Politech mailing list archives
FC: Backdoor in e-commerce site software exposes credit card numbers
From: Declan McCullagh <declan () well com>
Date: Thu, 27 Apr 2000 14:42:45 -0400
http://www.wired.com/news/politics/0,1283,35954,00.html

Backdoor Exposes Credit Cards
by Declan McCullagh (declan () wired com)
8:00 a.m. Apr. 27, 2000 PDT

Thousands of credit card numbers stored on e-commerce websites are available to anyone with a backdoor password, a British consulting firm has discovered.

Cerberus Information Security said on Thursday it found a secret password that allows someone connecting to a website running "Cart32" shopping cart software to gain access to the server.

McMurtrey-Whitaker, the Springfield, Missouri firm that sells Cart32, confirmed the backdoor -- which can reveal such data as credit card numbers, order information, and shipping addresses -- and said they would distribute a repaired version of the program next week.

Hundreds of small-to-medium websites, including Jazzworld.com, MusicWorld CD, ComputerShop.com, Wirelesstoys.com, and ChocolateVault.com, use Cart32 shopping software, which runs on Windows 95 and Windows NT machines.

"We've been notified of it," said Matt Humes, a technical support representative at McMurtrey-Whitaker.

Right now, Cart32 administrators can edit the executable file and manually delete the password to close the security hole. "By Monday [or] Tuesday, there's going to be a much easier fix to make everything completely secure," Humes said.

Larger firms like Amazon and CDNow tend to use custom shopping cart software. Smaller ones turn to programs like Cart32, or competitors like WebGenie Software's shopping cart, Open Market's ShopSite, or Mercantec's SoftCart.

The Cart32 password, "wemilo," could have been inserted by a malicious McMurtrey-Whitaker employee who hoped to steal credit card numbers, or the firm could intentionally have enabled it so their technical support staff could fix customers' problems from afar.

[...]
--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
--------------------------------------------------------------------------