Net site holes confirm fears

Shoppers' fears about giving out sensitive information over the Web may be justified after all, and small businesses may be the culprits. Incorrectly configured third-party shopping carts on some e-commerce sites are exposing customers' names, passwords, credit card information, what they ordered and how they paid for it, along with mailing addresses. The good news: no one can think of a New Zealand site using one of the carts in question.

The problem was brought to light by Joe Harris, systems administrator at US Internet service provider Blarg Online Services, and was reported on the Bugtraq newsgroup.

"If your users have third-party shopping carts installed on your servers, please run an audit on the files they generate and maintain," Harris warned other ISPs. The six shopping carts in question — WebStore 1.0, Order Forms 1.2, EZMall 2000, QuikStore, PDG Shopping Cart 1.5 and SoftCart — write their order records to clear-text files, and where those files sit inside the web server's document root anyone who knows or guesses the URL can fetch them with an ordinary browser. Larger e-commerce sites tend to write their own shopping cart applications, and the warning only points to sites that have incorrectly configured their shopping carts, says Harris. "Under no circumstances should any of the carts listed [above] be blacklisted or considered unsafe," says Harris. It's simply a matter of incorrect configuration or poor maintenance.

New Zealand e-commerce sites should have escaped this problem, says Telecom's spokesperson, Glen Sowry.

"Any site built using [Xtra's] Business Builder will be alright as it is based on Intershop, which uses a proprietary cart application." Other developers contacted by Computerworld agreed — none could think of a New Zealand site using one of the listed shopping carts.

The six shopping carts showed up in over 100 US-based e-commerce sites, including Home Gardener Direct, which was unaware of any problem.

"You've caught us with our pants down," says Rick Grossman, sales manager with GrowerNet which designed Home Gardener Direct.

The LA Times reports that it has been able to download more than 100 Web pages of phone numbers, credit card numbers, email addresses and the like from sites it tested. The problem occurs when the shopping-cart software writes its order file, unencrypted, into a directory the web server serves to the public, with nothing restricting who can request it.

"I don't think most companies see the magnitude of this. They have to take action very quickly," says Tara Lemmey, president of San Francisco's Electronic Frontier Foundation.

The LA Times also reports that at least two shoppers who used one of the sites have had their credit card numbers stolen and used illegally.

Harris' advice to anyone using these applications: "Any clear-text order information must be immediately removed or have access restricted". He believes e-commerce sites should have no unencrypted information stored on their servers.
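The audit Harris asks ISPs to run can be scripted. The following is an added example, not code from the article or from any of the cart vendors named in it: it walks a web document root, looks in every file for a digit string that passes the Luhn check (the checksum all major card numbers carry), and reports which files under the docroot hold card-number-like data. The file layout and the sample order line are constructed for the demo; which files a particular cart writes, and where, is an assumption you would replace with your own server's paths.

```python
"""Audit a web document root for clear-text order records containing card numbers.

Added example. Assumptions (not from the article): the cart writes its order
log somewhere under the site's document root, and a record counts as exposed
when it holds a 13-19 digit string that passes the Luhn check.
"""
import os
import re
import tempfile

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card-like numbers in text, separators stripped."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(card: str) -> str:
    """Keep only the BIN and the last four digits in the report itself."""
    return card[:6] + "*" * (len(card) - 10) + card[-4:]


def audit_docroot(docroot: str) -> list:
    """Walk docroot; report every file that holds at least one Luhn-valid number.

    Anything listed here is reachable by URL unless the server config denies
    it, because it sits inside the directory tree the server publishes.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # first MiB is enough to spot a record
            except OSError:
                continue  # unreadable or vanished; not our concern here
            cards = find_card_numbers(data.decode("latin-1"))
            if cards:
                findings.append({
                    "path": os.path.relpath(path, docroot),
                    "cards": len(cards),
                    "masked": [mask(c) for c in cards],
                })
    return findings


def demo() -> list:
    """Constructed sample docroot: one cart order log with a test card, one clean page."""
    root = tempfile.mkdtemp(prefix="cart-audit-")
    os.makedirs(os.path.join(root, "cgi-bin", "orders"))
    with open(os.path.join(root, "cgi-bin", "orders", "orders.txt"), "w") as fh:
        # Constructed record; 4111 1111 1111 1111 is a well-known test number.
        fh.write("2024-01-01|Jane Doe|4111 1111 1111 1111|12/27|1 Example St\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        # 13-digit order reference that fails Luhn, so it must not be reported.
        fh.write("<html><body>Order ref 1234567890123</body></html>\n")
    return audit_docroot(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the real document root (`audit_docroot("/var/www/htdocs")` or whatever your server uses) rather than the demo directory. Note that tightening Unix file permissions does not fix a hit: the cart's CGI writes the file as the web server user, so the server can always read and serve it. The file has to be moved outside the document root, or the directory has to be denied in the server configuration, which is what Harris means by "have access restricted".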
