By using the tool, as well as a specially formatted Web address that takes advantage of a second flaw in server software, anyone can get the usernames and passwords for every account, including the administrator's, on sites using IBM's Net.Commerce and WebSphere Commerce Suite software.
"Once you got the username and the decrypted password, you can log in at the site," the two hackers, identified only as "xor37h" and "darkman," wrote in instructions that accompanied the hacking tool.
A quick search of the Web by CNET News.com found almost a dozen Web sites that are vulnerable to the one-two security punch, including three university stores, two online jewelry sites, a shoe store, a bicycle manufacturer, a home-appliance maker and a bookstore. In their online description of the tool, the two hackers reported that their search of the Web revealed more than 300 vulnerable sites.
IBM confirmed the flaw in a posting Thursday to the Bugtraq security mailing list, and it asked customers using its older servers to use existing patches to fix the problems.
This "could expose some Web sites that have not taken preventative action," Ed Kilroy, general manager of IBM's Electronic Commerce group, said in a statement to customers.
The flaws affect Version 4.1 of IBM's WebSphere Commerce Suite and version 3.2 of Net.Commerce, Kilroy said in the statement. Users of the latest version of IBM's WebSphere server software are protected, as are people who have installed the fixes recommended by IBM last month.
To break into a site, an online thief would first use a specially formatted Web address, or URL, that executes unsecured macros on the Web commerce server. The macro flaw, discovered by Rudi Carell and posted to the Bugtraq mailing list last month, causes the software to list every account on the system and the encrypted passwords.
IBM had previously identified the problem with the software's macros in February 1999 and recommended a workaround at the time.
Xor37h and darkman found that most servers use a fixed key to encrypt the password, making it easy to decrypt them. While a feature on IBM's servers allows the site's administrator to change the key, most administrators have not, they said in their online statement.
The hacker duo asked others not to exploit the flaws. Doing so "is anything but legal and we strong advice (sic) people not to use the application illegally," they said.
Their site detailing the flaw and providing the tool appeared to be unavailable on Thursday.