Auckland-based IT distributor Renaissance says it has repaired an embarrassing flaw in its electronic commerce Web site, but the resellers who use the online shop remain unhappy.
The Renaissance site has been operating since March last year and the fault may have been present the entire time. It allowed anyone with a valid user ID and password to log on to the site and read the invoices of any Renaissance customer simply by changing the invoice number at the end of one of the URLs generated by the Active Server Pages-based site.
Displaying sensitive identifiers such as real invoice numbers in a URL is considered bad practice in e-commerce, but the more serious failing lies behind it: the site, designed by Auckland's Glazier Systems, does not check that the invoice being requested belongs to the account the user logged in with, so any invoice number typed into the URL is served. Nor does the site use encryption.
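The access-control failure described above is what is now called an insecure direct object reference: the server authenticates the user but never authorises the object. The following is an added illustration, not code from Renaissance or Glazier Systems (their site was ASP-based; this is a Python sketch of the same request pattern), with constructed customers, invoices and session tokens. It shows the vulnerable handler, the hardened one, and the kind of invoice-number walk the dealer stumbled into.

```python
"""Insecure direct object reference (IDOR) on an invoice URL, beside its fix.

Added example, not the Renaissance/Glazier site's code. The account names,
invoice numbers, prices, session tokens and the shop.example URL are all
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Invoice:
    number: int
    customer: str          # account that owns the invoice
    total: float
    lines: tuple           # (product, unit price) pairs


# Constructed sample data: two resellers, each with their own invoices.
INVOICES = {
    1001: Invoice(1001, "reseller-a", 1299.00, (("iMac", 1299.00),)),
    1002: Invoice(1002, "reseller-b", 1199.00, (("iMac", 1199.00),)),
    1003: Invoice(1003, "reseller-a", 2598.00, (("iMac", 1299.00),) * 2),
}

# Constructed sessions: session token -> customer account it was opened for.
SESSIONS = {"sess-a": "reseller-a", "sess-b": "reseller-b"}


def invoice_from_url(url: str) -> Optional[int]:
    """Pull the invoice number out of a URL such as invoice.asp?inv=1001."""
    values = parse_qs(urlparse(url).query).get("inv", [])
    if len(values) != 1 or not values[0].isdigit():
        return None
    return int(values[0])


def vulnerable_view(session: str, url: str):
    """The flaw in the article: any valid login can read any invoice.

    The handler confirms the caller is logged in, then fetches whatever
    invoice the URL names. Ownership is never compared with the session.
    """
    if session not in SESSIONS:
        return 401, None
    number = invoice_from_url(url)
    if number is None:
        return 400, None
    inv = INVOICES.get(number)
    if inv is None:
        return 404, None
    return 200, inv


def hardened_view(session: str, url: str):
    """Fix: the invoice must belong to the account the session was opened for.

    Someone else's invoice gets 404, not 403, so walking invoice numbers
    reveals neither that a number exists nor whose it is.
    """
    customer = SESSIONS.get(session)
    if customer is None:
        return 401, None
    number = invoice_from_url(url)
    if number is None:
        return 400, None
    inv = INVOICES.get(number)
    if inv is None or inv.customer != customer:
        return 404, None
    return 200, inv


def probe(view, session: str, numbers) -> list:
    """Walk a range of invoice numbers as one logged-in account and report
    which invoices belonging to other accounts were returned."""
    leaked = []
    for n in numbers:
        status, inv = view(session, f"https://shop.example/invoice.asp?inv={n}")
        if status == 200 and inv.customer != SESSIONS[session]:
            leaked.append(n)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", probe(vulnerable_view, "sess-a", range(1000, 1010)))
    print("hardened handler leaks:  ", probe(hardened_view, "sess-a", range(1000, 1010)))
```

The hardened handler takes the customer from the session, never from the URL, and makes ownership part of the lookup; against a database the same fix is a query scoped by the session's customer ID rather than by the invoice number alone. Replacing sequential invoice numbers with unguessable ones would slow down the walk but would not replace the ownership check.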
Renaissance wasn’t aware of the problem until IDG's Reseller News brought it to the company’s attention last week. Operations manager John Hayson says it has now been fixed.
But that hasn’t laid resellers' fears to rest. "I would be very concerned if our company's information was compromised in any way," says Eagle Technology financial controller Nigel Dearns.
Bill Armour, Wellington-based chief financial officer of ComputerLand, is similarly unimpressed, saying it would be a major concern if the integrity of his company's information was compromised.
And the managing director of Auckland-based Logical Systems, Daven Naidu, says if Renaissance wants resellers to do business with it online, it should provide them with complete security.
The hole was discovered by a Renaissance dealer.
"Renaissance prides itself on its eCommerce system, but security isn't a strong point on its site. If you want to find out what your competition is paying for iMacs or any other product, the door is wide open," says the dealer, who doesn’t want to be identified.
Renaissance’s John Hayson admits there was a security problem and that the company wasn't aware of it until last week. "We have now fixed the problem and now users of the site can't have access to other users’ invoices," says Hayson.
Hayson doesn't know for how long the security hole existed, but says it could have been there from late last year, when customers gained the ability to access their invoices from the site.
"Nobody pointed it out to me until you did, so we weren't aware of it at all," he told Reseller News. "Security on the Internet remains our paramount concern, and we try our best to provide the best security, but when something as new as eCommerce is launched, there are bound to be some problems," says Hayson.
He points out that any customer who managed to access another customer’s information wouldn’t have been able to do so accidentally. "It had to be intentional because he or she would need to have a high level of understanding of the browser," he says.
However, the dealer who alerted Reseller News to the security lapse says its discovery was accidental and he had no intention to expose private or sensitive information.
Wellington-based reseller Graham Chiu, of CompKarori, who launched an attack on distributor Web sites last year saying they were too slow, says the Renaissance lapse calls into question the security of sensitive information like credit card details. "Also this is new and we don't have robust enough technology nor the level of expertise for security needed for e-commerce," Chiu says.
Axon ComputerTime managing director Matt Kenealy is directly critical of the Renaissance site, saying Axon decided not to use the site because it didn't feel it was sound. "We had to reject it because at the time we didn't feel the site was good enough for what we wanted," says Kenealy.