Monday 8 March 2010

Argos Sending Private Data in Receipt Emails

The Register has a great story about Argos sending receipt emails with embedded HTML whose link parameters include the full unencrypted card number, CVV code, expiry date, name as printed on the card and address. Clearly a massive breach.

However, it gets more interesting when you look at one of these emails; Chris Geek Guy has copied one to his blog. Whilst it is clear that Argos have copied lots of personal data into the HTML email, I think there are bigger problems. The data is embedded as query parameters in an HTML link that issues a GET request. To me, this shouts XSS and CSRF risk, and, if you look at the link, this data would also be sent across the internet in the clear (usually being cached as it travels) whenever a user actually clicked the link in the email.
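As an added example (not from the original post and not Argos' own code), a defender-side check that scans outgoing receipt HTML for links whose query strings carry card data; the email body, host and parameter names are constructed for illustration:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample receipt email: the "view receipt" link carries card
# details in its query string. Host and parameter names are invented.
SAMPLE_EMAIL_HTML = """<html><body><p>Thank you for your order.</p>
<a href="http://shop.example.invalid/OrderStatus?orderId=1001&amp;cardNumber=4111111111111111&amp;cvv=123&amp;expiry=1212&amp;cardName=A+Customer">View your receipt</a>
<a href="http://shop.example.invalid/help?topic=returns">Returns policy</a>
</body></html>"""

# Parameter names that should never appear in a link, whatever the value.
SENSITIVE_NAMES = re.compile(r"card|pan|cvv|cvc|csc|expir", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; rejects most order ids and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(value: str) -> bool:
    """True for a 13-19 digit value (spaces/dashes allowed) that passes Luhn."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)

class LinkCollector(HTMLParser):
    # Collects every href from the <a> tags in the email body.
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def find_leaky_links(html: str):
    """Return (url, sorted offending parameter names) for each link whose query
    string names a sensitive field or carries a Luhn-valid card number."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.hrefs:
        params = parse_qs(urlparse(url).query, keep_blank_values=True)
        bad = [k for k, vals in params.items()
               if SENSITIVE_NAMES.search(k) or any(looks_like_pan(v) for v in vals)]
        if bad:
            findings.append((url, sorted(bad)))
    return findings
```

Run as a pre-send gate on the mail template or over a sample of generated receipts; any finding means the data is about to travel in a URL that proxies and logs will record.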

Potential targets for exploitation (and I haven't tried) would be includeName and the com.ibm.commerce.context.experiment.ExperimentContext parameter, which looks like it is directly referencing an object (!!!) outside the context of the system. It would also be worth exploring what this link actually does, and whether manipulating the receipt and performing a replay attack changes anything on the Argos server.