Bugtraq mailing list archives

Team Asylum: Online renewal sites susceptible to spammer "harvesting"


From: "Mailer" <security () team-asylum com>
Date: Wed, 27 Mar 2002 23:11:20 -0500

Team Asylum Security
Copyright (c) 2002 By Team Asylum, Inc.
http://www.team-asylum.com
Source: Don Sausa [don () team-asylum com]
Alert Date: 02/04/2002
Release Date: 03/26/2002

Summary
-------
Several magazines that have online renewal sites are vulnerable to having
their mailing list compromised.

Affected
--------
InfoWorld, VARBusiness, and other magazines that have online renewal sites are
vulnerable.  A company called Bellevue Data Communications administers the
majority of these online renewal systems.

Alert Description
-----------------
All customers are assigned subscription IDs.  These subscription IDs, or codes,
are usually 9 to 10 digits long.  Each subscription ID represents a customer
record.  On the renewal systems of many companies, customer information can be
pulled up simply by entering a subscription ID.  Personal information such as
e-mail addresses and postal mailing addresses can be compromised.  Furthermore,
because the ID is the only credential asked for, the renewal forms are
susceptible to brute-force attacks.

Fixes
-----
1. Stop brute force attacks.  Don't give unlimited guesses.
2. Use additional authentication such as username and password, or e-mail
address before revealing contact information.
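As an added illustration of the two fixes above (not code from the advisory or from any vendor named in it), the following sketch of a renewal lookup releases a record only when the subscription ID and the e-mail address on file both match, and counts wrong guesses per client so that an unlimited stream of ID guesses is cut off. The records, client labels, and the attempt budget are hypothetical.

```python
# Illustrative renewal lookup with (1) per-client attempt limiting and
# (2) a second factor (e-mail on file) before any contact details are shown.
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample records; the advisory says real IDs are 9-10 digits long.
SUBSCRIBERS = {
    "1234567890": {"name": "A. Reader", "email": "reader@example.com",
                   "address": "1 Main St, Springfield"},
    "9876543210": {"name": "B. Subscriber", "email": "b@example.org",
                   "address": "22 Oak Ave, Shelbyville"},
}

MAX_FAILURES = 5  # hypothetical budget of wrong guesses before a client is locked out


@dataclass
class RenewalLookup:
    records: Dict[str, dict]
    max_failures: int = MAX_FAILURES
    failures: Dict[str, int] = field(default_factory=dict)

    def lookup(self, client: str, sub_id: str, email: str) -> Tuple[str, Optional[dict]]:
        """Return (status, record).  The record is released only when the ID
        *and* the e-mail on file match; every wrong guess counts against the
        client, and a locked client gets nothing back."""
        if self.failures.get(client, 0) >= self.max_failures:
            return ("locked", None)
        rec = self.records.get(sub_id)
        # Compare against an empty string when the ID is unknown, so "no such
        # ID" and "wrong e-mail" take the same path and return the same answer.
        on_file = rec["email"].lower() if rec else ""
        supplied = email.strip().lower()
        ok = hmac.compare_digest(on_file.encode(), supplied.encode()) and rec is not None
        if not ok:
            self.failures[client] = self.failures.get(client, 0) + 1
            return ("denied", None)
        self.failures.pop(client, None)  # a correct lookup clears the counter
        return ("ok", rec)
```

With only the ID supplied, as the affected sites accepted, the lookup is denied; five wrong guesses from one client lock that client out of further lookups.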

Vendor Alerts
-------------
The problem was discovered on February 4th, 2002.  E-mails were sent to the
editors (among other contacts) on February 5th, 2002 with proposed fixes and
solutions to the problem.  As of March 26th, 2002, no action has been taken.
