Information Security News mailing list archives

Microsoft closes window to customer data


From: InfoSec News <isn () c4i org>
Date: Thu, 11 Oct 2001 06:13:59 -0500 (CDT)

http://news.cnet.com/news/0-1005-200-7475010.html?tag=mn_hd

By Paul Festa
Staff Writer, CNET News.com 
October 10, 2001, 11:50 a.m. PT 

Microsoft moved swiftly this week to close a security gap in its
customer service Web site that let anyone with a browser view
customers' sales records and other confidential information.

The software giant had left a search database exposed without security
protections. The address of the customer service page was unpublished,
but by altering the numerical IP (Internet Protocol) addresses of
known Microsoft Web sites, a security enthusiast located it and found
himself with access to an unknown number of customer service records.

Each exposed record included the customer's name, purchasing history,
shipping address, billing address, phone numbers, e-mail address and
credit card type. It did not include the actual credit card number.

"We were notified of this, we fixed the problem, and we're reviewing
our internal systems to make sure proper procedures are followed to
make sure this doesn't happen again," Microsoft representative Jim
Desler said Wednesday. "This was a case of human error, and we will
remain vigilant in our efforts to protect customer information and
will not accept any breakdowns or failures in this process."

Adrian Lamo, who discovered the unprotected page, has exposed other
embarrassing security gaffes by Internet giants. Last month, Lamo
succeeded in breaking into Yahoo's news production tools and altering
news stories. Prior to that, Excite@Home credited him with helping
them shore up their customer records, which had been vulnerable to
exposure.

Lamo said Microsoft fixed the hole within an hour of notification by
news Web site NewsBytes.



-
ISN is currently hosted by Attrition.org


