com Friday.


This is true, all things considered. While Fagan doesn’t want to downplay the situation by saying that, he recognized that most security breaches are a lot worse because people’s credit card numbers are often exposed.


As for Edelman’s comments about working with different partners, Fagan defended buy.com’s relationship with UPS.


“Where it’s efficient and effective for customers, we’re going to continue to partner with them,” Fagan said. “They’re a world-class organization.”


While the mailing-label hole on buy.com’s licensed Windows NT server may not
have been Microsoft’s fault, the software giant also experienced its own
security dilemma Thursday. InternetNews Radio, an internet.com affiliate,
reported that a flaw was found in the password authentication mechanism
for Windows 95, 98, and ME — the consumer-oriented OSs.


Though consumers’ systems are blanketed by a password, intruders may guess
one letter of the password at a time, unlocking the door to someone’s files.


Discovered by Beijing’s Network Security Focus, the bug does not affect
Windows NT or 2000. A patch has been created for the hole for 98 and ME,
with one for 95 coming soon, according to Microsoft.
