Lame computerHQ.com security exposed: wired

ComputerHQ.com's lame lack of security in a piece of JavaScript exposed users' credit cards for over a year. (Never use JavaScript for anything security related; actually, let's go one step further: never rely on the client side for anything whose integrity you must ensure, whether look, action, or security.)

A programmer who used the site found the problem and alerted the site operators. They have reacted and claim to be fixing the site. Even getting a response, much less a resolution, is impressive, but there is still no excuse for a problem this serious.

The problem is related to a piece of JavaScript on an ASP page. Security nightmare all around: JavaScript, ASP, IIS, look out. The problem is actually not with a product, though; it is with how things were configured and how the script was written. By far the largest security threat on any computer system is configuration error or flat-out misunderstanding of how things work. You would be AMAZED at how easy it is to get information like credit card numbers using nothing more than popular search engines. (You really don't have to get more complicated than that; configuration problems are rampant. Many companies, and/or the individuals they hire, do not have the know-how or the time to set up information-sensitive systems properly, but they do it anyway.)

I have found issues with a few sites while just perusing them. I generally mention it (uh, your password for the secure section is in the source) and nobody cares. My personal recourse is that I don't go there anymore, I don't shop there, etc. In fact I make it a recommendation not to shop on any server running IIS (because of all of the egregious security problems).

(The real solution to this problem is to make the information itself useless to unauthorized users. That's not so hard to do. Require a PIN with a credit card, or require some other second form of authentication. Credit card companies and other entities in charge of supposedly sensitive personal numbers need to enact greater fraud measures. I should be able to give my damn credit card number to everyone, broadcast it, and still no one should be able to use it. That's another discussion, but it's worth mentioning.)

HQ for Exposed Credit Numbers