As reports come to light of security breaches exposing customer
order data on dozens of e-commerce sites, software programmers and computer technicians are scrambling to tell customers how to solve the problems.
But despite their efforts, some sites are still exposing customer names, addresses, and credit card numbers. This afternoon, CNET News.com found seven sites whose order logs were still exposed.
Joe Harris, a computer technician in Bellevue, Washington, discovered the breaches last week on some 130 e-commerce Web sites. The problems stem from sites that place unencrypted order logs in publicly accessible directories. Sites can close the breach by encrypting the logs, placing the logs in password-protected directories, or both.
Software vendors say Web designers and Web hosts are to blame for the breaches, though many of the vendors nonetheless took steps Thursday to help their customers close the security holes.
More than 100 of the sites found to have the security breach were using Extropia's WebStore software. Extropia
president Eric Tachibana posted a note today on the company's homepage warning WebStore users about the problem.
Tachibana, who is also known by his programming name Selena Sol, said he
planned to follow that up by sending email to Extropia's mailing list
describing the breach and detailing several fixes to the problem. He said
he also planned to track down Web sites with the breach and send them the
"I figure that NONE of the bad store admins will contact me about it,
because if they were the kind of people who would contact me, they
would be the kind of people who would have done it right," Tachibana wrote
in an email.
Tachibana said there are "several thousand" copies of WebStore installed on
Harris found more than 15 Web sites using Merchant OrderForm
with security breaches. Russell Alexander, who wrote the program, said he
planned to send a notice about the problem and a fix to his 300-400
registered users this weekend.
Although Merchant OrderForm does not have encryption built into it,
Alexander said the program includes instructions on how to secure the order
logs. He said that normally the logs are turned off, meaning that no customer
data is collected in the order file.
"The best thing to do is to just not turn on the log files," Alexander said.
While Tachibana and Alexander were simply notifying users of the problem
and providing fixes, Rick Hoelle spent 20 hours writing an update to his
company's QuikStore program.
Although Harris said he only found three breaches in the QuikStore
software, he called it "one of the most dangerous of the lot."
According to Harris, the QuikStore installations exposed a configuration
file from which Web users could find the system administrator's user name
and password. That information could then be used to hack the site, allowing
users not only to view sensitive files but also to change and delete them.
Hoelle said he had already sent QuikStore's registered users an update that
would encrypt the user names and passwords. He said a subsequent update
would also encrypt log files. Saying that he had already posted information
about the breach on a company bulletin board, Hoelle added that he planned to
update the program's documentation as well.
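The fix described earlier for the order logs (keep them out of public directories or password-protect the directory) applies equally to the QuikStore configuration file that held the administrator's credentials. The following is an added example, not code from the article or from Extropia, Merchant OrderForm or QuikStore: a small Python audit that, for each store data file, reports whether it sits under the web server's document root and, if so, whether an Apache-style .htaccess in that directory denies web access or requires a password. It assumes a server that serves anything under the document root unless a .htaccess says otherwise; the directory names, file names and .htaccess contents below are constructed for illustration.

```python
"""Audit whether a CGI store's data files are reachable through the web server.

Added example. Assumptions (hypothetical): an Apache-style server that serves
every file under DOCROOT unless a .htaccess in the same directory denies it or
requires authentication. All paths and .htaccess contents here are constructed.
"""
import re
from pathlib import PurePosixPath

# "deny from all" (Apache 2.2) or "Require all denied" (Apache 2.4) blocks web access.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
# A "Require valid-user" / "Require user ..." line means the directory is password-protected.
AUTH_RE = re.compile(r"^\s*require\s+(valid-user|user\s+\S+)", re.I | re.M)


def under_docroot(docroot, path):
    """True if path lies below docroot (component-wise, so /htdocs_old is not under /htdocs)."""
    try:
        PurePosixPath(path).relative_to(PurePosixPath(docroot))
        return True
    except ValueError:
        return False


def protection(htaccess_text):
    """Classify what a directory's .htaccess does: 'denied', 'password' or 'none'.

    Note that 'Options -Indexes' only hides the directory listing; a file is still
    served to anyone who knows its URL, so it counts as 'none' here.
    """
    if htaccess_text is None:
        return "none"
    if DENY_RE.search(htaccess_text):
        return "denied"
    if AUTH_RE.search(htaccess_text):
        return "password"
    return "none"


def audit(docroot, files, htaccess):
    """files: {absolute path: description}; htaccess: {directory: .htaccess text}.

    Returns a list of (path, description, verdict) tuples, one per file.
    """
    findings = []
    for path, kind in files.items():
        if not under_docroot(docroot, path):
            findings.append((path, kind, "ok: outside document root"))
            continue
        prot = protection(htaccess.get(str(PurePosixPath(path).parent)))
        if prot == "none":
            verdict = "EXPOSED: served to anyone who knows the URL"
        elif prot == "password":
            verdict = "guarded: password-protected directory"
        else:
            verdict = "guarded: directory denies web access"
        findings.append((path, kind, verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample installation: one log under a password-protected directory,
    # one config file in a directory with no .htaccess at all, one log kept outside
    # the document root entirely.
    DOCROOT = "/home/store/public_html"
    FILES = {
        "/home/store/public_html/cgi-bin/orders/order.log": "order log",
        "/home/store/public_html/cgi-bin/store.cfg": "config file with admin password",
        "/home/store/private/order.log": "order log",
    }
    HTACCESS = {
        "/home/store/public_html/cgi-bin/orders": "AuthType Basic\nAuthName store\nRequire valid-user\n",
    }
    for path, kind, verdict in audit(DOCROOT, FILES, HTACCESS):
        print(f"{verdict:45} {kind:32} {path}")
```

Moving the file outside the document root is the only verdict that does not depend on the web server honouring a .htaccess (a misconfigured `AllowOverride` silently disables it), which is why the audit treats that case as "ok" rather than "guarded". Encryption is not modelled: an encrypted log under the document root is still downloadable, just less immediately useful to whoever fetches it.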
"We know that we have a responsibility to fix this for our customers and
their customers," Hoelle said.
Harris, who discovered the problem last week, sent out an
initial message concerning the breaches on the Bugtraq listserv on Monday.
Harris, a computer technician at Blarg
Online Services in Bellevue, Washington, followed that up with a more
detailed message to the list on Tuesday, documenting the programs affected,
the number of sites using those programs that had breaches, and the files
Harris said he wanted to alert as many Web hosts and software vendors as
possible about the problem so that it wouldn't happen again. Harris said he
was not surprised by how the vendors have reacted.
"The last thing that people want to do is kill the golden goose that is
e-commerce," Harris said.