Information Security News mailing list archives

Eve.com scrambles to assess security breach


From: InfoSec News <isn () C4I ORG>
Date: Thu, 14 Sep 2000 10:44:01 -0500

http://news.cnet.com/news/0-1007-200-2770505.html?tag=st.ne.1007.thed.ni

By Troy Wolverton and Stefanie Olsen
Staff Writers, CNET News.com
September 13, 2000, 5:20 p.m. PT

Eve.com today temporarily shut down its Web site after a security
breach exposed customer order information on thousands of orders
dating back to last year.

Discovered by San Francisco Bay Area software developer Jonathan Khoo,
the breach allowed customers to view other people's orders by simply
changing a number in the URL. The breach exposed customers' names and
addresses, products and the dates on which they were ordered, the
types of credit cards customers used, and the last five digits of the
cards' numbers.

"You'd think they would check to see if each page was an order you
placed as opposed to anyone else's order," Khoo said. "This shouldn't
be happening."
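The flaw described above is a missing ownership check on a URL parameter: the order number is the only thing the page looks at. The following is an added illustration, not Eve.com's code or anything from the article, with a constructed in-memory order store and made-up customer names. It places the lookup that trusts the number alone beside one that also verifies that the session's account placed the order, and adds a small log check for the enumeration pattern (one session, many refused order numbers) that a defender would want to alert on.

```python
"""
Added example (not the retailer's code): order-status lookup keyed only by a
guessable sequential order number, beside a version that also checks that the
requesting account owns the order. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Order:
    order_id: int
    customer: str          # account that placed the order
    items: tuple
    card_last_digits: str  # the kind of field the article says was exposed

# Constructed sample store; sequential ids make walking the range trivial.
ORDERS = {
    1001: Order(1001, "alice", ("moisturizer",), "12345"),
    1002: Order(1002, "bob", ("perfume", "lipstick"), "67890"),
    1003: Order(1003, "alice", ("shampoo",), "12345"),
}

# One tuple per request: (session account, requested order id, allowed?).
ACCESS_LOG = []

def order_status_vulnerable(order_id: int) -> Optional[Order]:
    """Looks up by the number from the URL alone. Any logged-in visitor can
    read any order just by changing that number, which is the failure the
    article describes."""
    return ORDERS.get(order_id)

def order_status_fixed(order_id: int, session_user: str) -> Optional[Order]:
    """Looks up the order and refuses unless the session's account placed it.
    Returning the same 'not found' result for a missing order and for someone
    else's order avoids confirming which order numbers exist. Every decision
    is logged so refusals can be reviewed."""
    order = ORDERS.get(order_id)
    allowed = order is not None and order.customer == session_user
    ACCESS_LOG.append((session_user, order_id, allowed))
    return order if allowed else None

def sessions_probing_orders(log, threshold: int = 3):
    """Return the accounts with at least `threshold` refused order lookups in
    the log: a single session asking for many order numbers it does not own
    is the signal to alert on."""
    denied = {}
    for user, _order_id, allowed in log:
        if not allowed:
            denied[user] = denied.get(user, 0) + 1
    return {user for user, count in denied.items() if count >= threshold}

if __name__ == "__main__":
    # Vulnerable lookup: bob's order is readable without being bob.
    print(order_status_vulnerable(1002))
    # Fixed lookup: same request from alice's session is refused.
    print(order_status_fixed(1002, "alice"))
    for order_id in range(1001, 1004):
        order_status_fixed(order_id, "mallory")
    print(sessions_probing_orders(ACCESS_LOG))
```

The ownership comparison is the whole fix; a web framework would take `session_user` from the authenticated session rather than from anything in the request URL, and the access log would be the framework's request log rather than a module-level list.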

Alerted to the problem by CNET News.com, Eve.com took its Web site
down sometime between 2:30 p.m. and 3:30 p.m. PT. As of 5:20 p.m., the
site was still down.

"Privacy and security is and has always been the No. 1 priority for
Eve," Dan McMahon, Eve.com's executive vice president of technology,
said in a statement. "We are very concerned about customers' privacy
and take these matters very seriously."

The breach follows closely on the heels of several other recent
privacy problems. Last week, IKEA shut down its catalog order site
after a privacy breach exposed customer order information. And a
glitch at Amazon.com last week exposed the email addresses of many of
its Affiliate members.

The problem at Eve.com, an Internet beauty-products retailer,
potentially exposed the company's entire order history. A random check
by CNET News.com revealed some 168,000 orders dating back to May 31,
1999.

San Francisco-based Eve.com, which is backed by Idealab, officially
opened for business in June 1999.

Khoo said he discovered the problem yesterday while checking the site
for the status of his own order.

The security breach at Eve.com is similar to one discovered last year
at e-tailer Netmarket.com. As with the Eve.com breach, the one at
Netmarket involved customer order numbers incorporated into a URL.
