
Online Shops Expose Customer Order Data

by phiber on June 20th, 2001

Several small online shops are exposing their customer order data, including credit card numbers, because of improperly installed online shopping cart software.
Hundreds of unencrypted customer records were viewable Tuesday by anyone with a Web browser at a candle-making supply store, a computer seller, a music shop and a photographer's gallery, Newsbytes has confirmed.
The exposed sites are all running a free online shopping cart program called DCShop, from Boston-based DC Business Solutions.


On June 13, DCBS posted an advisory at its site warning DCShop operators of the security issue. The advisory states that if the program is improperly installed in a directory that allows the viewing of text files, unauthorized Internet users will be able to retrieve order data recorded by the shopping cart software. That data includes names, mailing addresses, e-mails and credit card numbers with expiration dates.



Although it was first released in 1998, DCShop is still a test or "beta" version, according to David S. Choi, owner of DC Business Solutions. A message at the DCBS site warns that the software is not recommended for commercial deployment.



Choi reported that the company does not intend to issue a patch, since it considers the problem to be a Web-server configuration issue and not a vulnerability in DCShop.



"Unfortunately there are a lot of servers out there that allow the CGI directory contents to be viewed by outsiders, which is very unsafe. No one should be leaving credit card information or anything personal on the server anyway," said Choi.
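As an added illustration (not code from the article, from DCBS or from DCShop), the check below exercises the misconfiguration the advisory describes: a cart directory whose index the web server will list, and plaintext order files under it that any client can fetch. The directory paths, file names and server responses are constructed assumptions; this page does not give DCShop's real file layout. The checker takes a fetch callback, so it runs offline against the sample responses here and can be pointed at a real host by supplying an HTTP fetcher.

```python
import re
from typing import Callable, Dict, List, Tuple

# Hypothetical locations of a DCShop install; the advisory on this page names
# no paths, so these are assumptions for the checker, not DCShop's real layout.
CANDIDATE_DIRS = ["/cgi-bin/dcshop/", "/cgi-bin/dcshop/orders/"]

# Strings an Apache-style auto-generated directory index contains.
LISTING_MARKERS = ("Index of /", "Parent Directory")

# 13-16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

Fetcher = Callable[[str], Tuple[int, str]]  # path -> (HTTP status, body)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the Luhn-valid 13-16 digit numbers found in a text body."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


def listed_files(index_html: str) -> List[str]:
    """File names linked from a directory index (skips parent and sort links)."""
    return re.findall(r'href="([^"?/][^"]*)"', index_html)


def check_cart_dirs(fetch: Fetcher, dirs: List[str] = CANDIDATE_DIRS) -> Dict[str, Dict[str, List[str]]]:
    """For each browsable directory, map every retrievable file to the card
    numbers it leaks. A directory that returns anything but a 200 index, or
    whose files are not readable, produces no entry: that is the fixed state."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for d in dirs:
        status, body = fetch(d)
        if status != 200 or not any(marker in body for marker in LISTING_MARKERS):
            continue
        exposed: Dict[str, List[str]] = {}
        for name in listed_files(body):
            fstatus, fbody = fetch(d + name)
            if fstatus == 200:
                exposed[name] = find_card_numbers(fbody)
        findings[d] = exposed
    return findings


# Constructed sample responses (not real customer data) for two servers: one
# misconfigured as the advisory describes, one with indexes and file access off.
MISCONFIGURED = {
    "/cgi-bin/dcshop/orders/": (200,
        "<title>Index of /cgi-bin/dcshop/orders</title>\n"
        '<a href="?C=N;O=D">Name</a>\n'
        '<a href="/cgi-bin/dcshop/">Parent Directory</a>\n'
        '<a href="order_1001.txt">order_1001.txt</a>\n'
        '<a href="order_1002.txt">order_1002.txt</a>\n'),
    "/cgi-bin/dcshop/orders/order_1001.txt": (200,
        "name=Jane Doe\nemail=jane@example.com\ncard=4111 1111 1111 1111\nexp=12/03\n"),
    "/cgi-bin/dcshop/orders/order_1002.txt": (200,
        "name=John Roe\nemail=john@example.com\ncard=5500-0000-0000-0004\nexp=01/04\n"),
}
HARDENED = {
    "/cgi-bin/dcshop/orders/": (403, "Forbidden"),
    "/cgi-bin/dcshop/orders/order_1001.txt": (403, "Forbidden"),
}


def fetcher_for(site: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Offline stand-in for an HTTP client: unknown paths answer 404."""
    return lambda path: site.get(path, (404, "Not Found"))


if __name__ == "__main__":
    for label, site in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(label, check_cart_dirs(fetcher_for(site)))
```

Against the misconfigured sample the checker reports both order files and the card number in each; against the hardened sample it reports nothing. On Apache the corresponding fix is to turn off automatic indexes for the cart directory (`Options -Indexes`), refuse direct requests for the data files, and, as Choi says, not leave the order records on the web server at all.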



Thousands of copies of DCShop have been downloaded from the company's site, and the program, which is written in the Perl scripting language, is also available for download from numerous external sites that offer free scripts, according to Choi.



Greg Shipley, director of security consulting services with Neohapsis, Inc. in Chicago, said e-commerce sites should resist the temptation to use test versions of software, even if it is free.



"The accountability begins there. Who would roll out beta code into a production service? Especially if you're putting your customer records out onto the Net, you need to do a security audit," said Shipley.



By Brian McWilliams, Special to Newsbytes.

