Politech mailing list archives

FC: Backdoor in e-commerce site software exposes credit card numbers


From: Declan McCullagh <declan () well com>
Date: Thu, 27 Apr 2000 14:42:45 -0400


http://www.wired.com/news/politics/0,1283,35954,00.html

   Backdoor Exposes Credit Cards
   by Declan McCullagh (declan () wired com)

   8:00 a.m. Apr. 27, 2000 PDT
   Thousands of credit card numbers stored on e-commerce websites are
   available to anyone with a backdoor password, a British consulting
   firm has discovered.

   Cerberus Information Security said on Thursday it found a secret
   password that allows someone connecting to a website running "Cart32"
   shopping cart software to gain access to the server.

   McMurtrey-Whitaker, the Springfield, Missouri firm that sells Cart32,
   confirmed the backdoor -- which can reveal such data as credit card
   numbers, order information, and shipping addresses -- and said they
   would distribute a repaired version of the program next week.

   Hundreds of small-to-medium websites, including Jazzworld.com,
   MusicWorld CD, ComputerShop.com, Wirelesstoys.com, and
   ChocolateVault.com, use Cart32 shopping software, which runs on
   Windows 95 and Windows NT machines.

   "We've been notified of it," said Matt Humes, a technical support
   representative at McMurtrey-Whitaker.

   Right now, Cart32 administrators can edit the executable file and
   manually delete the password to close the security hole. "By Monday
   [or] Tuesday, there's going to be a much easier fix to make everything
   completely secure," Humes said.
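The interim fix described above amounts to finding a hardcoded credential inside the shipped binary and removing it. The following Python script is an added example (not Cart32's or McMurtrey-Whitaker's code, and not the vendor's fix) of how an administrator can check an executable for a known backdoor string and neutralize it in place. It assumes the credential is stored as a plain string, either narrow ASCII or UTF-16-LE (the two encodings a Windows program most often uses for literals), and that overwriting it with random printable characters of the same byte length leaves file offsets intact; an obfuscated or computed credential would not be caught this way. The sample "image" is constructed inline, so the script runs offline.

```python
"""Check an executable image for a known hardcoded credential and neutralize it.

Added example, not Cart32 or McMurtrey-Whitaker code. Assumes the credential is
stored as a plain narrow (ASCII) or wide (UTF-16-LE) string in the binary.
"""
import secrets
import string

# The backdoor string named in the article; any other credential can be
# checked the same way by passing a different `secret`.
KNOWN_BACKDOOR = "wemilo"

# Constructed stand-in for an executable image (a real one is far larger).
# It places the credential once as a C-style ASCII string and once as a
# NUL-terminated UTF-16-LE string.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 14
    + b"wemilo\x00"                                 # narrow string, offset 16
    + b"\x00" * 8
    + "wemilo".encode("utf-16-le") + b"\x00\x00"    # wide string, offset 31
    + b"\xcc" * 8
)

_ALPHABET = string.ascii_letters + string.digits


def encodings_of(secret: str) -> list[tuple[str, bytes]]:
    """Byte patterns to search for: narrow (ASCII) and wide (UTF-16-LE)."""
    return [("ascii", secret.encode("ascii")),
            ("utf-16-le", secret.encode("utf-16-le"))]


def find_credential(image: bytes, secret: str = KNOWN_BACKDOOR) -> list[tuple[int, str]]:
    """Return (offset, encoding) for every occurrence of the credential."""
    hits = []
    for label, pattern in encodings_of(secret):
        start = 0
        while (idx := image.find(pattern, start)) != -1:
            hits.append((idx, label))
            start = idx + len(pattern)
    return sorted(hits)


def _random_replacement(n_chars: int, wide: bool) -> bytes:
    """Random printable string of n_chars characters in the requested encoding.

    Printable, non-NUL characters keep C-string semantics (no early terminator);
    the wide form keeps the 0x00 high byte of every UTF-16-LE code unit.
    """
    chars = "".join(secrets.choice(_ALPHABET) for _ in range(n_chars))
    return chars.encode("utf-16-le" if wide else "ascii")


def neutralize(image: bytes, secret: str = KNOWN_BACKDOOR) -> tuple[bytes, int]:
    """Overwrite each occurrence with a random string of equal byte length.

    Returns (patched_image, occurrences_replaced). Randomizing rather than
    blanking the string avoids leaving a known empty credential behind.
    """
    buf = bytearray(image)
    hits = find_credential(image, secret)
    for offset, label in hits:
        wide = label == "utf-16-le"
        length = len(secret) * (2 if wide else 1)
        buf[offset:offset + length] = _random_replacement(len(secret), wide)
    return bytes(buf), len(hits)


def check_file(path: str, secret: str = KNOWN_BACKDOOR) -> bool:
    """True if the file on disk still contains the credential."""
    with open(path, "rb") as fh:
        return bool(find_credential(fh.read(), secret))


def patch_file(path: str, secret: str = KNOWN_BACKDOOR) -> int:
    """Neutralize the credential in place, writing a .bak copy first."""
    with open(path, "rb") as fh:
        original = fh.read()
    patched, count = neutralize(original, secret)
    if count:
        with open(path + ".bak", "wb") as fh:
            fh.write(original)
        with open(path, "wb") as fh:
            fh.write(patched)
    return count


if __name__ == "__main__":
    for off, enc in find_credential(SAMPLE_IMAGE):
        print(f"credential found at offset {off:#06x} ({enc})")
    fixed, n = neutralize(SAMPLE_IMAGE)
    print(f"replaced {n} occurrence(s); still present: {bool(find_credential(fixed))}")
```

Run `check_file("cart32.exe")` to confirm whether a copy is affected before touching it, and `patch_file` to apply the same-length overwrite with a backup. Patching a binary this way is only a stopgap: it can invalidate checksums or signatures the program or installer relies on, it cannot reach a credential the program decodes at run time, and it should be replaced by the vendor's corrected build as soon as that is available.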

   Larger firms like Amazon and CDNow tend to use custom shopping cart
   software. Smaller ones turn to programs like Cart32, or competitors
   like WebGenie Software's shopping cart, Open Market's ShopSite, or
   Mercantec's SoftCart.

   The Cart32 password, "wemilo," could have been inserted by a malicious
   McMurtrey-Whitaker employee who hoped to steal credit card numbers, or
   the firm could intentionally have enabled it so their technical
   support staff could fix customers' problems from afar.

[...]
--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
--------------------------------------------------------------------------

