From: Gerald Quakenbush (geraldq_at_QUAKENBUSH.COM)
Date: Wed Feb 12 2003 - 13:35:42 CST


SECURITY ADVISORY

FTD.COM Leaks Credit Card Numbers to the Internet
Gerald Quakenbush, CISSP, NSA-IAM
February 12, 2003

Overview
Serious security flaws exist in the way the popular www.ftd.com web site is
configured and in its software that allow any hacker with kindergarten-level
skills to retrieve information, unauthorized, from the site. It is
trivial to retrieve customer data, including credit card numbers, expiration
dates, account names, shipping addresses and anything else FTD knows about
the consumer.

Details
Two errors combine to make this a very serious, very urgent issue. First,
FTD has very deeply flawed session tracking logic. Secondly, server
configuration flaws allow users to connect without using SSL. These issues
are independent of each other; however, the ability to connect without SSL
simplifies the attack.

The session logic is deeply flawed. The session logic is about as simple as
session logic can get – they use an integer to track unique visitors and the
integer is simply incremented from one user to another. In order to retrieve
someone else’s confidential information (yes, their credit card number among
other things) one only needs to transmit a simple request and vary a cookie
value in order to read client data.

Status
FTD has been contacted and advised of the issue. Due to the simplicity of
exploiting the attack, it was deemed necessary to alert friends, family,
country and planet to the risk.

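The weakness the advisory describes is a session token that is a plain incrementing integer carried in a cookie, combined with that cookie travelling over plaintext HTTP. The following is an added example (not from the advisory and not FTD's code; every class and function name here is hypothetical) that places the counter-based pattern beside a server-side session store that issues unguessable tokens, emits the cookie attributes that keep the token off plaintext connections, and includes a small audit helper a reviewer can run over a sample of issued IDs to flag a counter-style sequence.

```python
"""Session-identifier hygiene: sequential counter vs. random token.

Added example, not code from the advisory or from FTD. All names are
hypothetical. Shows why an incremented integer is unusable as a session
token, what a server-side store should issue instead, and a simple audit
that flags a predictable ID sequence.
"""
import secrets


class SequentialSessionStore:
    """The weak pattern described in the advisory: the session ID is a
    counter, so whoever holds ID n can name ID n+1. Kept only for contrast."""

    def __init__(self, start=1000):          # start value is constructed
        self._next = start
        self._sessions = {}

    def create(self, user):
        sid = str(self._next)
        self._next += 1
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


class RandomSessionStore:
    """Hardened pattern: the cookie carries only an unguessable random token;
    all customer data stays server-side behind that token."""

    def __init__(self, nbytes=32):
        self._nbytes = nbytes                # 32 bytes = 256 bits of entropy
        self._sessions = {}

    def create(self, user):
        # secrets.token_urlsafe draws from the OS CSPRNG, so tokens are
        # unrelated to one another and cannot be walked like a counter.
        sid = secrets.token_urlsafe(self._nbytes)
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid):
        # Anything not issued by this server simply resolves to None.
        return self._sessions.get(sid)


def set_cookie_header(name, sid):
    """Cookie attributes addressing the advisory's second flaw: Secure keeps
    the token off plaintext HTTP, HttpOnly keeps it away from page script."""
    return f"Set-Cookie: {name}={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def looks_sequential(ids, min_run=3):
    """Audit helper: True if a sample of issued IDs contains a run of at
    least `min_run` consecutive integers, i.e. a counter-style generator."""
    try:
        vals = sorted(int(i) for i in ids)
    except ValueError:
        return False                         # non-numeric tokens: not a plain counter
    run = 1
    for a, b in zip(vals, vals[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= min_run:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample users; not real customer records.
    users = ["alice", "bob", "carol", "dave"]
    weak = SequentialSessionStore()
    weak_ids = [weak.create(u) for u in users]
    strong = RandomSessionStore()
    strong_ids = [strong.create(u) for u in users]
    print("counter IDs predictable:", looks_sequential(weak_ids))    # True
    print("random IDs predictable: ", looks_sequential(strong_ids))  # False
    print(set_cookie_header("sid", strong_ids[0]))
```

The audit helper is deliberately crude: it only catches the exact flaw the advisory names (a bare incrementing integer). A broader review of a session scheme would also look at token length, the source of randomness, whether the token is rotated on login, and whether every request that returns customer data actually checks the token against the server-side store rather than trusting any cookie value the client sends.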