E-tailers scramble to fix security holes

Some e-commerce sites still have their order logs--containing customers' personal information--on publicly accessible pages.

3 min read
As reports come to light of security breaches exposing customer order data on dozens of e-commerce sites, software programmers and computer technicians are scrambling to tell customers how to solve the problems.

But despite their efforts, some sites are still exposing customer names, addresses, and credit card numbers. This afternoon, CNET News.com found seven sites whose order logs were still exposed.

Joe Harris, a computer technician in Bellevue, Washington, discovered the breaches last week on some 130 e-commerce Web sites. The problems stem from sites that place unencrypted order logs in publicly accessible directories. Sites can close the breach by encrypting the logs, placing the logs in password-protected directories, or both.

Software vendors say Web designers and Web host are to blame for the breaches, even though many took steps Thursday to help their customers close their security holes.

More than 100 of the sites found to have the security breach were using Extropia's WebStore software. Extropia president Eric Tachibana posted a note today on the company's homepage warning WebStore users about the problem.

Tachibana, who is also know by his programming name Selena Sol, said he planned to follow that up by sending email to Extropia's mailing list describing the breach and detailing several fixes to the problem. He said he also planned to track down Web sites with the breach and send them the same information.

"I figure that NONE of the bad store admins will contact me about it, because if they were the kind of people who would contact me, they would be the kind of people who would have done it right," Tachibana wrote in an email.

Tachibana said there are "several thousand" copies of WebStore installed on the Web.

Harris found more than 15 Web sites using Merchant OrderForm with security breaches. Russell Alexander, who wrote the program, said he planned to send a notice about the problem and a fix to his 300-400 registered users this weekend.

Although Merchant OrderForm does not have encryption built into it, Alexander said the program includes instructions on how to secure the order logs. He said that normally the logs are turned off, meaning that no customer data is collected in the order file.

"The best thing to do is to just not turn on the log files," Alexander said.

While Tachibana and Alexander were simply notifying users of the problem and providing fixes, Rick Hoelle spent 20 hours writing an update to his company's QuikStore program. Although Harris said he only found three breaches in the QuikStore software, he called it "one of the most dangerous of the lot."

According to Harris, the QuikStore installations exposed a configuration file from which Web users could find the system administrator's user name and password. That information could then be used to hack the site, not only allowing users to view sensitive files, but to change and delete them as well.

Hoelle said he had already sent QuikStore's registered users an update that would encrypt the user names and passwords. He said a subsequent update would also encrypt log files. Saying that he had already posted information about the breach on a company bulletin board, Hoelle added that planned to update the program's documentation as well.

"We know that we have a responsibility to fix this for our customers and their customers," Hoelle said.

Harris, who discovered the problem last week, sent out an initial message concerning the breaches on the Bugtraq listserv on Monday. Harris, a computer technician at Blarg Online Services in Bellevue, Washington, followed that up with a more detailed message to the list on Tuesday, documenting the programs affected, the number of sites using those programs that had breaches, and the files exposed.

Harris said he wanted to alert as many Web hosts and software vendors as possible about the problem so that he wouldn't happen again. Harris said he was not surprised how the vendors have reacted.

"The last thing that people want to do is kill the golden goose that is e-commerce," Harris said.