Auctions close major security hole

Hundreds and perhaps thousands of credit card numbers, home addresses, and phone numbers were exposed for months through a gaping security hole on many small Internet auction sites, raising serious questions about the effectiveness of online safeguards, CNET News.com has learned.

Security experts said the problem was especially alarming because, unlike more technically complicated software problems, this one left records exposed to virtually anyone who happened to click on the right Web page listings.

Records at several sites using older versions of the same auction software were exposed when administrators either did not secure their sites with keys or otherwise failed to use the software properly. The risk varied from site to site, ranging from data immediately accessible with a few mouse clicks to information obtainable through rudimentary hacking.

The sites known to have used the software belong to small and medium-sized businesses, in some cases stores trying to capitalize on the e-commerce boom by running their own online auctions. Large auction sites such as eBay, which is going public today, generally use proprietary software for security and were not affected by the problem.

Administrators of several of the sites secured their systems after being informed of the breaches by News.com. But security experts remain troubled by the ease in which sites became vulnerable, fearing that such incidents will stunt the growth of electronic commerce by confirming the worst fears of a public already skeptical of Internet security.

"It's terrible when anybody can browse a site and get customer credit card numbers," said David Kennedy of the International Computer Security Association. "From the individual's perspective, this is bad but not terrible because in almost every case individuals are protected by their credit card company, and the most they're liable for [generally] is $50."

However, he added: "From the business perspective, this is horrible."

Credit card numbers were not the only information available. One site, for example, also exposed the names, postal and email addresses, phone numbers, and passwords of more than 100 customers. The same type of information was available--although not as readily--on other sites as well.

The security hole was discovered by Mark Dodd, who runs a site called AuctionWatch. While conducting a routine search for his domain name to find how it was listed by engines, he came across an intriguing link that led to an index of an auction site. He clicked and found that, by manipulating a simple URL, he could get full access to administrative controls of several sites containing thousands of records.

The first site in question--a small coin-collector auction business called Williams Gallery, based in Montana--was using an earlier version of software from a company called OpenSite, which has been engaged in a dispute with Dodd over use of the domain name "www.auctionwatch.com." OpenSite uses the name AuctionWatch in its software, so its URL came up in his search.

Despite that conflict, Dodd said he stumbled across the security hole by accident. "I wasn't even looking for it," he said in an interview. (In verifying the breach, News.com also viewed many of the record listings, all on the public Web, but did not download any specific information.)

OpenSite founder and chief executive Michael Brader-Araje insists that his company is not to blame for the problems, saying that the software in question was sold with instructions on protecting passwords. In more recent versions of the product, he said, password protection is provided by default, and eventually customers will be required to have the safeguards in place before they can even install the software.

"This is not a consequence of our software," Brader-Araje said. "This is the consequence of an inexperienced Web server administrator. The bottom line is we don't have control over what our customers do with their Web servers."

Regardless of who ultimately bears responsibility, experts say security holes that readily expose personal data may not be as rare as many might hope. Unlike more established businesses that handle sensitive information, many Internet companies are using relatively untested technologies and operating without the same level of regulatory scrutiny.

With heightened concerns about identity theft, the Federal Trade Commission has probed Net privacy for more than two years, but the agency and the White House have endorsed only new laws to better protect children's online information.

"This points to the immaturity of the Internet as an electronic commerce platform," said Victor Wheatman, vice president of information security services at the Gartner Group research firm. "Also, it points to the immaturity of some of the companies that are bringing their product to market and positioning themselves for less than technically sophisticated people."

Ted Julian, a security analyst with Forrester Research, took a long view. "I think it's part of the evolutionary process that we're going through since we're at the early stages of the market. What's the alternative? You wait until all these things are taken care of? By then, how many competitors have you ceded your market to?"

Those are precisely the kinds of concerns faced by the Williams Gallery. Dan Wahrer, who runs the coin auction site, said he had installed an early version of the OpenSite product but hadn't even used the site for about eight months because it had been having trouble drawing traffic. He uses a much larger coin-collecting auction site to peddle his goods.

Wahrer, who was unaware of the problem until contacted by News.com, immediately had the site taken down. A relative novice at the Internet, he was understandably alarmed.

"If you can get into it as easy as you say you can, something's wrong," Wahrer said. "I pay good money for a secure Web site."

Brader-Araje maintains that OpenSite frequently informs its customers of security problems--when it knows about them--stressing that his company "takes this matter very seriously." His company, in fact, set up Wahrer's site but could not set the passwords.

Instead, he said, he sent directions to the Williams Gallery server administrator instructing how to protect passwords. The company hosting the site said it had not been contacted and lay the blame with OpenSite. It remains unclear who was at fault.

In his defense, Brader-Araje said a software company can do only so much. "The bottom line is if a 12-year-old wants to go out there and buy an e-commerce operation, they can," he said. "But that doesn't mean it's going to be a secure site."

Forrester analyst Julian said he understands that perspective: Software is only as good as those who use it. "It's like selling someone a rocket launcher," he said. "It can do interesting and powerful things in the right hands; it can be dangerous in the wrong hands."

Kennedy, on the other hand, said OpenSite should have been well aware of the potential pitfalls among its customers because the company markets specifically to smaller businesses, which generally have limited Net experience.

He worries further that events like this could have a chilling effect on an industry that has been greeted with public suspicion from its inception. "You cannot have electronic commerce on the World Wide Web or the Internet if things like that are routinely possible," Kennedy said.

Industry analysts say most sites--especially the larger ones--are safe. But even small incidents can devastate an industry in its infancy.

The bottom line is that it's no more possible to have foolproof Internet site than it is to have an unbreakable real-life storefront. As with offline commerce, users should check into sites as thoroughly as possible before sending them any sensitive information, let alone their money.

Security "is a balancing act between access and safety," Julian said. "If you want total security, don't connect it to anything. The more anything is connected and the more readily it's available, then the less secure it is."