***Resolved*** - Security issue with one of the shops we frequent

Homebrew Talk - Beer, Wine, Mead, & Cider Brewing Discussion Forum


stevea1210

****update 2/9/09*****

The issue with the site has been corrected. Please see this post for more info.

thanks,
Steve




I have discovered a security issue with a website that I'm sure many of us have bought items from. I am not at this time going to mention the name. The issue doesn't expose credit card info or social security numbers, but does provide enough information for a social engineering attack.

I have contacted the owner, and he seemed surprised and somewhat sincere in his concern. He doesn't run the website, and said he was going to contact the people who do to take care of the issue. It has been a couple weeks since I heard from him, and the site hasn't been fixed.

I don't want to cost this guy business, because he does have a good reputation on this site. I had a fine experience with him as a customer. However, I also feel an obligation to my HBT brethren. I don't want anyone to fall victim to someone due to this security issue.

I think I will contact him again to see where this stands. I don't want to threaten him with outing him on HBT, but I don't want to hang you guys out to dry either. The issue is serious enough that I won't order from this site again until it is fixed.

I would like some opinions on what course of action you would recommend. At what point do you think I should out the guy? I have given him several weeks and nothing has happened.

Flyangler and MoRoToRiUm, I know you guys know the place from our conversation at the homebrew meeting, but please don't mention the store's name at this point if you post in this thread.
 
Not really protecting anyone if we don't know where it is. Maybe more folks mentioning something to the shop will help get things moving.
 
I have no idea what webshop you are talking about, but what is the issue?
I remember a web merchant site I visited years ago that had an issue where, if someone left the site without properly logging off, the next person to hit the site actually picked up where the other guy left off. HUGE problem, lol
 
Not really protecting anyone if we don't know where it is. Maybe more folks mentioning something to the shop will help get things moving.

I agree that could be a plus. However, I know it would cost the guy a few sales, and while ultimately it is his site, I know he doesn't run the site, and it was the web designer that missed this.

I have no idea what webshop you are talking about, but what is the issue?
I remember a web merchant site I visited years ago that had an issue where, if someone left the site without properly logging off, the next person to hit the site actually picked up where the other guy left off. HUGE problem, lol

The issue is that if you know or can guess at an order number, it will show you the order without logging into the site. It shows items such as order date, the items ordered, ship-to and bill-to address, and type of card used.

I know that doesn't sound like the keys to the kingdom, but imagine this. I get a phone call, and this is the conversation:
"Hi this is bob, from xxxxx.com. You placed an order with our site on 1/20/09. You ordered items X,Y and Z. We have your bill to and ship to address as the same and they are 123 fake st anytown usa. Your confirmation number is 12345. It shows that you used a Visa to pay for your order. We had a problem with processing your card, and I need it to be run again. What is the card number?"

I respond: "Well, what number do you have?"

Bob: "Due to our stringent security standards, the card number is even hidden to me. I can't see it."

The amount of information that Bob gave me sounds like enough to convince me he is an employee of that company. It is information that is so specific, that you shouldn't be able to find it out. I would possibly give that person my credit card number.
 
Steve,

This is a tough one and I know you've been struggling with the best way to address this issue; on one hand, you want to alert HBTers to any potential issues involving identity theft and on the other, you don't want to drag the vendor's reputation through the mud on something that is somewhat out of his control. My gut tells me that this should be dealt with privately; I imagine any interested parties reading this thread would PM you about this matter.

Jason
 
Tough one. When you first posted this, I had no idea what you are talking about, but I understand now as far as the security issue goes. I have looked at the sites that I have ordered from, and it does not seem that they allow this type of access you are describing.

I agree though, it should be kept private. Maybe the owner is trying to get it fixed and is not getting the feedback from his developer (developer says it is safe, blah, blah). But I would e-mail the owner again and put a little pressure on him, show him this thread and maybe he will realize there is a problem. You have to be sure that if you were to release the site's name, I personally confirmed the problem, I would not order from them until the problem was fixed.

One last thought: have you ordered from this site? Maybe you could inform your credit card company, they have a vested interest in not having this type of problem. Maybe hearing it from them would make the guy move a little more.
 
One last thought: have you ordered from this site? Maybe you could inform your credit card company, they have a vested interest in not having this type of problem. Maybe hearing it from them would make the guy move a little more.

While I hate being cryptic on this issue (as I know the vendor of whom Steve speaks, though I've not noticed the issue he's talking about), I think it's safe to say conservatively that probably 75% of HBT membership has ordered from this site in the past for non-ingredient supplies.

I certainly want to see resolution on this issue.

Jason
 
This thread is pretty lame, in my opinion. It just stirs up fear without much remedy. If it had been on how to avoid fraud and just included the post about the phone call scenario it would have been helpful. As it stands it makes me feel EVERY shop could be the problem shop.

Why not say "It is my feeling that whatever.com has some security issues. It is only my opinion and I have contacted them to clear it up."

PayPal baby!
 
This thread is pretty lame, in my opinion. It just stirs up fear without much remedy. If it had been on how to avoid fraud and just included the post about the phone call scenario it would have been helpful. As it stands it makes me feel EVERY shop could be the problem shop.

Why not say "It is my feeling that whatever.com has some security issues. It is only my opinion and I have contacted them to clear it up."

PayPal baby!

Easy with the PayPal shout out... I had to cancel my bank card because someone stole my info from PayPal and charged a bunch of crap. They made it right... but nothing is totally secure.
 
Two problems with this thread:

Why post if you're not going to tell us what the shop is? I've no problem with you contacting them first but just hold off on the post.

This really is not that large of a security hole. This isn't that unusual of a practice and IMO isn't even that big of a deal. While a bit more info than order number should be required to get this information, it's not particularly incriminating or outside of what you'd be able to get without much trouble from a lot of online vendors.

To me this is a minor issue that could have been remedied easily by the vendor without this drama. You're stirring people up over a minor issue.
 
It just stirs up fear without much remedy. If it had been on how to avoid fraud and just included the post about the phone call scenario it would have been helpful.

Correct, there is no remedy as of this point. That is why I was asking advice. I wanted to hear from others at what point it is recommended to go from handling it private to publicly outing the company.

Why not say "It is my feeling that whatever.com has some security issues. It is only my opinion and I have contacted them to clear it up."

Because I feel that would cost this company orders. I believe the person running this company isn't the one who caused this issue; it was the web designer. I don't want this person's reputation ruined over something like this. I felt like I wanted to give them a chance to clear it up, and due to the amount of time that has passed, I was wondering if the "next step" was appropriate yet.



Two problems with this thread:

Why post if you're not going to tell us what the shop is? I've no problem with you contacting them first but just hold off on the post.
I did hold off on the post. I contacted the company on January 20th about the problem. It has been 18 days since reporting the issue and it is yet to be resolved.



This really is not that large of a security hole. This isn't that unusual of a practice and IMO isn't even that big of a deal. While a bit more info than order number should be required to get this information, it's not particularly incriminating or outside of what you'd be able to get without much trouble from a lot of online vendors.

I agree this isn't as big as listing everyone's credit card number on the homepage, but that doesn't mean it isn't something worth pursuing. In my eyes the risk is large enough that I won't order from this company again until it is rectified.

I disagree that it isn't an unusual practice. I have never ordered from a site that allows you to access this much personal information without at least logging into the site. This information is available to anyone able to guess at a confirmation number.
 
And I think it is a useful post.

The change I am making in light of this post is to respond to a call on an order: "I will call you right back, for xxx reason. What is the number?"

Write down the number (if they give you one...). Hang up and call the company back at the known contact.
 
I agree this isn't as big as listing everyone's credit card number on the homepage, but that doesn't mean it isn't something worth pursuing. In my eyes the risk is large enough that I won't order from this company again until it is rectified.

I disagree that it isn't an unusual practice. I have never ordered from a site that allows you to access this much personal information without at least logging into the site. This information is available to anyone able to guess at a confirmation number.

I didn't realize it had been so long, in that case they've wasted their chance to fix it IMO. You did a good thing by bringing it to their attention and if you were ignored then outing them is the next step.

Plenty of sites let you see your order invoice with just an order number, any site that allows you to buy as a "guest" usually does. I don't think it's a good practice by any measure, just that it's not so far out of the norm that I'd call the designer incompetent.
 
Because I feel that would cost this company orders.

Instead, posting the vague information you did may cause people to delay their orders, costing all potential companies orders.

I did hold off on the post. I contacted the company on January 20th about the problem. It has been 18 days since reporting the issue and it is yet to be resolved.
In my eyes the risk is large enough that I won't order from this company again until it is rectified.

Yet you are depriving others of the ability to make the same decision because you deem that protecting the merchant is more important than protecting the privacy of HBT members. In fact, maybe a drop in orders would motivate the merchant to act more expediently to fix the problem?

I disagree that it isn't an unusual practice. I have never ordered from a site that allows you to access this much personal information without at least logging into the site. This information is available to anyone able to guess at a confirmation number.

By providing the recipe for how this issue can be exploited, anyone who reads this thread can visit the major stores, check for the vulnerability and access people's (including potentially my and your own) information now. It would have been much better if you had identified the store and kept the specific issue to yourself.
 
And I think it is a useful post.

The change I am making in light of this post is to respond to a call on an order: "I will call you right back, for xxx reason. What is the number?"

Write down the number (if they give you one...). Hang up and call the company back at the known contact.

A good recommendation, and I would suggest that is a smart way to handle anytime someone contacts you, and is asking for personal information.
 
I didn't realize it had been so long, in that case they've wasted their chance to fix it IMO. You did a good thing by bringing it to their attention and if you were ignored then outing them is the next step.

That is the crossroads I am at now. I seem to be getting a mixture of responses of out them, keep it private, and just shut the hell up :).
 
Instead, posting the vague information you did may cause people to delay their orders, costing all potential companies orders.




Yet you are depriving others of the ability to make the same decision because you deem that protecting the merchant is more important than protecting the privacy of HBT members. In fact, maybe a drop in orders would motivate the merchant to act more expediently to fix the problem?



By providing the recipe for how this issue can be exploited, anyone who reads this thread can visit the major stores, check for the vulnerability and access people's (including potentially my and your own) information now. It would have been much better if you had identified the store and kept the specific issue to yourself.


This is the whole part I am struggling with. I don't want any HBT'er to have an issue, but I also don't want to damage what is otherwise a good reputation.

If I didn't respect the company, I would have outed him immediately, instead of giving him a chance.

If I didn't care for the HBT community, I wouldn't have posted the thread to begin with.
 
Stating that there is a threat out there that may put most the HBT community at risk, and not giving any useful information that is specific to that risk....

Sounds a lot like the previous presidential administration.....
 
Why not contact TxBrew or one of the other moderators with the full details. They can contact the vendor directly, get his side of the story and then post back whether or not it is an issue. I think all moderators will respect your wishes to keep the name private unless the vendor gives permission to post.
 
Also, for those who are crying about the OP being not forthcoming, take it at that.

He is:
A. Trying to protect the vendor's rep.
B. Keeping an eye out for the HBT community.

Like he stated before, this isn't a SERIOUS issue, but could very well lead to a social engineering attack.

Heed the advice and be wise of ANY vendor who calls or emails you for more information, regardless of what info they are able to provide you at the time.
-Me
 
I am torn here. On one side, all I know is some random vendor (that apparently many of us frequent) has a security issue. But, we don't know which one. So what do I do with that? Either keep going as planned or stop using ANY vendor. Giving me a warning about a danger, but not telling me how to avoid that danger is not fair, and is kind of pointless.

However, on the other side, you have told us what to watch out for - someone calling you with all the "private" details of the order and asking to verify credit card info. If that is the only use of that security risk, then OK.

1. At least we know what to look out for, assuming that is the only exploit.
2. But, now all of us will have a little less trust in our vendors, until we know which one has the risk.

So, an analogy goes something like this: There is a website we use often (but I am not going to tell you which one) that contains a dangerous virus, but hopefully, your antivirus software will protect you. What would you do if you heard that info?
 
I use citibank virtual cards.

Each online vendor gets their own cc number from me. If it's ever stolen or used without my permission, it's easy to track.

I agree with the original poster's NOT listing the business. But I would call the business again before posting.

B
 
I'm unclear as to what advice the OP is looking for. Since disclosing the vendor is clearly not something you'd like to do, which is fine, it appears that your choices are:

1. Stop shopping there and tell them why.
2. Continue shopping there and continue to alert them.

Also, on the vulnerability side... while it is correctable, it's akin to somebody picking through your trash as far as threat goes, and would still require disclosure of information on your account on a call not initiated by you.
 
I have contacted the owner, and he seemed surprised and somewhat sincere in his concern. He doesn't run the website, and said he was going to contact the people who do to take care of the issue. It has been a couple weeks since I heard from him, and the site hasn't been fixed.

With this paragraph you seem to be absolving the vendor of responsibility for the security issue, but the contrary is true. The moment you informed him of the threat it became solely his responsibility for exposing his customers to the threat.

The fact that he did not take the site down until it is repaired exhibits his lack of concern for his customers. Therefore you are protecting someone who does not care to protect his own customers. How can you respect him? The fact that he provides good service notwithstanding, he cares not a whit about his customers' financial well-being except in that he gets his money.

The fact that you know about it and yet will not give us the information necessary to avoid exploitation of this security threat (i.e. the store's name) makes you as morally culpable as the proprietor. The method you describe is not at all the only way that that information can be used against a person. The threat is much more serious than you describe.

Addendum: I bet you I could get the rest of your credit card number with just the information that you said that is viewable without ever contacting you in any way. It would take me less than five minutes. Guaranteed. But if I were really going to exploit the leak I would use the info to really do some damage. Unlike you, I will not provide a blueprint.
 
In any kind of security threat you have done right by contacting the owner of the site. But if the threat is still open and not corrected after several weeks, then it's time to let others know there might be a security breach and to hold off all orders until the issue is fixed. Sorry if it hurts a site, but the security of your friends and the public should be addressed at this point. Take it for what it's worth, but you are not helping the community unless you let the community know of a threat like this.
 
This thread is worthless, it does nothing, solves nothing.

I am not ordering from any more online vendors since I don't know which one it is. How's that for helping his business?

If it has been 3 weeks and this dude has not resolved the issue... um, I think he needs to be outed. Maybe a flurry of responses from us would prompt him to protect his customers.

What if there is a child molester on your street... but other than that, he is an OK guy. Are you going to tell your neighbors, friends, that he lives there so that they are aware and can protect their children? Or wuss out so that you don't hurt his "reputation"?

I think there is a huge disservice done by not saying who this is. If this vendor is a stand-up vendor, and deserves to be "protected", then he will rectify the issue in a short time and not have to worry about losing business. If he is not that type of vendor, and won't fix it, then he isn't worth protecting, is he?

Pol
 
bookmark to look at this post when I am sober :).

I do web app security for a living. Maybe I can provide some useful advice to the owner of the site.
 
bookmark to look at this post when I am sober :).

I do web app security for a living. Maybe I can provide some useful advice to the owner of the site.

And that is what makes this thread useful and the HBT community a great thing!

:rockin:
 
And that is what makes this thread useful and the HBT community a great thing!

:rockin:


Except that the owner of the site does not care about web security and certainly does not think it is a priority. (Judging by the fact that it has been 19 days since he was alerted.) Besides, the harm has really already been done because it is now open information for the unscrupulous out there that there is a breach to be exploited.

If I'm a cybercriminal, making a living from farming info, I have been mining that site for information since 5 minutes after this thread was opened. (The five minutes being the time it took me to figure out which of at most 5 sites has the vulnerability.)
 
This thread is worthless, it does nothing, solves nothing.

I have to disagree:
1) We are now aware of this problem and can look out for suspicious activity on credit cards and phone calls.
2) We can make the vendor aware of this thread and our concerns about the seriousness of the matter. That should encourage him/her to act promptly on the matter.

Giving the name of the vendor would crush their online business and likely all of it, depending on their % of online business. I don't think they deserve that. I say give them a chance to solve the problem now that we are aware of it. If it is not solved or if the site is not shut down in a timely manner, then give us a name.

The poster did not have to inform us at all. I for one appreciate the information given.
 
I have to disagree:

Giving the name of the vendor would crush their online business and likely all of it, depending on their % of online business. I don't think they deserve that. I say give them a chance to solve the problem now that we are aware of it. If it is not solved or if the site is not shut down in a timely manner, then give us a name.

stevea1210 said that he alerted the vendor on Jan 20. That's 19 days he's had to correct the problem. Seems like 18 more days than it should have taken.
 
stevea1210 said that he alerted the vendor on Jan 20. That's 19 days he's had to correct the problem. Seems like 18 more days than it should have taken.

I agree that if there is ANY problem that is a threat to the customer, the site should have been taken down and the problem corrected on day one! 19 days later says to me that the vendor doesn't care about his customers, and is more concerned about himself and his bottom line. Personally I think it is an injustice to us all that after 19-20 days the problem hasn't been fixed. I too am going to hold off on ALL my online purchases until I see a resolve to this thread, not for feeling threatened but for the principle of it. I think we ALL should push a little to get a resolve to this.
I thank the OP for the heads up.
Cheers
JJ
 
OK, couple things here now that I have tried to read most of these posts...

The original poster did the right thing by notifying the vendor. The vendor stated that he did not run the website, so it is not a trivial change that he can "just make". I do not agree with posting the half information here; that just gets people's panties in a bunch. 19 days is not sufficient time to make a non-trivial change to a production website, especially since there is a 3rd party involved.

For all of you debating outing the guy vs keeping it under wraps, read up on full disclosure vs responsible disclosure. This has been debated to death.

Ok, so based on where this thread is right now, I would suggest the OP sends a link to this thread to nudge the vendor in the right direction. In the big scheme of things, this is really not a high risk finding. This vulnerability in conjunction with some other information could lead to a compromise of personal information. This means that there would need to be social engineering involved to game the system. A. this is too hard, since stolen identities go for about $2 in bulk on the black market. B. unless the identity thief is specifically targeting YOU, it is never likely to be exploited. I am not trying to make light of this situation, but I have found way worse things in way more important sites.

Bottom line, the guy needs to fix the site, but 19 days is not enough time. Chances are he does not fully understand the attack scenario. To the vulnerable site/vendor, the fix is relatively easy... Force authentication on the order history page, or ensure the orderID is sufficiently long and random so it can not be easily guessed e.g. >32 alphanumerics. To everyone else, keep shopping online, but remain vigilant and skeptical of strange calls asking for personally identifiable information (so business as usual) ;).
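The two fixes named in the post above (force authentication on the order page, or make the order ID long and random) and the order-lookup weakness described earlier in the thread, as an added example that is not code from the original thread or from the shop in question. The order records, the shop's sequential numbering, the log format and the IP addresses are all constructed for the example; the hardened view also adds an ownership check and a detection rule for sequential probing, which the thread only implies.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed sample order records (not real data), keyed by a sequential
# order number, which is the only thing the vulnerable page asked for.
ORDERS = {
    "12345": {"customer": "alice", "date": "2009-01-20", "items": ["X", "Y", "Z"],
              "address": "123 Fake St, Anytown USA", "card_type": "Visa"},
    "12346": {"customer": "bob", "date": "2009-01-21", "items": ["hydrometer"],
              "address": "456 Sample Ave, Anytown USA", "card_type": "MasterCard"},
    "12350": {"customer": "carol", "date": "2009-01-22", "items": ["carboy"],
              "address": "789 Example Rd, Anytown USA", "card_type": "Visa"},
}


def vulnerable_order_view(order_number):
    """The pattern described in the thread: the order number is the only 'credential'."""
    return ORDERS.get(order_number)


class OrderAccessError(Exception):
    """Raised for any failed lookup; the message never reveals whether the order exists."""


def hardened_order_view(session_user, order_number):
    """Fix 1: require a logged-in session and check that the record belongs to it."""
    if session_user is None:
        raise OrderAccessError("login required")
    order = ORDERS.get(order_number)
    # One error for both 'missing' and 'not yours' (compared in constant time),
    # so the response does not confirm which order numbers are valid.
    if order is None or not hmac.compare_digest(order["customer"], session_user):
        raise OrderAccessError("order not found")
    return order


def new_order_id(nbytes=24):
    """Fix 2: an unguessable identifier. 24 random bytes encode to 32 URL-safe
    characters, so walking the ID space sequentially is no longer feasible."""
    return secrets.token_urlsafe(nbytes)


def exposure_by_enumeration(lookup, start, stop):
    """Defender-side measurement: how many records a sequential scan of
    [start, stop) would return from a given lookup function."""
    return sum(1 for n in range(start, stop) if lookup(str(n)) is not None)


def flag_enumerators(log_lines, min_distinct=20, miss_ratio=0.5):
    """Detection over constructed access-log lines of the form 'ip order_number status':
    a client that asks for many distinct order numbers and mostly gets 404s is
    probing, not reading its own order."""
    distinct = defaultdict(set)
    total = defaultdict(int)
    misses = defaultdict(int)
    for line in log_lines:
        ip, order_number, status = line.split()
        distinct[ip].add(order_number)
        total[ip] += 1
        if status == "404":
            misses[ip] += 1
    return sorted(ip for ip in distinct
                  if len(distinct[ip]) >= min_distinct
                  and misses[ip] / total[ip] >= miss_ratio)


# Constructed log: one client walking order numbers 12300..12346 (45 misses, 2 hits)
# and one customer reading a single order of their own.
SAMPLE_LOG = (
    ["203.0.113.7 %d 404" % n for n in range(12300, 12345)]
    + ["203.0.113.7 12345 200", "203.0.113.7 12346 200"]
    + ["198.51.100.4 12346 200"]
)

if __name__ == "__main__":
    print("records exposed by scanning 20 numbers:",
          exposure_by_enumeration(vulnerable_order_view, 12340, 12360))
    print("example unguessable order id:", new_order_id())
    print("clients flagged as enumerating:", flag_enumerators(SAMPLE_LOG))
```

The ownership check matters as much as the login requirement: a site that only forces a login but still serves any order number to any logged-in user has merely raised the cost of the same scan from zero to one free account.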
 
I have to disagree:
1) We are now aware of this problem and can look out for suspicious activity on credit cards and phone calls.
2) We can make the vendor aware of this thread and our concerns about the seriousness of the matter. That should encourage him/her to act promptly on the matter.

Giving the name of the vendor would crush their online business and likely all of it, depending on their % of online business. I don't think they deserve that. I say give them a chance to solve the problem now that we are aware of it. If it is not solved or if the site is not shut down in a timely manner, then give us a name.

The poster did not have to inform us at all. I for one appreciate the information given.

1) You don't look at your CC charges already? No help.
2) Make WHAT vendor aware? All of them? We don't know which one. No help.
3) Give him time... like more than a month? I can do a lot in 19 days, if I really WANT to. But we are just giving him excuses now not to have it fixed. No help.

This thread never had a point. You are not normal if you don't always show some concern for security when ordering on the web. You are not normal if you don't already monitor all of your CC charges. So, again, this thread does nothing. IMHO just a waste of bandwidth or whatever you call it.
 
Good news everyone.

I emailed the owner of the site again today. He called me shortly after that and we had a great conversation. He called the company that runs his site again, and talked to them about what could be done.

They have removed the offending portion of the site. The only way to see any personal information is now to log into your account on the site. I verified, and tried to get to the information, and was unable to.

I did give the owner of the site my word that since the issue has been resolved, I wouldn't divulge his company's name. At this point revealing it would serve no purpose as the security issue has been rectified.

Thanks to those that posted their opinion on what to do, even those whose opinions weren't exactly that positive. It showed there was no consensus and there was a clear divide between all of the options I had.


Thanks to Yoop for unlocking the thread so a conclusion could be posted.
 
Thanks for the update. I am glad you were able to help in getting the issue resolved.
 