FTD.COM Security Bulletin (updated)
From: Gerald Quakenbush (geraldq@QUAKENBUSH.COM)
Date: 02/12/03
Date: Wed, 12 Feb 2003 14:35:42 -0500 From: Gerald Quakenbush <geraldq@QUAKENBUSH.COM> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
SECURITY ADVISORY
FTD.COM Leaks Credit Card Numbers to the Internet
Gerald Quakenbush, CISSP, NSA-IAM
February 12, 2003
Overview
Serious security flaws exist in the way the popular www.ftd.com web site is
configured and in its software; together they allow any hacker with
kindergarten-level skills to retrieve information from the site without
authorization. It is trivial to retrieve customer data, including credit card
numbers, expiration dates, account names, shipping addresses and anything else
FTD knows about the consumer.
Details
Two errors combine to make this a very serious, very urgent issue. First,
FTD has very deeply flawed session tracking logic. Second, server
configuration flaws allow users to connect without using SSL. These issues
are independent of each other; however, the ability to connect without SSL
simplifies the attack.
The session logic is deeply flawed, and about as simple as session logic can
get: the site uses an integer to track unique visitors, and that integer is
simply incremented from one user to the next. In order to retrieve someone
else’s confidential information (yes, their credit card number among other
things) one only needs to transmit a simple request and vary a cookie value in
order to read that client's data.
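To make the session-tracking weakness concrete from a defender's side, here is an added example (not FTD's code and not part of the original advisory): a small audit that flags a sample of session cookie values as guessable when they form an incrementing integer counter or have low entropy, beside a replacement generator that draws identifiers from the operating system's CSPRNG. The sample cookie values and all function names are constructed assumptions.

```python
import math
import secrets
from collections import Counter

# Constructed sample, modelled on the advisory's description of an integer
# session counter that is incremented from one visitor to the next.
SEQUENTIAL_SESSION_IDS = ["100231", "100232", "100233",
                          "100234", "100235", "100236"]


def shannon_entropy_bits(values):
    """Per-character Shannon entropy (bits) over the concatenated tokens."""
    joined = "".join(values)
    counts = Counter(joined)
    total = len(joined)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_sequential(values):
    """True when every token is a decimal integer and consecutive tokens
    differ by the same small positive step (an incrementing counter)."""
    try:
        nums = [int(v) for v in values]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1 and 0 < steps.pop() <= 10


def audit_session_ids(values, min_entropy_bits=3.5):
    """Return findings for a sample of observed session cookie values.
    An empty list means neither predictability check fired."""
    findings = []
    if looks_sequential(values):
        findings.append("sequential integer session identifiers (guessable)")
    if shannon_entropy_bits(values) < min_entropy_bits:
        findings.append("low per-character entropy")
    return findings


def new_session_id(nbytes=32):
    """Unguessable replacement: 256 bits from the OS CSPRNG, URL-safe."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print("counter-based sample:", audit_session_ids(SEQUENTIAL_SESSION_IDS))
    print("CSPRNG sample:", audit_session_ids([new_session_id() for _ in range(8)]))
```

Sequential identifiers also need to travel only over SSL with the cookie marked Secure; otherwise a strong identifier is still exposed to the plaintext-connection flaw the advisory describes.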
Status
FTD has been contacted and advised of the issue. Because the flaw is so
simple to exploit, it was deemed necessary to alert friends, family, country
and planet to the risk.