Bugtraq mailing list archives
Shopping Carts exposing CC data
From: joe () GONZO BLARG NET (Joe)
Date: Mon, 19 Apr 1999 20:05:18 -0700
Tomorrow (April 20 1999) CNet's news.com should be running a story regarding various commercial and freeware shopping carts that, when installed incorrectly or when installed by amateurs, result in the possible exposure of customer information... and not just a few digits of a credit card number like Yahoo's latest goof - everything is exposed. Name, CC numbers, home address, phone number, what they ordered, how much they paid etc etc etc.

These various shopping carts create world readable files in the web server's document tree which have subsequently been indexed by numerous search engines. (If a cold chill didn't just run down your spine, please, check your pulse.)

To access this order information you need a search engine and a little knowledge of how these various shopping carts are structured. Since some are freeware and the commercial carts have downloadable demos, this is trivial information to obtain.

This email is a heads up to system administrators and hosts. These exposed order files were found by common search engine techniques and I suspect that after this story hits, those files are going to be even more vulnerable than they already are. If your users have 3rd party shopping carts installed on your servers, please run an audit on the files they generate and maintain. Any clear-text order information available to or stored in your web server's document tree should be immediately removed or have its access restricted. This is common sense to most of us here; however, like most hosts, we don't always know what security nightmares our users have created for us and for themselves.

I am hesitant to list the shopping carts that I've found to be exposing information, for fear of giving too much information to the wanna-be thieves out there. Please contact me directly if you want specifics. The list is very short; however, about 100 exposed installations of these carts have already been found and there are undoubtedly hundreds more that I haven't found.
Some of these sites are doing a great deal of business and some are doing none at all - but all of them are exposing order information. On one site alone was enough data to allow a thief to live like a king. (Until the FBI caught up with them, that is. :)

A side note: Before anyone screams about us not contacting these CGI authors - because of the sheer number of installations and the number of vendors involved, taking this to each one of them would have been prohibitive. We did have a conversation with one (fairly large) commercial vendor (who shall remain nameless) and if the response we got from them was any indication, contacting the remaining vendors would have been futile. This particular vendor couldn't see the problem we had with the software that -they themselves- had installed on behalf of our mutual client. They couldn't understand why we told them to change their software or remove it from the server, even after a long and patient explanation of a little thing called 'liability'. Their tech told me last Wednesday that their engineer would contact us to address these issues - which as of this writing hasn't happened. (Not that I expected one - we had to explain "world readable" to their rep 3 times and I'm still not sure he really understood why this was such a Bad Idea (tm).)

We also tried to get the various CC companies involved in this and, to be blunt, they practically begged us to go away. This is fairly odd since they are the ones that take the financial hit if these data files are exposed. Visa Fraud's only recommendation to us was to "send a letter to the FTC and let them deal with it". Sorry, but red tape like that is best cut with the press, and they can get a much faster and more effective response from the various vendors than a modest sized ISP in Seattle can.

My apologies for the late notice... and now for the standard disclaimer: Opinions expressed here are my own and not necessarily that of my employer.

Cheers.
Joe.

--
Joe H.
Technical Support
General Support: support () blarg net
Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG
http://www.blarg.net
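The audit the post asks hosts to run, as an added example that is not from the post or from any cart vendor. It assumes a Unix host where a cart writes order files somewhere under the document root: it walks the tree, reports only files whose mode bits grant "other" read access, and applies a Luhn check so that order numbers and similar digit runs are not reported. The sample tree, its cart layout and the card numbers in it are constructed test values.

```python
import os
import re
import stat
import tempfile

# Digit runs of 13-16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects order numbers and other digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def contains_card_number(text: str) -> bool:
    return any(luhn_ok(re.sub(r"[ -]", "", m.group(0))) for m in CARD_RE.finditer(text))


def audit_docroot(root: str) -> list:
    """Return [(relative path, mode)] for each world-readable file under root holding a Luhn-valid number."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if not st.st_mode & stat.S_IROTH:  # 'other' has no read bit: not the exposure in question
                continue
            with open(path, errors="replace") as fh:
                if contains_card_number(fh.read()):
                    findings.append((os.path.relpath(path, root), f"{stat.S_IMODE(st.st_mode):04o}"))
    return sorted(findings)


def build_sample_docroot() -> str:
    """Constructed sample tree (hypothetical cart layout): one world-readable order file,
    one order file already restricted to its owner, and a page with a non-card digit run."""
    root = tempfile.mkdtemp(prefix="docroot-")
    samples = {
        "cgi-bin/cart/orders/order_0001.txt": ("Name: A. Customer\nCard: 4111 1111 1111 1111\nTotal: 42.00\n", 0o644),
        "cgi-bin/cart/orders/order_0002.txt": ("Name: B. Customer\nCard: 5500000000000004\n", 0o600),
        "index.html": ("<p>Order 1234567890123 shipped</p>\n", 0o644),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # set explicitly so the umask does not decide the outcome
    return root
```

Each reported path is a candidate for `chmod o-r` at minimum and, better, for moving the cart's data directory outside the document tree altogether.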