[ISN] Backdoor Exposes Credit Cards

From: William Knowles (wkC4I.ORG)
Date: Thu Apr 27 2000 - 14:46:37 CDT


http://www.wired.com/news/politics/0,1283,35954,00.html

by Declan McCullagh

8:00 a.m. Apr. 27, 2000 PDT

(Editor's note: This story has been modified since its initial
posting. The original publication of this story included the password
in question.)

Thousands of credit card numbers stored on e-commerce websites are
available to anyone with a backdoor password, a British consulting
firm has discovered.

Cerberus Information Security said on Thursday it found a secret
password that allows someone connecting to a website running "Cart32"
shopping cart software to gain access to the server.

McMurtrey-Whitaker, the Springfield, Missouri firm that sells Cart32,
confirmed the backdoor -- which can reveal such data as credit card
numbers, order information, and shipping addresses -- and said they
would distribute a repaired version of the program next week.

Hundreds of small-to-medium websites, including Jazzworld.com,
MusicWorld CD, ComputerShop.com, Wirelesstoys.com, and
ChocolateVault.com, use Cart32 shopping software, which runs on
Windows 95 and Windows NT machines.

"We've been notified of it," said Matt Humes, a technical support
representative at McMurtrey-Whitaker.

Right now, Cart32 administrators can edit the executable file and
manually delete the password to close the security hole. "By Monday
[or] Tuesday, there's going to be a much easier fix to make everything
completely secure," Humes said.

Larger firms like Amazon and CDNow tend to use custom shopping cart
software. Smaller ones turn to programs like Cart32, or competitors
like WebGenie Software's shopping cart, Open Market's ShopSite, or
Mercantec's SoftCart.

The Cart32 password could have been inserted by a malicious
McMurtrey-Whitaker employee who hoped to steal credit card numbers, or
the firm could intentionally have enabled it so their technical
support staff could fix customers' problems from afar.

McMurtrey-Whitaker said that the vulnerability was included in earlier
versions of Cart32, which means that anyone who knew the password
could have had access to sites' personal information for at least a
year.

Cerberus' David Litchfield said he stumbled across Cart32 after seeing
a banner ad for the product, and decided to explore its potential
vulnerabilities on Wednesday evening.

"My brother and I spent about two hours looking at it (before we
discovered the backdoor)," Litchfield said. "I'm extremely surprised
that it's in there."

Litchfield said his eight-person security consulting firm has released
eight security advisories this year, and they decided to publish the
password because of the magnitude of the problem.

To gain access to customer files, an attacker could use the password
to alter the shopping cart to leak information when users connect to
the site. Cerberus said it also discovered a way to change Cart32's
administrative password without knowing what the original one was.

Litchfield also found some odd information about the program's
designers embedded in the 700KB cart32.exe file. One example: "My Name
/ Bryan L. Whitaker / My Wifes Name / Melissa K.Whitaker and Kaylee
(our baby)."

One expert criticized the company's planned bug fix as unduly tardy.

"If they're waiting until Tuesday or Wednesday to fix this problem,
that's definitely a bad idea. It doesn't take a genius to figure out
what's going to happen all weekend," said Steve Manzuik, the moderator
of Win2K Security Advice, referring to malicious hacker attacks.

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERVSecurityFocus.com with a message body of
"SIGNOFF ISN".