From: eric at arcticbears.com (Eric Paynter)
Subject: Chapters/Indigo Website Personal Information Leak

Seven months after initial contact, but only two days after posting on FD,
Chapters/Indigo has fixed the problems documented below. One more website
is a little safer thanks to FD.

Thanks also go to list member Terry Erickson for assisting with the
escalation process. Knowing who to forward the email to is invaluable, and
I knew that posting on FD would find somebody who could get the disclosure
into the right hands.

-Eric

On Wed, July 7, 2004 3:26 pm, Eric Paynter said:
> I. SUMMARY
>
> The Chapters/Indigo website (http://www.chapters.indigo.ca/) is vulnerable
> to user name guessing at the login screen and personal information leaks
> (name and address) in the Wish List function.
>
>
> II. BACKGROUND
>
> Chapters/Indigo is the largest book vendor in Canada, having over C$800M
> in annual revenue in the 12 months ending April, 2004. The
> www.chapters.indigo.ca website offers books, CDs, DVDs, videos, and a
> variety of gifts and jewelry for sale over the Internet.
>
>
> III. IMPACT
>
> Determining a matching username and password is very difficult. However,
> guessing one or the other on its own is several orders of magnitude
> easier. The system is nice enough to allow an attacker to work first at
> getting user names, and then to attempt to guess passwords for the valid
> names. Once a valid combination is found, the attacker has full access to
> the user's account and can order items, have them shipped to alternate
> overseas addresses, steal credit card information, etc.
>
> A wish list is keyed to an email address. If an attacker knows a user's
> email address, they can use the wish list to determine the user's full
> name and address. There is no warning that the website will give out this
> information to arbitrary third parties. As a matter of fact, when the user
> enters their personal information, they are repeatedly assured that their
> personal information will be secure.
>
>
> IV. VENDOR NOTIFICATION
>
> Chapters/Indigo was originally notified in November, 2003. There was some
> discussion via email in an attempt to convince them that this was not
> simply a user error. After several exchanges, they still would not
> acknowledge that there was a problem, but they did indicate that
> management had been informed of the situation and that the website would
> be updated to be more "user friendly".
>
> As of July 6, 2004, the problems still exist.
>
>
> V. SAMPLE EXPLOITS
>
> 1. User Name Leak in Login Screen
>
> User names at www.chapters.indigo.ca are based on email addresses. At the
> login page, by typing in a valid email address and invalid password, the
> error "the password entered is not correct" is displayed. If an invalid
> email address and some random (non-blank) password is entered, the error
> "the e-mail address provided cannot be found" is displayed.
>
> 2. Personal Information Leak in Wish List Function
>
> Equipped with a list of valid user names, an attacker may be able to obtain
> additional personal information about users. If a user has created a Wish
> List, then anybody can view it, simply by entering the user's email
> address. The wish list not only displays the user's list of desired
> products, it also allows anybody to purchase those products for the user.
> If an item is selected from the Wish List and then the attacker proceeds
> to "check out", the website will display the user's full name and address
> as confirmation of the destination for shipping. This is *not* the name
> and address from the attacker's profile. This is the name and address of
> the Wish List owner, which was obtained simply by knowing the user's email
> address.
>
>
> VI. WORKAROUNDS
>
> 1. User Name Leak in Login Screen
>
> Find a new online retailer for your books etc.
>
> 2. Personal Information Leak in Wish List Function
>
> Remove the shipping address from the wish list. This can be done by
> following the "manage wish list" link. The default is to present the
> user's last used shipping information, but this can be overridden to be
> any arbitrary address, including null.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
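The login-screen oracle described in the quoted advisory (distinct error strings for "unknown e-mail" and "wrong password") is the classic username-enumeration bug. The following is an added example, not code from the original post or from Chapters/Indigo: it models a login handler with that behaviour next to a hardened one, and shows how an attacker turns the two messages into a list of valid accounts. The account store, the PBKDF2 hash scheme and all function names are assumptions made for illustration; only the two error messages are taken from the post.

```python
# Added example, not code from the original post or from Chapters/Indigo.
# The account store, hash scheme and function names are assumptions made
# for illustration; only the two error strings come from the advisory.
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 cost; any deliberately slow hash would do


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample account store: e-mail -> (salt, password hash).
_SALT = os.urandom(16)
ACCOUNTS = {
    "alice@example.com": (_SALT, _hash("correct horse", _SALT)),
}

# Dummy credential so that unknown e-mails still cost one hash computation;
# otherwise response time would reveal whether the e-mail exists even when
# the error message does not.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_vulnerable(email, password):
    """Behaviour described in the advisory: the error text tells the caller
    which of the two credentials was wrong."""
    if email not in ACCOUNTS:
        return False, "the e-mail address provided cannot be found"
    salt, stored = ACCOUNTS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "the password entered is not correct"
    return True, "ok"


def login_hardened(email, password):
    """Same check, but one message for every failure and the same hashing
    work whether or not the e-mail exists."""
    salt, stored = ACCOUNTS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    computed = _hash(password, salt)  # always computed, even for unknown e-mails
    ok = hmac.compare_digest(computed, stored) and email in ACCOUNTS
    if not ok:
        return False, "the e-mail address or password is incorrect"
    return True, "ok"


def enumerate_valid(login, candidates):
    """Attacker's side. Submit the same wrong password for a canary address
    that certainly does not exist and for each candidate; any candidate whose
    failure message differs from the canary's must be a valid account.
    Returns the set of candidates the handler singled out (empty means the
    handler does not leak through its messages)."""
    probe = "definitely-not-the-password"
    canary = secrets.token_hex(8) + "@invalid.example"
    unknown_msg = login(canary, probe)[1]
    return {e for e in candidates if login(e, probe)[1] != unknown_msg}


if __name__ == "__main__":
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("vulnerable handler leaks:", enumerate_valid(login_vulnerable, guesses))
    print("hardened handler leaks:  ", enumerate_valid(login_hardened, guesses))
```

The canary trick is what makes the attacker's side robust: no prior knowledge of which string means "valid" is needed, only that a random address does not exist. Note that a single error message is necessary but not sufficient; the hardened handler also hashes a dummy credential on the unknown-e-mail path so that response time does not become the next oracle, and the same uniform behaviour has to be applied to registration and password-reset forms, which commonly leak the same fact.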