Information Security News mailing list archives

HQ for Exposed Credit Numbers


From: InfoSec News <isn () c4i org>
Date: Tue, 19 Jun 2001 03:36:28 -0500 (CDT)

http://www.wired.com/news/ebiz/0,1272,44613,00.html

By Michelle Delio 
June 18, 2001

Consumers who refuse to make online purchases for security concerns
have another story to reinforce their fears.

This one involves computer goods site ComputerHQ.com, where a small
mistake in the JavaScript-based access check on its order pages exposed
the credit card numbers and other personal information of thousands of
its customers -- perhaps for as long as a year.

The programmer who discovered the problem was using a URL the company
included on his invoice when he went to check an order of his own --
and has spent the past few days unsuccessfully trying to get the
company to acknowledge and then fix the hole.

The site was up and down throughout the weekend, but each time it
reappeared, it had the same hole, exposing more than 15,000
transactions.

"This is madness," said Keith Little, a self-employed computer
consultant, who discovered the hole. "The stupidity of this is beyond
belief. Well, OK, I've been around a while. It's not quite beyond
belief."

The security hole was exploitable only by viewing an order URL with a
browser that had JavaScript disabled. But the URL that allowed anyone
access to the company's customer records is printed on the bottom of
every ComputerHQ invoice.

Little contacted ComputerHQ representatives about the problem on
Saturday and Sunday, and explained that a few simple fixes would
protect the data.

He said each time he spoke with someone at ComputerHQ, the site was
immediately taken offline, only to return a few hours later with the
security hole still intact.

When he noticed that the site was up and running yet again on Monday,
and the data was still exposed, Little was furious.

Wired News' efforts to contact ComputerHQ officials proved fruitless.

Customers whose credit card details were exposed on the Computer HQ
site found it hard to believe that the company had not contacted them
about the problem as soon as Little alerted ComputerHQ about the
security hole.

Jeffrey Jones, a government employee in Carriere, Mississippi, was
"shocked" when contacted and informed that his credit card number, its
expiration date, his home and business addresses and phone numbers and
other details of his order were exposed on the company's website.

"I can't believe this, this certainly isn't the best way to start off
a Monday morning," said Jones.

Matthew Novack, an IBM employee, contacted ComputerHQ on Monday
morning after being notified of the security problem by Wired News.

Novack said that a ComputerHQ manager told him the problem had been
corrected over the weekend.

"But obviously this was not the case since you intercepted my order
this morning at 7:29. He immediately had his developer shut down the
site," Novack said.

The manager then called back Novack and said that "the initial fix
that was implemented on Saturday still had a workaround and that the
final patch was installed at 11:30 and would prevent this workaround."

Novack said that although he appreciated the manager's prompt action
in taking the site offline to protect other consumers, "it still
leaves the question as to the information that was retrieved by you
and possibly others."

As of noon EDT on Monday, none of the 14 ComputerHQ customers who were
contacted by Wired News had received any independent notification from
the company that their data had been exposed on the ComputerHQ
website.

"They should have called in their staff Saturday and started e-mailing
and calling us to let us know that our credit card and other personal
data was on the Web for the world to see," said one ComputerHQ
customer, who requested her name not be used.

Other customers responded with anger when their credit card numbers,
details of their order and their addresses were relayed to them by
phone.

"You hacked into the site, didn't you? How else could you see all this
information? If you didn't hack into it, then someone else did and
you're as bad as them for looking at my information. You should have
just turned the computer off and walked away," said Tom Bellflour, a
ComputerHQ client, who said he ordered products using his girlfriend's
credit card.

Little discovered the hole when a client ordered a hard drive from the
ComputerHQ site and had it shipped directly to Little.

The drive was faulty, and Little returned it for a replacement. Later,
when checking some details of the order, Little noticed that the order
form included a URL that contained the original order number.

"Speculatively, I typed into the location input on my browser that URL
and I found myself looking at the order, complete with all components
purchased, full personal details, credit card number and all," Little
said.

Little then changed the order number in the URL by one digit and saw
someone else's order, complete with credit card number, expiration
date and other personal details. He was able to access dozens of
orders, the earliest dating back a year ago.

At that point, Little said it would have been a trivial task of a few
minutes' work to write a bit of code that could have grabbed all
15,000 plus orders and downloaded them to his hard drive.

"I'd have been insane to do so, of course. I was working from my own
dialup account. On the other hand, I presume these people were so
clueless they may never have known," Little said.

Instead, Little called the company, and asked to talk to the system
administrator about a serious security problem. He was connected to a
supervisor, who insisted that a zip code had to be entered in order to
access customers' records.

Little explained that any Web browser with JavaScripting disabled was
able to view the records without entering the zip code.

The pop-up window, which requested the viewer's zip code as a
password, does not appear when JavaScripting is disabled, and instead
the user is whisked directly to the order forms.

The supervisor followed Little's directions, disabled JavaScripting,
entered an order URL and was able to view the order forms.

"I think I actually heard the blood drain from his face over the
phone," Little said.

Little wonders why a company would use an easily crackable five-digit
number as a password in any case.

"Even if zip codes were required to access specific records, wouldn't
someone have figured out by now that 5-digit numbers most certainly do
not make good passwords?"

Little, along with other technicians who were asked to look at the
site, say the problem is being caused by an ASP page -- Microsoft's
Active Server Pages, a server-side scripted Web page system -- which is
intended for use only by staff at the company to print out orders.

The program sends the entire customer record to the browser at the
same time that it is asking for a zip code as verification of the
user's identity by means of a JavaScript pop-up window. The zip code
check runs in the viewer's browser, not on the server, so the data has
already left the server before the check is made.

With JavaScript enabled, which is the default setting on all browsers,
the script hides the page content and only the pop-up is seen.

But if users disable JavaScripting -- as some people do to avoid
pop-ups and other advertising -- nothing hides the content, and the
entire customer record is immediately displayed.

The problem is not inherent in the Microsoft software, but in the way
the system administrator or Web designer of Computer HQ has designed
the site, Little said.

"It's just a matter of how the script is written. Presumably, while
the code that produces the pop-up was made conditional in input (the
lack of a zip code), the actual output of the data was not made
conditional on the same factor."

Little said that this is a fairly simple error to correct, as well as
a simple error to make -- an issue that concerns him.

"It is conceivable that whoever designed their system has also
designed others. I haven't looked over their site nor examined the
code of their pages to see if they use some outside service for their
site's management."

Little said the earliest order he was able to view was No. 1301, dated
July 2000.

Little said that if he was able to figure out how to enter the
database, chances are other people could have figured out they just
needed to disable JavaScript, too.

"(Computer HQ) was sending out the exploitable URL on every invoice
they shipped. It would truly be a miracle if no one discovered it
before I did."




ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.