Poor website security
Posted by Bug-E on April 7th, 2006
No, not mine. On a site that I used recently to purchase a music CD from, here in South Africa.
Two days ago I ordered a single music CD from an online music website, quite a reputable one too I might add. Large chain. I won’t mention names, I’m sure the interested reader will figure it out. It looks like developers with a complete lack of security knowledge coded that site.
First off, their login procedure doesn’t take you through an SSL’d connection, so we have username and password being sent in cleartext. So there already, if somebody had to sniff some traffic, my personal details, including my home address and cellphone number, are open for reading. This is not as big a problem as the next one, though.
Next: the site at least goes to an SSL’d page when entering my credit card details, and at least it does a POST to a secure page, but after confirmation of the payment I get redirected to a URL along these lines:
http://www.xxxxxxxxxx.co.za/xxxxxxxxxx/invoice.asp?OrderID=12345
“That’s nice” I thought to myself. A nicely formatted, printable invoice, with my delivery details, phone number, etc. on it. At first I didn’t notice the URL, but once I did, I thought “Hmmmmm, surely not?!” I changed the URL to have an order ID one less than my own, and voila, I find that Mr John Doe ordered several “Treffers” CDs, delivered to his house in Centurion. I have his name, address, and phone number.
This is horrible! I can’t believe that a company like this, a large chain, would actually allow somebody with such a total lack of the most basic web-security knowledge or savvy to actually code their site. Or, at best, allow a total security-knowledge-lacking system administrator to implement such a poor piece of code. Granted, it’s nice-ish looking, but good god, this is pathetic!
I’m e-mailing them, hoping that they would fix the problem Real Soon, as I can’t be the first person to notice this… The internet is not in an infantile state anymore, and one would expect to find a little bit better coding going on! Hell, even a simple “Is this user logged in?” check in the code would have been a good start, but you don’t need to be logged in to harvest all their order details.
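What the invoice page is doing is an insecure direct object reference: the OrderID in the query string is trusted as-is, with no check that anyone is logged in, let alone that the logged-in person owns that order. The following is an added example, not the site’s code, written in Python rather than the site’s ASP so it can be run: a toy invoice handler in the shape the post describes, a hardened version with the two missing checks, and the “change the order ID by one” probe run against both. All order, customer and session data is constructed and fictitious; the names invoice_vulnerable, invoice_hardened and enumerate_orders are mine.

```python
# Added example (not the original site's code). Constructed data throughout.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    name: str
    address: str
    phone: str
    items: Tuple[str, ...]


# Constructed sample orders and sessions (fictitious people, not real records).
ORDERS: Dict[int, Order] = {
    12344: Order(12344, 7, "John Doe", "1 Example Road, Centurion", "082 000 0000", ("Treffers 12",)),
    12345: Order(12345, 9, "Bug-E", "2 Example Road, Somewhere", "083 000 0000", ("Some CD",)),
}
SESSIONS: Dict[str, int] = {"sess-bug-e": 9, "sess-john": 7}  # session cookie -> customer id


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def render(order: Order) -> Dict[str, object]:
    """The printable invoice: exactly the personal details the post saw leak."""
    return {"order_id": order.order_id, "name": order.name, "address": order.address,
            "phone": order.phone, "items": order.items}


def invoice_vulnerable(order_id: int, session_cookie: Optional[str]) -> Dict[str, object]:
    """invoice.asp as the post describes it: OrderID from the query string is the
    only thing consulted; the session cookie is never looked at."""
    return render(ORDERS[order_id])  # KeyError if the id does not exist


def invoice_hardened(order_id: int, session_cookie: Optional[str]) -> Dict[str, object]:
    """Two checks the vulnerable version lacks: is the caller logged in at all,
    and does the requested order belong to that caller (authorization, not just
    authentication)."""
    customer_id = SESSIONS.get(session_cookie or "")
    if customer_id is None:
        raise Unauthenticated("login required")
    order = ORDERS.get(order_id)
    # Same response for "no such order" and "not your order", so an attacker
    # cannot use the difference to map out which ids exist.
    if order is None or order.customer_id != customer_id:
        raise Forbidden("no such order for this account")
    return render(order)


Handler = Callable[[int, Optional[str]], Dict[str, object]]


def enumerate_orders(handler: Handler, start: int, count: int,
                     session_cookie: Optional[str] = None) -> List[int]:
    """The probe from the post, generalised: walk a range of OrderIDs and return
    the ids for which the handler handed an invoice back."""
    seen: List[int] = []
    for oid in range(start, start + count):
        try:
            handler(oid, session_cookie)
        except (KeyError, Unauthenticated, Forbidden):
            continue
        seen.append(oid)
    return seen


if __name__ == "__main__":
    print("vulnerable, not logged in:", enumerate_orders(invoice_vulnerable, 12340, 10))
    print("hardened, not logged in:  ", enumerate_orders(invoice_hardened, 12340, 10))
    print("hardened, as John Doe:    ", enumerate_orders(invoice_hardened, 12340, 10, "sess-john"))
```

Run stand-alone, the vulnerable handler hands back every existing order in the range with no cookie at all, while the hardened one returns nothing to an anonymous caller and only the caller’s own order to a logged-in one. Note that the ownership check is the real fix: a login check alone would still let any customer read every other customer’s invoice, and swapping the sequential OrderID for a random token is a speed bump, not a substitute, because the server still has to decide who is allowed to see the record.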
*sigh* I don’t know why I’m surprised at these things anymore…
Tags: security, SSL, web-security