ZDNet UK / News and Analysis / Security / Security Management

Online florist divulges customer details

By Robert Lemos, ZDNet US, 14 February, 2003 14:50

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Fusion, Privacy, Customer, reveal, ftd, florist, Quakenbush, Gerald, Cookie, flowers, Malicious, Online, Security

NEWS
A security flaw at FTD.com left private information open to harvesting this week, one of the busiest of the year for the online florist. The flaw allowed a person to use a modified "cookie" to easily access customer information from the company's servers, said Gerald Quakenbush, an information security analyst for Internet and e-business consulting service Fusion Alliance. Cookies are snippets of data that reside on a person's computer, linking that PC to information and personalised sites on the Web. "You can steal any customer's information from the site," Quakenbush said in an interview with CNET News.com on Thursday, the eve of Valentine's Day. The security problem exposed customer billing records, including name, address and phone number, by changing a simple number, he added. A specific customer couldn't be targeted by name, only randomly by changing numbers in an FTD.com cookie. FTD.com confirmed the problem late on Thursday. "We have identified that a hacker could maliciously and illegally access some levels of the site," said Dan Smith, executive vice president of FTD.com. Quakenbush said credit card numbers were being exposed as of Wednesday, but Smith denied that, describing the leaked data as "contact information." "We have no verification at all that credit card numbers may have been stolen," Smith said, adding that the hole had been fixed. Quakenbush discovered the flaw on Tuesday, when a co-worker attempting to order flowers from FTD.com found another person's information appearing in his browser. Quakenbush found that separate computers could access customer data just by copying the cookie data from one PC to the other. Moreover, the identifiers used by FTD.com's e-commerce system were seemingly sequential, not random, making it easier to guess the numbers of other valid cookies, he said. A combination of predictable identifiers for customer transactions and the site's allowance for nonencrypted transactions could allow anyone to guess valid identifiers for previous customer transactions and, as a result, view customer and credit card information, he explained. The security researcher sent an advisory to security mailing list NTBugTraq on Wednesday to warn customers of the danger. The advisory was subsequently posted, making the information public. "The session logic is about as simple as a session logic can get -- they use an integer to track unique visitors, and the integer is simply incremented from one user to another," he wrote in the advisory. "To retrieve someone else's confidential information...one only needs to transmit a simple request and vary a cookie value in order to read client data." Most people who have used the Web could do the attack. "Anyone who has read 'HTML for Dummies' has the prerequisites for this attack," Quakenbush said. As of Thursday afternoon, a least one other researcher had confirmed that customer data including names, addresses and phone numbers -- but not credit card information -- could be accessed. David Dittrich, senior security engineer for the University of Washington, confirmed that customer information could easily be mined from the site. In doing the research, he accessed only his own records and those that Quakenbush had entered. Both researchers theorised that FTD.com had implemented a workaround to disallow easy access to the credit card numbers. FTD.com's Smith did not acknowledge that the company had put any countermeasures in place, adding, "We know for a fact that the credit card information isn't obtainable." When asked if the credit card information was vulnerable on Wednesday, Smith answered, "Not to my knowledge." The University of Washington's Dittrich said that even if the company had exposed just personal information that could still be dangerous. "The fact that they are giving some customer information out by simply knowing a value is still a problem," he said. "Because I could get a transaction that (someone) did days ago, means that a competitor could data-mine the site." And a scam artist armed "with that much information would be nasty," he added. FTD.com's e-commerce system was created by Canadian company Novator Systems, although FTD.com may have altered the system. Mark Fox, chief executive of Novator, wouldn't comment on the FTD.com issues, but he said other clients would not be affected and referred all questions to FTD.com.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section. Let the editors know what you think in the Mailroom.

Related stories

Web firms 'must learn from cookie close shave'

Inland Revenue to take measures against tax record snooping

Spyware hits one-third of European businesses

Data leaks cost Midlothian a record £140k fine

Google-backed DMARC system aims to block phishers

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

10 minutes ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

15 minutes ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Moley

For Gnome 2 die-hards, it is possible to add icons to the bottom panel (or top top panel, if you prefer) which provide the exact Gnome 2...

60 minutes ago by Moley on A tale of two distros: Ubuntu and Linux Mint
ramwellian

Your comments would seem pretty naive and immature. Your 'solution' appears to be, "gee, let's all just give in to the hackers and give them...

1 hour ago by ramwellian on Cloud computing security: no more oxymoron?
BugStalker

"Interesting thought ... If you installed Win7 as a dual boot on a machine that previously only had Linux, and it wrecked your Linux installation,...

2 hours ago by BugStalker on Windows 7 Declares War on GRUB
whs001

This is an excellent summary of Ubuntu and Mint and the interface differences between them. Most such articles take a very partisan position for...

2 hours ago by whs001 on A tale of two distros: Ubuntu and Linux Mint
Moley

@ewallace. Not so clear. Anyone can obtain the text, for example from here http://www.ustr.gov/webfm_send/2379. I support ACTA so long as it and...

2 hours ago by Moley on ACTA: Facts, misconceptions and questions
45283

I think WinRT is fantastic. I just wish it was an option for people that didn't want to go through Microsoft's App Store with its attendant...

5 hours ago by 45283 on Why Windows 8 needs architectural hygiene for WOA
Burn-IT

Nine people? £30m? Who's back pocket is that lot going in? And IF they say it is for new buildings, what about all the ones the government has...

6 hours ago by Burn-IT on Police set to launch three £30m e-crime hubs
ewallace

Just to be clear, nobody knows what is in the text of ACTA, here is a photograph of the text of ACTA http://twitpic.com/8h9iju as submitted to the...

6 hours ago by ewallace on ACTA: Facts, misconceptions and questions
fgvrg56

Unfortunately main issue is that ASUS is refusing to accept that they make some mistake on this version of asus Transformer prime. 1 - GPS sensor...

7 hours ago by fgvrg56 on Asus Eee Pad Transformer Prime Wi-Fi & GPS problems?
Ben Woods

@Marcus A fair question. Just talked with Archos which said it was working on an announcement for next week....

8 hours ago by Ben Woods on Archos confirms G9 Ice Cream Sandwich update schedule
Marcus Karlsson

Any update on this, considering the claimed "first week of February"?

10 hours ago by Marcus Karlsson via Facebook on Archos confirms G9 Ice Cream Sandwich update schedule
apexwm

Bill Goodrich : Just as al_langevin pointed out, with Windows Server 2008 there is no Services for Macintosh anymore. It's gone, not available....

18 hours ago by apexwm on Windows Server 2008 drops the ball for Mac compatibility
txtrainguy

Replying to an old topic that I'm currently facing with my CEO (who is on a Mac). Our servers are primarily Windows Servers, office is about...

1 day ago by txtrainguy on Windows Server 2008 drops the ball for Mac compatibility
k0tcs3

Sure, that makes perfect sense. Pay wrong-doers money and thank them for breaching your security and pointing out your flaws, that would surely...

1 day ago by k0tcs3 on US indicts Romanian over NASA climate change hack
Random_Error

I think he's referring specifically to Android apps, as Apple do regulate their App Store, but Google seem to let any old crap onto the Android store!

1 day ago by Random_Error on RIM: BlackBerry will keep 'garbage' apps out of store
Paul Fezziwig

Keep the crap apps out?! How will they compete with Android and Apple's claim to fame of having so many life changing apps? I wonder if the media...

1 day ago by Paul Fezziwig via Facebook on RIM: BlackBerry will keep 'garbage' apps out of store
Aigars Mahinovs

It has been shown time after time that if there is an author store that sells the songs at even 1$ per song and gives you a high-quality digital...

1 day ago by Aigars Mahinovs via Facebook on Copyright isn't working, says European Commission
awbMaven

""As a result of Butyka's alleged conduct, researchers were unable to use the computers for more than two months while NASA removed the malicious...

1 day ago by awbMaven on US indicts Romanian over NASA climate change hack

Latest in Security Management

Data leaks cost Midlothian a record £140k fine

Google-backed DMARC system aims to block phishers

Ten ways to take the sting out of IT disasters

Featured white papers

2012 Olympics: Is your business prepared?

Symantec.cloud

2012 Olympics: Is your business prepared?

The Olympics are coming to London, and this factsheet can help businesses to get ready for the... Read more

10 safety tips for business in 2012

Symantec.cloud

10 safety tips for business in 2012

From cloud computing to remote working, your business should consider these ways to keep your business secure as traditional IT... Read more

Keeping safe from organised cybercrime

Symantec.cloud

Keeping safe from organised cybercrime

As cyber-criminals become increasingly coordinated in their cross-medium attacks, a solid, communicating and... Read more

Inside ZDNet UK

A tale of two distros: Ubuntu and Linux Mint

A tale of two distros: Ubuntu and Linux Mint

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

BlackBerry Bold 9790

BlackBerry Bold 9790

Case study: How cloud enables growth

Case study: How cloud enables growth

Ten factors that make Ubuntu 11.10 a hit

Ten factors that make Ubuntu 11.10 a hit

Toshiba Portégé Z830-10P Review

Toshiba Portégé Z830-10P Review

BT's archive: Pictures from the vault

BT's archive: Pictures from the vault