from: http://www.wired.com/news/politics/0,1283,35954,00.html
Click Here: <A HREF="http://www.wired.com/news/politics/0,1283,35954,00.html">Backdoor Exposes Credit Cards</A>
-----
Backdoor Exposes Credit Cards
by Declan McCullagh
8:00 a.m. Apr. 27, 2000 PDT

(Editor's note: This story has been modified since its initial posting. The original publication of this story included the password in question.)

Thousands of credit card numbers stored on e-commerce websites are available to anyone with a backdoor password, a British consulting firm has discovered.

Cerberus Information Security said on Thursday it found a secret password that allows someone connecting to a website running "Cart32" shopping cart software to gain access to the server.

McMurtrey-Whitaker, the Springfield, Missouri firm that sells Cart32, confirmed the backdoor -- which can reveal such data as credit card numbers, order information, and shipping addresses -- and said they would distribute a repaired version of the program next week.

Hundreds of small-to-medium websites, including Jazzworld.com, MusicWorld CD, ComputerShop.com, Wirelesstoys.com, and ChocolateVault.com, use Cart32 shopping software, which runs on Windows 95 and Windows NT machines.

"We've been notified of it," said Matt Humes, a technical support representative at McMurtrey-Whitaker.

Right now, Cart32 administrators can edit the executable file and manually delete the password to close the security hole. "By Monday [or] Tuesday, there's going to be a much easier fix to make everything completely secure," Humes said.

Larger firms like Amazon and CDNow tend to use custom shopping cart software. Smaller ones turn to programs like Cart32, or competitors like WebGenie Software's shopping cart, Open Market's ShopSite, or Mercantec's SoftCart.

The Cart32 password could have been inserted by a malicious McMurtrey-Whitaker employee who hoped to steal credit card numbers, or the firm could intentionally have enabled it so their technical support staff could fix customers' problems from afar. McMurtrey-Whitaker said that the vulnerability was included in earlier versions of Cart32, which means that anyone who knew the password could have had access to sites' personal information for at least a year.

Cerberus' David Litchfield said he stumbled across Cart32 after seeing a banner ad for the product, and decided to explore its potential vulnerabilities on Wednesday evening. "My brother and I spent about two hours looking at it (before we discovered the backdoor)," Litchfield said. "I'm extremely surprised that it's in there."
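The article's interim advice, "edit the executable file and manually delete the password", is one sentence; what a practitioner actually does is pull the printable strings out of the binary (the same step that surfaced the developer trivia in cart32.exe), triage the ones that look like credentials, and then overwrite the known one in place. The following is an added example, not code from the article, from Cart32 or from McMurtrey-Whitaker. The sample bytes are a constructed stand-in for an executable, and the secret `hunter2-placeholder` is a made-up placeholder; the real Cart32 password, which Wired withheld, is not used here.

```python
"""
Locate a hard-coded credential in a binary and overwrite it in place.

Added example: not code from the article, from Cart32 or from its vendor.
SAMPLE_BINARY is a constructed stand-in for an executable, and SECRET is a
made-up placeholder; the real Cart32 password, which the article withholds,
is not used anywhere here.
"""
import os
import re
from typing import List, Tuple

SECRET = b"hunter2-placeholder"  # hypothetical; stands in for the withheld password

# Constructed stand-in for cart32.exe: opaque bytes around a few embedded
# strings. Windows binaries often hold the same text twice, once as ASCII and
# once as UTF-16LE, so both forms are planted and both must be found.
SAMPLE_BINARY = b"".join([
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    b"This program cannot be run in DOS mode.\r\n$\x00\x00",
    b"My Name / Example Developer\x00",              # developer trivia, as in the article
    b"\x13\x37\x00",
    b"RemoteSupportPass=" + SECRET + b"\x00",        # narrow (ASCII) copy of the backdoor
    b"\xde\xad\xbe\xef",
    SECRET.decode("ascii").encode("utf-16-le") + b"\x00\x00",  # wide (UTF-16LE) copy
    b"Set-Cookie: cart32session\x00",
])

CRED_HINTS = ("pass", "pwd", "secret", "key", "token", "login", "admin")


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable runs of at least min_len characters, ASCII then UTF-16LE
    (what `strings` and `strings -el` would report)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(blob)]
    return found


def credential_candidates(blob: bytes) -> List[str]:
    """Strings whose text hints at an embedded credential. A triage list,
    not proof: the real check is whether the program compares input to it."""
    return [s for s in extract_strings(blob)
            if any(h in s.lower() for h in CRED_HINTS)]


def neutralize_secret(blob: bytes, secret: bytes, filler: bytes = b"") -> Tuple[bytes, int]:
    """Overwrite every ASCII and UTF-16LE occurrence of `secret` with bytes of
    the same length. Returns (patched_blob, occurrences_replaced) and raises
    if the secret is absent, so a typo cannot silently leave the backdoor in.

    Two caveats behind the article's "delete the password" advice:
    * overwrite, never delete: removing bytes shifts every later offset in
      the file (section tables, relocations, call targets) and corrupts it;
    * filling with NULs leaves an empty string in the slot, which a plain
      string compare may accept as an EMPTY password. The default, random
      bytes, leaves a value nobody knows. Either way the comparison code is
      still there, which is why the vendor's fix is the real remedy.
    """
    if not secret:
        raise ValueError("secret must be non-empty")
    patched, hits = blob, 0
    for variant in (secret, secret.decode("ascii").encode("utf-16-le")):
        fill = (filler * len(variant))[:len(variant)] if filler else os.urandom(len(variant))
        hits += patched.count(variant)
        patched = patched.replace(variant, fill)
    if hits == 0:
        raise ValueError("secret not found; nothing patched")
    assert len(patched) == len(blob), "file layout must be unchanged"
    return patched, hits


if __name__ == "__main__":
    print("candidates:", credential_candidates(SAMPLE_BINARY))
    patched, hits = neutralize_secret(SAMPLE_BINARY, SECRET)
    print(f"replaced {hits} occurrence(s); secret still present: {SECRET in patched}")
```

Run it against a real file by reading it with `open(path, "rb").read()`, keeping a copy of the original, and writing the patched bytes back only after `neutralize_secret` reports the expected number of hits; re-running `credential_candidates` on the patched file is the confirmation step. The hint list is deliberately crude, since a backdoor string need not announce itself, which is why the wide and narrow copies are both searched and why the vendor's patch, not the byte edit, is the fix to wait for.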
Litchfield said his eight-person security consulting firm has released eight security advisories this year, and they decided to publish the password because of the magnitude of the problem.

To gain access to customer files, an attacker could use the password to alter the shopping cart to leak information when users connect to the site. Cerberus said it also discovered a way to change Cart32's administrative password without knowing what the original one was.

Litchfield also found some odd information about the program's designers embedded in the 700KB cart32.exe file. One example: "My Name / Bryan L. Whitaker / My Wifes Name / Melissa K.Whitaker and Kaylee (our baby)."

One expert criticized the company's planned bug fix as unduly tardy. "If they're waiting until Tuesday or Wednesday to fix this problem, that's definitely a bad idea. It doesn't take a genius to figure out what's going to happen all weekend," said Steve Manzuik, the moderator of Win2K Security Advice, referring to malicious hacker attacks.
-----
Aloha, He'Ping, Om, Shalom, Salaam. Em Hotep, Peace Be, All My Relations. Omnia Bona Bonis, Adieu, Adios, Aloha. Amen.
Roads End
<A HREF="http://www.ctrl.org/">www.ctrl.org</A>

DECLARATION & DISCLAIMER
==========
CTRL is a discussion & informational exchange list. Proselytizing propagandic screeds are unwelcomed. Substance -- not soap-boxing -- please! These are sordid matters and 'conspiracy theory' -- with its many half-truths, misdirections and outright frauds -- is used politically by different groups with major and minor effects spread throughout the spectrum of time and thought.
That being said, CTRL gives no endorsement to the validity of posts, and always suggests to readers: be wary of what you read. CTRL gives no credence to Holocaust denial and Nazis need not apply. Let us please be civil and, as always, Caveat Lector.
========================================================================
Archives Available at:
http://home.ease.lsoft.com/archives/CTRL.html
<A HREF="http://home.ease.lsoft.com/archives/ctrl.html">Archives of [EMAIL PROTECTED]</A>
http:[EMAIL PROTECTED]/
<A HREF="http:[EMAIL PROTECTED]/">ctrl</A>
========================================================================
To subscribe to Conspiracy Theory Research List [CTRL] send email:
SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]
To unsubscribe from Conspiracy Theory Research List [CTRL] send email:
SIGNOFF CTRL [to:] [EMAIL PROTECTED]
Om
