FTD.com hole leaks personal information

The flaw allowed a person to use a modified "cookie" to easily access customer information from the company's servers, said Gerald Quakenbush, an information security analyst for Internet and e-business consulting service Fusion Alliance. Cookies are snippets of data that reside on a person's computer, linking that PC to information and personalized sites on the Web.

"You can steal any customer's information from the site," Quakenbush said in an interview with CNET News.com on Thursday, the eve of Valentine's Day. The security problem exposed customer billing records, including name, address and phone number, by changing a simple number, he added. A specific customer couldn't be targeted by name, only randomly by changing numbers in an FTD.com cookie.

FTD.com confirmed the problem late Thursday.

"We have identified that a hacker could maliciously and illegally access some levels of the site," said Dan Smith, executive vice president of FTD.com.

Quakenbush said credit card numbers were being exposed as of Wednesday, but Smith denied that, describing the leaked data as "contact information."

"We have no verification at all that credit card numbers may have been stolen," Smith said, adding that the hole had been fixed.

Quakenbush discovered the flaw on Tuesday, when a co-worker attempting to order flowers from FTD.com found another person's information appearing in his browser. Quakenbush found that separate computers could access customer data just by copying the cookie data from one PC to the other. Moreover, the identifiers used by FTD.com's e-commerce system were seemingly sequential, not random, making it easier to guess the numbers of other valid cookies, he said.

A combination of predictable identifiers for customer transactions and the site's allowance for nonencrypted transactions could allow anyone to guess valid identifiers for previous customer transactions and, as a result, view customer and credit card information, he explained.

The security researcher sent an advisory to security mailing list NTBugTraq on Wednesday to warn customers of the danger. The advisory was subsequently posted, making the information public.

"The session logic is about as simple as a session logic can get--they use an integer to track unique visitors, and the integer is simply incremented from one user to another," he wrote in the advisory. "To retrieve someone else's confidential information...one only needs to transmit a simple request and vary a cookie value in order to read client data."

Most people who have used the Web could do the attack. "Anyone who has read 'HTML for Dummies' has the prerequisites for this attack," Quakenbush said.

As of Thursday afternoon, a least one other researcher had confirmed that customer data including names, addresses and phone numbers--but not credit card information--could be accessed. David Dittrich, senior security engineer for the University of Washington, confirmed that customer information could easily be mined from the site. In doing the research, he accessed only his own records and those that Quakenbush had entered.

Both researchers theorized that FTD.com had implemented a workaround to disallow easy access to the credit card numbers.

FTD.com's Smith did not acknowledge that the company had put any countermeasures in place, adding, "We know for a fact that the credit card information isn't obtainable." When asked if the credit card information was vulnerable on Wednesday, Smith answered, "Not to my knowledge."

The University of Washington's Dittrich said that even if the company had exposed just personal information that could still be dangerous.

"The fact that they are giving some customer information out by simply knowing a value is still a problem," he said. "Because I could get a transaction that (someone) did days ago, means that a competitor could data-mine the site."

And a scam artist armed "with that much information would be nasty," he added.

FTD.com's e-commerce system was created by Canadian company Novator Systems, although FTD.com may have altered the system.

Mark Fox, chief executive of Novator, wouldn't comment on the FTD.com issues, but he said other clients would not be affected and referred all questions to FTD.com.