Message-ID: <54833.207.81.153.6.1089435986.squirrel@207.81.153.6>
From: eric at arcticbears.com (Eric Paynter)
Subject: Chapters/Indigo Website Personal Information Leak
Seven months after initial contact, but only two days after posting on FD,
Chapters/Indigo has fixed the problems documented below. One more website
is a little safer thanks to FD.
Thanks also go to list member Terry Erickson for assisting with the
escalation process. Knowing who to forward the email to is invaluable, and
I knew that posting on FD would find somebody who could get the disclosure
into the right hands.
-Eric
On Wed, July 7, 2004 3:26 pm, Eric Paynter said:
> I. SUMMARY
>
> The Chapters/Indigo website (http://www.chapters.indigo.ca/) is vulnerable
> to user name guessing at the login screen and personal information leaks
> (name and address) in the Wish List function.
>
>
> II. BACKGROUND
>
> Chapters/Indigo is the largest book vendor in Canada, having over C$800M
> in annual revenue in the 12 months ending April, 2004. The
> www.chapters.indigo.ca website offers books, CDs, DVDs, videos, and a
> variety of gifts and jewelry for sale over the Internet.
>
>
> III. IMPACT
>
> Determining a matching username and password is very difficult. However,
> guessing one or the other on its own is several orders of magnitude
> easier. The system is nice enough to allow an attacker to work first at
> getting user names, and then to attempt to guess passwords for the valid
> names. Once a valid combination is found, the attacker has full access to
> the user's account and can order items, have them shipped to alternate
> overseas addresses, steal credit card information, etc.
>
> A wish list is keyed to an email address. If an attacker knows a user's
> email address, they can use the wish list to determine the user's full
> name and address. There is no warning that the website will give out this
> information to arbitrary third parties. As a matter of fact, when the user
> enters their personal information, they are repeatedly assured that their
> personal information will be secure.
>
>
> IV. VENDOR NOTIFICATION
>
> Chapters/Indigo was originally notified in November, 2003. There was some
> discussion via email in an attempt to convince them that this was not
> simply a user error. After several exchanges, they still would not
> acknowledge that there was a problem, but they did indicate that
> management had been informed of the situation and that the website would
> be updated to be more "user friendly".
>
> As of July 6, 2004, the problems still exist.
>
>
> V. SAMPLE EXPLOITS
>
> 1. User Name Leak in Login Screen
>
> User names at www.chapters.indigo.ca are based on email addresses. At the
> login page, by typing in a valid email address and invalid password, the
> error "the password entered is not correct" is displayed. If an invalid
> email address and some random (non-blank) password is entered, the error
> "the e-mail address provided cannot be found" is displayed.
>
> 2. Personal Information Leak in Wish List Function
>
> Equipped with a list of valid user names, an attacker may be able to obtain
> additional personal information about users. If a user has created a Wish
> List, then anybody can view it, simply by entering the user's email
> address. The wish list not only displays the user's list of desired
> products, it also allows anybody to purchase those products for the user.
> If an item is selected from the Wish List and then the attacker proceeds
> to "check out", the website will display the user's full name and address
> as confirmation of the destination for shipping. This is *not* the name
> and address from the attacker's profile. This is the name and address of
> the Wish List owner, which was obtained simply by knowing the user's email
> address.
>
>
> VI. WORKAROUNDS
>
> 1. User Name Leak in Login Screen
>
> Find a new online retailer for your books etc.
>
> 2. Personal Information Leak in Wish List Function
>
> Remove the shipping address from the wish list. This can be done by
> following the "manage wish list" link. The default is to present the
> user's last used shipping information, but this can be overridden to be
> any arbitrary address, including null.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
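The user-name leak from sample exploit 1, as an added example that is not code from the advisory or from the vendor: a login check that returns the two distinct messages the post quotes, beside a hardened version that returns one message and does the same hashing work whether or not the e-mail address exists. The user store, e-mail addresses and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample user store: email -> (salt, pbkdf2 hash). Demo data only.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown e-mail costs the same work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("unused", _DUMMY_SALT)

GENERIC_ERROR = "The e-mail address or password is incorrect."

def login_vulnerable(email: str, password: str) -> tuple:
    """Mirrors the advisory: the error text reveals whether the e-mail
    address exists, so user names can be confirmed before any password
    guessing starts."""
    record = USERS.get(email)
    if record is None:
        return False, "the e-mail address provided cannot be found"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "the password entered is not correct"
    return True, "ok"

def login_hardened(email: str, password: str) -> tuple:
    """One message for both failure causes, and identical hashing work
    for unknown addresses, so neither the text nor the response time
    tells a valid user name from an invalid one."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if email not in USERS:
        ok = False  # the dummy record must never grant access
    return (True, "ok") if ok else (False, GENERIC_ERROR)

def distinguishes_users(login) -> bool:
    """True when the failure message differs between a valid and an
    unknown e-mail address, i.e. the login page leaks user names."""
    _, msg_known = login("alice@example.com", "wrong")
    _, msg_unknown = login("nobody@example.com", "wrong")
    return msg_known != msg_unknown
```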