Full Disclosure mailing list archives
Chapters/Indigo Website Personal Information Leak
From: "Eric Paynter" <eric () arcticbears com>
Date: Wed, 7 Jul 2004 15:26:33 -0700 (PDT)
I. SUMMARY

The Chapters/Indigo website (http://www.chapters.indigo.ca/) is vulnerable to user name guessing at the login screen and to personal information leaks (name and address) in the Wish List function.

II. BACKGROUND

Chapters/Indigo is the largest book vendor in Canada, with over C$800M in annual revenue in the 12 months ending April 2004. The www.chapters.indigo.ca website offers books, CDs, DVDs, videos, and a variety of gifts and jewelry for sale over the Internet.

III. IMPACT

Determining a matching user name and password is very difficult. However, guessing one or the other on its own is several orders of magnitude easier. The system allows an attacker to work first at collecting valid user names, and then to attempt to guess passwords for those names. Once a valid combination is found, the attacker has full access to the user's account and can order items, have them shipped to alternate overseas addresses, steal credit card information, etc.

A wish list is keyed to an email address. If an attacker knows a user's email address, they can use the wish list to determine the user's full name and address. There is no warning that the website will give out this information to arbitrary third parties. In fact, when users enter their personal information, they are repeatedly assured that it will be kept secure.

IV. VENDOR NOTIFICATION

Chapters/Indigo was originally notified in November 2003. There was some discussion via email in an attempt to convince them that this was not simply a user error. After several exchanges, they still would not acknowledge that there was a problem, but they did indicate that management had been informed of the situation and that the website would be updated to be more "user friendly". As of July 6, 2004, the problems still exist.

V. SAMPLE EXPLOITS

1. User Name Leak in Login Screen

User names at www.chapters.indigo.ca are based on email addresses. At the login page, entering a valid email address with an invalid password produces the error "the password entered is not correct". Entering an invalid email address with some random (non-blank) password produces the error "the e-mail address provided cannot be found".

2. Personal Information Leak in Wish List Function

Equipped with a list of valid user names, an attacker may be able to obtain additional personal information about users. If a user has created a Wish List, anybody can view it simply by entering the user's email address. The wish list not only displays the user's list of desired products; it also allows anybody to purchase those products for the user. If an item is selected from the Wish List and the attacker proceeds to "check out", the website displays the user's full name and address as confirmation of the shipping destination. This is *not* the name and address from the attacker's profile. It is the name and address of the Wish List owner, obtained simply by knowing the user's email address.

VI. WORKAROUNDS

1. User Name Leak in Login Screen

Find a new online retailer for your books etc.

2. Personal Information Leak in Wish List Function

Remove the shipping address from the wish list. This can be done by following the "manage wish list" link. The default is to present the user's last used shipping information, but this can be overridden to any arbitrary address, including null.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
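The following Python example is added here as an illustration of the two weaknesses in the advisory above; it is not code from the advisory or from Chapters/Indigo, and the account store, wish list, addresses, log records and response strings are all constructed for the demo. It contrasts a login handler that returns the two distinguishable error messages quoted in the advisory with one that returns a single generic message and does the same amount of work whether or not the e-mail is registered; a wish-list checkout confirmation that shows the owner's name and address to the buyer beside one that keeps the address server-side; and a small check over failed-login records that flags a client whose failures span many distinct e-mail addresses, which is the pattern user name guessing leaves behind.

```python
"""Added example (not Chapters/Indigo code): login user name leak and
wish-list address leak, each beside a hardened version, plus a simple
enumeration detector. Every account, address and log line is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a failed guess costs real work; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account store: e-mail -> (salt, password hash).
_SALT = os.urandom(16)
ACCOUNTS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential so unknown users still cost exactly one hash computation.
_DUMMY = (b"dummy-salt", _hash("dummy", b"dummy-salt"))


def login_vulnerable(email: str, password: str):
    """Mirrors the advisory: two different error strings, so the response
    alone tells the caller whether the e-mail is a registered user name."""
    if email not in ACCOUNTS:
        return (False, "the e-mail address provided cannot be found")
    salt, stored = ACCOUNTS[email]
    if _hash(password, salt) != stored:
        return (False, "the password entered is not correct")
    return (True, "ok")


def login_hardened(email: str, password: str):
    """One generic message for both failures, one PBKDF2 run and a
    constant-time compare in every case, so neither the text nor the
    timing distinguishes an unknown user from a wrong password."""
    salt, stored = ACCOUNTS.get(email, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and email in ACCOUNTS
    return (ok, "ok" if ok else "the e-mail address or password is incorrect")


@dataclass
class Address:
    name: str
    street: str
    city: str


# Constructed wish list keyed by the owner's e-mail, as in the advisory.
WISH_LISTS = {
    "alice@example.com": {
        "items": ["Example Book"],
        "ship_to": Address("Alice Example", "12 Elm St", "Toronto"),
    }
}


def checkout_confirmation_vulnerable(owner_email: str, buyer_email: str) -> str:
    """Shows the owner's full name and address to whoever buys from the list."""
    a = WISH_LISTS[owner_email]["ship_to"]
    return f"Shipping to: {a.name}, {a.street}, {a.city}"


def checkout_confirmation_hardened(owner_email: str, buyer_email: str) -> str:
    """The address never leaves the server for a third-party buyer; only the
    owner checking out against their own list sees the full details."""
    if buyer_email == owner_email:
        a = WISH_LISTS[owner_email]["ship_to"]
        return f"Shipping to: {a.name}, {a.street}, {a.city}"
    return f"Shipping to the saved address on the wish list for {owner_email}"


# Constructed failed-login records: client ip, e-mail tried, outcome.
FAILED_LOGINS = [
    "203.0.113.5 bob@example.com not_found",
    "203.0.113.5 carol@example.com not_found",
    "203.0.113.5 dave@example.com not_found",
    "203.0.113.5 alice@example.com bad_password",
    "198.51.100.7 alice@example.com bad_password",
]


def enumerating_clients(records, threshold: int = 3):
    """Flag clients whose failures span at least `threshold` distinct e-mails:
    a genuine user mistypes one password, an enumerator cycles through names."""
    seen = {}
    for line in records:
        ip, email, _outcome = line.split()
        seen.setdefault(ip, set()).add(email)
    return sorted(ip for ip, emails in seen.items() if len(emails) >= threshold)


if __name__ == "__main__":
    print(login_vulnerable("nobody@example.com", "x"))
    print(login_hardened("nobody@example.com", "x"))
    print(checkout_confirmation_hardened("alice@example.com", "mallory@example.com"))
    print(enumerating_clients(FAILED_LOGINS))
```

The hardened login deliberately looks up a dummy credential for unknown users so that the hash computation always runs; the generic message alone would still leave a timing difference if the unknown-user branch returned early. The detector is intentionally crude (distinct e-mails per client IP over a window of records); in production the same idea would be keyed on whatever client identity the site has and tuned against normal failure rates.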
Current thread:
- Chapters/Indigo Website Personal Information Leak Eric Paynter (Jul 07)
- Re: Chapters/Indigo Website Personal Information Leak Eric Paynter (Jul 09)