
[Full-Disclosure] Chapters/Indigo Website Personal Information Leak



I. SUMMARY

The Chapters/Indigo website (http://www.chapters.indigo.ca/) is vulnerable
to user name guessing at the login screen and personal information leaks
(name and address) in the Wish List function.


II. BACKGROUND

Chapters/Indigo is the largest book vendor in Canada, having over C$800M
in annual revenue in the 12 months ending April, 2004. The
www.chapters.indigo.ca website offers books, CDs, DVDs, videos, and a
variety of gifts and jewelry for sale over the Internet.


III. IMPACT

Determining a matching username and password is very difficult. However,
guessing one or the other on its own is several orders of magnitude
easier. The system is nice enough to allow an attacker to work first at
getting user names, and then to attempt to guess passwords for the valid
names. Once a valid combination is found, the attacker has full access to
the user's account and can order items, have them shipped to alternate
overseas addresses, steal credit card information, etc.

A wish list is keyed to an email address. If an attacker knows a user's
email address, they can use the wish list to determine the user's full
name and address. There is no warning that the website will give out this
information to arbitrary third parties. As a matter of fact, when the user
enters their personal information, they are repeatedly assured that their
personal information will be secure.


III. VENDOR NOTIFICATION

Chapters/Indigo was originally notified in November, 2003. There was some
discussion via email in an attempt to convince them that this was not
simply a user error. After several exchanges, they still would not
acknowledge that there was a problem, but they did indicate that
management had been informed of the situation and that the website would
be updated to be more "user friendly".

As of July 6, 2004, the problems still exist.


IV. SAMPLE EXPLOITS

1. User Name Leak in Login Screen

User names at www.chapters.indigo.ca are based on email addresses. At the
login page, by typing in a valid email address and invalid password, the
error "the password entered is not correct" is displayed. If an invalid
email address and some random (non-blank) password is entered, the error
"the e-mail address provided cannot be found" is displayed.
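The two error messages above are the whole problem: the response itself tells the client whether the address is registered. The following is an added illustration (not the retailer's code, and not from the original post) of a login handler written both ways: `login_leaky` reproduces the distinguishable messages described above, `login_uniform` returns one generic message and runs the same password-hashing work on both paths, and `responses_distinguish_accounts` is a regression check a site can keep in its test suite. The account store, salts and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed account store for illustration only (not the retailer's code).
# Each record holds a per-user salt and a PBKDF2 hash of the password.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)

def _make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

ACCOUNTS = {"alice@example.com": _make_record("correct horse battery")}

# A dummy record that the unknown-address path is checked against, so both
# failure paths hash a password and take about the same time.
_DUMMY = _make_record(os.urandom(16).hex())

MSG_NO_SUCH_EMAIL = "the e-mail address provided cannot be found"
MSG_BAD_PASSWORD = "the password entered is not correct"
MSG_GENERIC = "the e-mail address or password you entered is incorrect"


def login_leaky(email: str, password: str) -> str:
    """The behaviour the advisory describes: a different message for an
    unknown address than for a wrong password, so the response reveals
    whether the address is registered."""
    rec = ACCOUNTS.get(email)
    if rec is None:
        return MSG_NO_SUCH_EMAIL
    if not hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"])):
        return MSG_BAD_PASSWORD
    return "ok"


def login_uniform(email: str, password: str) -> str:
    """Same message and same code path for both failure cases."""
    rec = ACCOUNTS.get(email, _DUMMY)
    matches = hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))
    if matches and email in ACCOUNTS:
        return "ok"
    return MSG_GENERIC


def responses_distinguish_accounts(login_fn, known: str, unknown: str) -> bool:
    """Regression check: a wrong password for a known account must produce
    exactly the same message as any password for an unknown account.
    Returns True when the handler leaks account existence."""
    return login_fn(known, "definitely-wrong") != login_fn(unknown, "definitely-wrong")
```

The generic message removes the oracle in the response body; a real deployment would also want the same HTTP status and similar response size on both paths, plus rate limiting per address and per source, since the post's point is that name guessing and password guessing become separable problems once the site answers differently.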

2. Personal Information Leak in Wish List Function

Equipped with a list of valid user names, an attacker may be able to obtain
additional personal information about users. If a user has created a Wish
List, then anybody can view it, simply by entering the user's email
address. The wish list not only displays the user's list of desired
products, it also allows anybody to purchase those products for the user.
If an item is selected from the Wish List and then the attacker proceeds
to "check out", the website will display the user's full name and address
as confirmation of the destination for shipping. This is *not* the name
and address from the attacker's profile. This is the name and address of
the Wish List owner, which was obtained simply by knowing the user's email
address.


V. WORKAROUNDS

1. User Name Leak in Login Screen

Find a new online retailer for your books etc.

2. Personal Information Leak in Wish List Function

Remove the shipping address from the wish list. This can be done by
following the "manage wish list" link. The default is to present the
user's last used shipping information, but this can be overridden to be
any arbitrary address, including null.
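The wish list leak in section IV.2 and the user-side workaround above can both be shown on one small model. The following is an added example, not the retailer's code and not from the original post: `checkout_confirmation_leaky` reproduces the described behaviour (the owner's name and address are shown to whoever checks out), `checkout_confirmation_safe` is the site-side fix (ship to the stored address but only ever display it to its owner), and `remove_shipping_address` is the workaround of blanking the address through "manage wish list". The data model, the `mask_email` helper and the sample wish list are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed data model (hypothetical; not the retailer's schema).
@dataclass(frozen=True)
class Address:
    name: str
    street: str
    city: str


@dataclass(frozen=True)
class WishList:
    owner_email: str
    items: Tuple[str, ...]
    ship_to: Optional[Address]  # defaults to the owner's last-used address


WISH_LISTS = {
    "alice@example.com": WishList(
        owner_email="alice@example.com",
        items=("A Novel", "A Cookbook"),
        ship_to=Address("Alice Example", "123 Constructed St", "Toronto"),
    ),
}


def mask_email(email: str) -> str:
    """Show only enough of the address for a purchaser to recognise it."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"


def checkout_confirmation_leaky(purchaser_email: str, owner_email: str) -> dict:
    """Behaviour the advisory describes: the recipient's full name and
    address are returned to whoever checks out, owner or not."""
    wl = WISH_LISTS[owner_email]
    return {"recipient": wl.ship_to}


def checkout_confirmation_safe(purchaser_email: str, owner_email: str) -> dict:
    """Ship to the stored address, but display it only to its owner.
    A third party sees a masked reference, never the name or street."""
    wl = WISH_LISTS[owner_email]
    if purchaser_email == wl.owner_email:
        return {"recipient": wl.ship_to}
    if wl.ship_to is None:
        return {"recipient": None, "note": "no shipping address on file"}
    return {"recipient": f"address on file for {mask_email(owner_email)}"}


def remove_shipping_address(owner_email: str) -> None:
    """The user-side workaround from section V: blank the address so that
    even the leaky confirmation has nothing to reveal."""
    wl = WISH_LISTS[owner_email]
    WISH_LISTS[owner_email] = replace(wl, ship_to=None)
```

The design point is that the confirmation page needs an authorization decision, not just a lookup: the stored address can drive fulfilment without ever being rendered for anyone other than the account that entered it.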

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html