[Fwd: FW: Shopping Carts exposing CC data]
****** message to minivend-users from Steve Cockwell <stevec@sierra.lazarus.ca> ******
I received this today, but haven't yet investigated it further - I
thought the people on this list might find it interesting. I doubt that
minivend would be included in this list (knowing what little I do about
how it handles CC Info) but maybe Mike could make some sort of official
comment about how secure CC info is in Minivend, and what a stupid
person would need to do to make CCs world readable... :-)
We sure didn't need this kind of info at this stage in the on-line game,
but as always - give a monkey a powerful tool and you've got a recipe
for disaster.
.src (feeling critical and having a tough day...)
> Tomorrow (April 20, 1999) CNet's news.com should be running a story
> regarding various commercial and freeware shopping carts that, when
> installed incorrectly or when installed by amateurs, result in the
> possible exposure of customer information... and not just a few digits of
> a credit card number like Yahoo's latest goof - everything is exposed.
> Name, CC Numbers, home address, phone number, what they ordered, how much
> they paid etc etc etc.
>
> These various shopping carts create world readable files in the web
> server's document tree which have subsequently been indexed by numerous
> search engines. (If a cold chill didn't just run down your spine, please,
> check your pulse)
>
> To access this order information you need a search engine and a little
> knowledge of how these various shopping carts are structured. Since some
> are freeware and the commercial carts have downloadable demos, this is
> trivial information to obtain.
>
> This email is a heads up to system administrators and hosts. These
> exposed order files were found by common search engine techniques and I
> suspect that after this story hits, those files are going to be even more
> vulnerable than they already are.
>
> If your users have 3rd party shopping carts installed on your servers,
> please run an audit on the files they generate and maintain. Any
> clear-text order information available to or stored in your web server's
> document tree should be immediately removed or have its access
> restricted. This is common sense to most of us here however, like most
> hosts, we don't always know what security nightmares our users have
> created for us and for themselves.
>
> I am hesitant to list the shopping carts that I've found to be exposing
> information, for fear of giving too much information to the wanna-be
> thieves out there. Please contact me directly if you want specifics. The
> list is very short, however, about 100 exposed installations of these
> carts have already been found and there are undoubtedly hundreds more that
> I haven't found. Some of these sites are doing a great deal of business
> and some are doing none at all - but all of them are exposing order
> information. On one site alone was enough data to allow a thief to live
> like a king. (Until the FBI caught up with them that is :)
>
> A side note: Before anyone screams about us not contacting these CGI
> authors - Because of the sheer number of installations and the number of
> vendors involved, taking this to each one of them would have been
> prohibitive. We did have a conversation with one (fairly large)
> commercial vendor (who shall remain nameless) and if the response we got
> from them was any indication, contacting the remaining vendors would have
> been futile. This particular vendor couldn't see the problem we had with
> the software that -they themselves- had installed on behalf of our mutual
> client. They couldn't understand why we told them to change their
> software or remove it from the server, even after a long and patient
> explanation of a little thing called 'liability'. Their tech told me last
> Wednesday that their engineer would contact us to address these issues -
> which as of this writing hasn't happened. (Not that I expected one - we
> had to explain "world readable" to their rep 3 times and I'm still not
> sure he really understood why this was such a Bad Idea (tm).)
>
> We also tried to get the various CC companies involved in this and to be
> blunt, they practically begged us to go away. This is fairly odd since
> they are the ones that take the financial hit if these data files are
> exposed. Visa Fraud's only recommendation to us was to "send a letter to
> the FTC and let them deal with it". Sorry, but red tape like that is best
> cut with the press, and they can get a much faster and more effective
> response from the various vendors than a modest sized ISP in Seattle can.
>
> My apologies for the late notice... and now for the standard
> disclaimer:
>
> Opinions expressed here are my own and not necessarily that of my
> employer.
>
> Cheers.
>
> Joe.
>
> --
> Joe H. Technical Support
> General Support: support@blarg.net Blarg! Online Services, Inc.
> Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net
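The audit Joe asks hosts to run above (find world-readable files in the document tree that hold clear-text order data) can be scripted. The following is an added example written for this archive page; it is not code from the original message, from Minivend, or from any of the carts discussed. It walks a document root, skips files that are not world-readable, and flags those containing digit strings that pass the Luhn mod-10 check, which is what separates a card number from a phone number or an order total. The document-root layout and the two order files it creates are constructed purely for demonstration; the only numbers used are the industry's published test card numbers. Findings are reported with all but the last four digits masked so the audit output itself does not become another copy of the data.

```python
"""Audit a web document root for world-readable files that appear to
contain clear-text card numbers.  Added example for this list archive,
not part of the original message; the sample document tree built by
build_sample_docroot() is constructed for demonstration only."""
import os
import re
import stat
import tempfile

# Candidate primary account numbers: 13 to 19 digits, optionally separated
# by single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid candidate card numbers in text, digits only."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def is_world_readable(path: str) -> bool:
    """True if the 'other' read bit is set, i.e. anything on the box (and a
    mis-configured web server) can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def masked(pan: str) -> str:
    """Keep only the last four digits so the report is safe to circulate."""
    return "*" * (len(pan) - 4) + pan[-4:]


def audit_docroot(docroot: str) -> list[dict]:
    """Walk docroot and report world-readable files holding Luhn-valid PANs.
    Each finding carries the path, the number of PANs and a masked sample."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_world_readable(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)   # first 1 MiB is enough to triage
            except OSError:
                continue
            pans = find_pans(data.decode("latin-1"))
            if pans:
                findings.append({"path": path, "count": len(pans),
                                 "sample": masked(pans[0])})
    return findings


def build_sample_docroot() -> str:
    """Constructed document tree: one exposed order file (mode 0644) and one
    owner-only order file (mode 0600), so the audit can run offline."""
    root = tempfile.mkdtemp(prefix="docroot-")
    orders = os.path.join(root, "cgi-bin", "orders")
    os.makedirs(orders)
    exposed = os.path.join(orders, "order-0001.txt")
    with open(exposed, "w") as fh:
        # 4111 1111 1111 1111 is the standard Visa test number (Luhn-valid).
        fh.write("name=Jane Doe\ncard=4111 1111 1111 1111\ntotal=49.95\n")
    os.chmod(exposed, 0o644)      # world-readable: the exposure in the message
    protected = os.path.join(orders, "order-0002.txt")
    with open(protected, "w") as fh:
        # 5500 0000 0000 0004 is the standard Mastercard test number.
        fh.write("name=John Roe\ncard=5500-0000-0000-0004\ntotal=12.00\n")
    os.chmod(protected, 0o600)    # owner-only: not flagged by the audit
    return root


if __name__ == "__main__":
    for f in audit_docroot(build_sample_docroot()):
        print(f"{f['path']}: {f['count']} card number(s), e.g. {f['sample']}")
```

Run it against a real document root with `audit_docroot("/var/www/htdocs")` (path is an assumption; substitute the host's own). The mode-bit check is deliberately crude: a file that is 0640 but served by the web server is just as exposed, so the report is a starting list for the host's review, not proof of safety, and remediation is what the message says: move the files out of the document tree or remove their read access.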
Archive of past messages: http://www.minivend.com/minivend/minivend-list