HQ for Exposed Credit Numbers

By Michelle Delio
June 18, 2001
Link (active as of 10/22/06): http://www.wired.com/news/ebiz/0,1272,44613,00.html

Consumers who refuse to make online purchases because of security concerns have another story to reinforce their fears.

This one involves computer goods site ComputerHQ.com, where a small mistake in JavaScript code exposed the credit card numbers and other personal information of thousands of its customers -- perhaps for as long as a year.

The programmer who discovered the problem was using a URL the company included on his invoice when he went to check an order of his own -- and has spent the past few days unsuccessfully trying to get the company to acknowledge and then fix the hole.

The site was up and down throughout the weekend, but each time it reappeared, it had the same hole, exposing more than 15,000 transactions.

"This is madness," said Keith Little, a self-employed computer consultant, who discovered the hole. "The stupidity of this is beyond belief. Well, OK, I've been around a while. It's not quite beyond belief."

The security hole was exploitable only if the customer records were viewed with a browser that had JavaScript disabled. But the URL that allowed anyone access to the company's customer records is printed on the bottom of every ComputerHQ invoice.

Little contacted ComputerHQ representatives about the problem on Saturday and Sunday, and explained that a few simple fixes would protect the data.

He said each time he spoke with someone at ComputerHQ, the site was immediately taken offline, only to return a few hours later with the security hole still intact.

When he noticed that the site was up and running yet again on Monday, and the data was still exposed, Little was furious.

Wired News' efforts to contact ComputerHQ officials proved fruitless.

[snip..]
