Major security flaws in two Web sites allowed CNET to gain access to databases and obtain credit card and other sensitive information, providing hard evidence that such breaches are not confined to theory or laboratory research.
In the case of the first Web site, BookSite, CNET was able to obtain credit card information, phone numbers, and other customer data. Another site, for Upside magazine,
contained less sensitive information, but CNET was able to gain access to the magazine's private mailing list. The sites were notified this afternoon of the security problems and have fixed them.
Both BookSite and Upside use database software called Texis from Thunderstone, although officials of that company and security analysts said breaches could have occurred on sites using databases from other companies. The company lays the responsibility at the doorstep of Webmasters who, they warn, must be vigilant about security details when setting up their sites.
The security holes were plugged easily once the sites knew they existed. However, the problems underscored the ease with which systems thought to be secure can be penetrated, despite often-repeated claims by companies and software manufacturers that such breaches are rare and reported only by researchers and engineers.
The security holes found at the two Web sites allowed CNET to display private information by entering database queries directly from Web browsers, although the information should be available only from inside the company's firewall. The security problems on both sites were the result of improperly configured databases that granted access to anonymous users, rather than strictly limiting access to authorized users of the Web servers.
But as many skeptical online consumers or information system managers will say, the problems are certain to go far beyond these two sites.
"It's just part of working with a database. Every SQL database out there has specific grants and revokes," said Bart Richards, CEO of Thunderstone. "The alternative is that we could ship Texis with locked permissions. You wouldn't believe the number of phone calls we would get from people who say they can't connect to their server."
Net security experts concurred that security problems can easily affect Web sites using other databases, but that problems like these can be easily avoided.
"All of these database products ship in a very poor state
security-wise," said John Pescatore, senior consultant for Trusted Information Systems. "But there are some standard Web guidelines to prevent this."
These kinds of security holes related to the use of back-end databases point to a growing problem for Web sites that accept private information over the Net. "I wouldn't say it's widespread but it's growing," said Dave Kennedy, the lead information security analyst at the National Computer Security Association. "In general, Webmasters have to be very scrupulous in services they provide through their Web servers."
Although most users would not notice the security hole, a user familiar with SQL, the standard language for creating database queries, could detect the problem by analyzing the HTML coding on a Web page.