Sometimes, some stuff should just stay private...

Thursday, April 01, 2010

Jason Remillard


Cross Posted from:

As reported in the past few days, a site selling Durex condoms has had a small 'exposure' problem. As reported, the site had been suffering (for how long is unknown) from several basic security exposures, including even allowing orders to be viewed online, without a login, simply by changing the order number!

I know that this is a 'simple' mistake, but come on folks.. This isn't 1998, where you wrote apps in MS Access and wrapped a report around it! This is (was?) a fully fledged shopping system, with um...confidential information regarding previous orders (hmmm.....size...color...flavors???)

According to the lawsuit, the company took quick action to pinch off the problem, but who knows how long the problem was exposed? What is more interesting to me is that this problem was found by an unsophisticated user. I mean, he wasn't a cracker, malware engineer or depth-defying trojan writer. He was a customer that said, "Hmm... I wonder".... Perhaps we can all take a lesson from this scenario and consider thinking not just outside of the box with security, but also using what I suppose are accidental techniques to test services and applications. I'm sure my tester friends have a technical term for this, but it just goes to show that sometimes 'what if' is a testing parameter.
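As an added example (not code from this post or from the site in question), here is the defect described above modelled in Python: an order lookup keyed only on the order number, the fixed handler that requires a login and scopes the lookup to the logged-in customer, and a small access-log check that flags a client walking consecutive order numbers. All names, order data and log entries are constructed.

```python
from typing import List, Optional, Tuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    order_id: int
    customer: str   # account that placed the order
    items: tuple    # what was bought

# Constructed stand-in for the shop's order table; no real data.
ORDERS = {
    1001: Order(1001, "alice", ("item-A",)),
    1002: Order(1002, "bob", ("item-B", "item-C")),
}

class Forbidden(Exception):
    """Raised when no customer is logged in."""

def view_order_vulnerable(order_id: int, session_user: Optional[str]) -> Optional[Order]:
    """The exposure: the order number is the only key, so anyone, logged in
    or not, can read any order just by changing the number."""
    return ORDERS.get(order_id)

def view_order_fixed(order_id: int, session_user: Optional[str]) -> Optional[Order]:
    """Authorization per object: require a login and scope the lookup to the
    logged-in customer, so a guessed number for another's order yields nothing."""
    if session_user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or order.customer != session_user:
        # Same answer for "not yours" and "does not exist": no confirmation of valid ids.
        return None
    return order

def flag_enumeration(log: List[Tuple[str, int]], window: int = 5) -> List[str]:
    """Detection hint: flag any client whose requested order numbers contain a
    run of at least `window` consecutive values. `log` holds constructed (client, order_id) pairs."""
    by_client = {}
    for client, oid in log:
        by_client.setdefault(client, []).append(oid)
    flagged = []
    for client, ids in by_client.items():
        ids, run = sorted(set(ids)), 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= window:
                flagged.append(client)
                break
    return flagged
```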

Usually conversations in this context deal with adult-content oriented websites - those are usually the first and most often attacked.  Considering this case, things are a little different but no less important - the last thing you want is your customer information all piled up in someone else's control. 

On a better note, our facebook group seems to be cooking now, over 170 fans now.  Even better, our WordPress Security Plugin is getting great play - over 500 Installs now!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
