Half of U.K. shopping websites 'open to attack'

Powered by SC Magazine

Security flaws in half of U.K. retailers' websites leave them open to attack, new research has found.

The vulnerability centres on the "forgotten password" feature on log-in pages that emails shoppers their passwords. According to penetration testing company SecureTest, many of these pages can be subjected to a "brute force" or enumeration attack: of the 107 retailers' sites visited, 54 (50.5 per cent) could be vulnerable to this type of attack.

Enumeration is the process of looking for differences in an application's responses when valid and invalid user accounts are submitted. On a retailer's website, a username or registered email address can be entered correctly and incorrectly on the "forgotten password" page in order to look for these differences.

If a valid username is entered, the application responds that a password will be sent to the user by email. If an invalid username is entered, it may instead respond with "invalid account name." The difference need not be in the visible message: a different HTTP status code, redirect target or response time gives away the same information. Using this difference, scripts can be written to try large numbers of candidate account names and record which ones the application accepts. While this is a time-consuming process, over time a list of valid accounts can be compiled.
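The following is an added example, not code from the article or from SecureTest. Two stand-in handlers model the behaviour described above: the vulnerable one answers differently for registered and unregistered addresses, the hardened one returns the same status and message either way. A small enumerator then probes each handler with a constructed candidate list, using a deliberately bogus address as its "invalid" baseline, and reports which addresses it can confirm. The account store, handler names and candidate list are all constructed for this example.

```python
"""Username enumeration through a 'forgotten password' form.

Added example (not from the original article). The registered-account set,
the two handlers and the candidate list are constructed stand-ins for a
retailer's user database and reset endpoint.
"""
from dataclasses import dataclass

# Constructed account store standing in for the retailer's user database.
REGISTERED = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def vulnerable_forgot_password(email: str) -> Response:
    """Leaks account existence: status and body differ for valid accounts."""
    if email in REGISTERED:
        # A real handler would queue the reminder email here.
        return Response(200, "A password reminder has been sent to your email address.")
    return Response(404, "Invalid account name.")


def hardened_forgot_password(email: str) -> Response:
    """Identical status and body whether or not the account exists."""
    if email in REGISTERED:
        pass  # queue the email; the caller must not learn whether this ran
    return Response(200, "If an account exists for that address, a reset link has been sent.")


def enumerate_accounts(handler, candidates):
    """Return the candidates whose response differs from a known-invalid probe.

    The attacker first requests a reset for an address that cannot be
    registered, records that response as the 'invalid' baseline, and then
    flags every candidate that is answered differently.
    """
    baseline = handler("definitely-not-registered-1d3a@invalid.example")
    return sorted(c for c in candidates if handler(c) != baseline)


# Constructed candidate list an attacker might feed to the form.
CANDIDATES = ["alice@example.com", "carol@example.com", "bob@example.com", "dave@example.com"]

if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(vulnerable_forgot_password, CANDIDATES))
    print("hardened:  ", enumerate_accounts(hardened_forgot_password, CANDIDATES))
```

Against the vulnerable handler the enumerator recovers exactly the two registered addresses; against the hardened one it recovers nothing. In a real deployment the hardened path must also take the same amount of time for both cases (do the lookup and any expensive work regardless of the result), otherwise response timing reopens the same channel that the identical message closed.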

With this list of valid email addresses, attackers can use brute force techniques against the log-in form to crack account passwords. A working username and password can then be used to log in to the account, allowing the attacker to purchase goods or extract confidential data such as postal addresses and credit card details.

Some retailers have put in place a "lock-out" on user accounts after a fixed number of failed password attempts to combat this type of attack. But SecureTest said that while this appeared a good idea, it left the retailer open to other forms of abuse: an attacker holding a list of valid accounts can bombard them with bad passwords, locking out customers and in effect creating a denial of service (DoS), with the application blocking legitimate users through an aggressive lock-out policy.

Ken Munro, managing director for SecureTest, said that the research on retailer websites "repeatedly found that enumeration is possible."

"There's nothing more serious than gaining access to user accounts, particularly when users' credit card details are stored within, and the potential cost to the retailer in terms of loss of consumer confidence could be catastrophic," said Munro. "Alarmingly, this problem is not limited to retail. Most websites with a password reminder function are vulnerable to enumeration attacks."

Munro urged retailers to put in place security features such as a "time out" (a temporary lock that expires on its own) on log-in forms, no permanent lock-out on the log-in form, and generic error messages on log-in forms so that attackers gain no clues about which user details are valid. The same generic-message rule applies to the forgotten-password page itself, since that is where the research found the tell-tale differences.
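The following is an added example, not code from the article or from SecureTest, illustrating the lock-out problem described above and the "time out" alternative. Both policies count failed attempts per account. The permanent one locks the account until someone intervenes, so an attacker who knows a valid username (from the enumeration above) can keep the real customer out indefinitely. The temporary one imposes a window that doubles with each further failure and then clears, so a brute-force run is throttled while the legitimate user regains access on their own. The thresholds, the injected clock parameter, the policy class names and the user table are choices made for this example.

```python
"""Permanent lock-out versus temporary 'time out' on a log-in form.

Added example (not from the original article). MAX_FAILURES, BASE_TIMEOUT_S,
the policy classes and the USERS table are constructed for illustration.
Time is passed in explicitly so the scenario runs deterministically offline.
"""

MAX_FAILURES = 5        # failures before any lock engages
BASE_TIMEOUT_S = 30.0   # first temporary lock window; doubles per extra failure


class PermanentLockoutPolicy:
    """After MAX_FAILURES bad passwords the account stays locked for good."""

    def __init__(self):
        self.failures = {}
        self.locked = set()

    def allow(self, username, now):
        return username not in self.locked

    def record_failure(self, username, now):
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        if n >= MAX_FAILURES:
            self.locked.add(username)

    def record_success(self, username, now):
        self.failures.pop(username, None)


class TemporaryLockoutPolicy:
    """After MAX_FAILURES bad passwords the account is locked for a window of
    BASE_TIMEOUT_S * 2**k seconds (k = failures beyond the threshold), after
    which attempts are accepted again without any manual unlock."""

    def __init__(self):
        self.failures = {}
        self.locked_until = {}

    def allow(self, username, now):
        return now >= self.locked_until.get(username, 0.0)

    def record_failure(self, username, now):
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        if n >= MAX_FAILURES:
            extra = n - MAX_FAILURES
            self.locked_until[username] = now + BASE_TIMEOUT_S * (2 ** extra)

    def record_success(self, username, now):
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)


def attempt_login(policy, users, username, password, now):
    """Return 'ok', 'rejected' or 'locked' for the server's own bookkeeping.

    The outcome class is for logging and the policy; the message shown to the
    client must be the same generic text for 'rejected' and 'locked', or the
    lock state itself confirms that the account exists.
    """
    if not policy.allow(username, now):
        return "locked"
    if users.get(username) == password:
        policy.record_success(username, now)
        return "ok"
    policy.record_failure(username, now)
    return "rejected"


def simulate_dos(policy, users, victim, wait_s):
    """Attacker fires MAX_FAILURES wrong passwords at the victim's account, then
    the victim tries the right password at once and again after wait_s seconds.
    Returns the two outcomes the victim sees."""
    t0 = 1000.0
    for i in range(MAX_FAILURES):
        attempt_login(policy, users, victim, f"wrong-{i}", t0 + i)
    immediate = attempt_login(policy, users, victim, users[victim], t0 + MAX_FAILURES)
    later = attempt_login(policy, users, victim, users[victim], t0 + MAX_FAILURES + wait_s)
    return immediate, later


# Constructed user table (plaintext only to keep the example short).
USERS = {"alice@example.com": "correct horse battery staple"}

if __name__ == "__main__":
    print("permanent:", simulate_dos(PermanentLockoutPolicy(), USERS, "alice@example.com", 3600))
    print("temporary:", simulate_dos(TemporaryLockoutPolicy(), USERS, "alice@example.com", 3600))
```

Under the permanent policy the victim is locked out both immediately and an hour later; under the temporary policy the first attempt is refused but the one an hour later succeeds. The doubling window still caps an online brute-force attempt at a handful of guesses per window, which is the protection the lock-out was meant to give, without handing the attacker a lasting denial of service against every enumerated account.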

Copyright © SC Magazine, US edition
