Re: A little guidance...

[sec () ORGONE NEGATION NET (Jason Storm)]

if you have already alerted the vendor, post the attack.

probable case scenario:
vendor scoffs and says "this isnt our problem".

vendor2 says "whoa.. this works on our software as well, lets make it
not work."

vendors3 4 and 5 impliment vendor 2's fix.

vendor1 goes out of business and you get to mock them.

a lot.

-jason storm

On Wed, 31 May 2000, Bill Pennington wrote:

> Let me clear a few things up since after reading my original message
> again I seemed to be much to vague.
>
> The issue I have uncovered is directly related to implementation, not a
> flaw in software (as far as I can tell). The site in question does pass
> all CC#s over SSL, no CC#s are passed in clear text. There are things
> passed in clear text that enable you to "high jack" a web page that
> displays the CC#. It is basically substituting strings in a URL. Nothing
> earth shattering to most of us I would think. Possibly helpful to clue
> less people, I dunno.
>
> Thanks for all your comments/suggestions so far!
>
>
> John Kinsella wrote:
> > Unfortunately the clueless will never figure it out until you shove it
> > in their face...some of the really sharp guys out there may have figured it
> > out as well.  Alot of people in the middle who haven't thought of it yet
> > or don't have the time to beat on all the doors themselves may thank you
> > for quite a while...
> >
> > Where I think it's most important to disclose stuff like this is
> > because it may get somebody else's mind thinking, and allow a
> > discovery of either the same type of problem in another product, or
> > maybe something on a complete different tangent altogether.  I hope it's
> > safe to say that most of us have our methods for dealing with "too much"
> > information, so give us what ya got. :)
> >
> > John
> >
> > On Tue, May 30, 2000 at 01:09:25PM -0700, Bill Pennington wrote:
> > > I have uncovered a flaw in a particular web site that allows you to
> > > steal CC#s of unsuspecting victims. In order to exploit this you must be
> > > able to sniff traffic that is going between the users machine and the
> > > web site in question.
> > >
> > > My question is, should I even bother putting this out? I researched some
> > > archives and while I found a number of e-commerce shopping cart
> > > vulnerabilities, none mentioned this particular method. I have contacted
> > > the site in question but they seem to be clueless. ("All CC#s are over
> > > SSL so we are safe!!" argg!) So is the fact you need a sniffer (or a
> > > proxy server would work as well I guess, hmmmm) to exploit this make it
> > > not "worthy"? It seems more and more devices are sniffing/capturing
> > > network traffic these day (IDS, proxies, bad guys...) so it seems to be
> > > a legitimate concern to me.
> > >
> > > --