The vulnerability centres on the "forgotten password" feature on the log-in pages that email shoppers their passwords. According to penetration testing company SecureTest, many of these websites can be subjected to a "brute force" or enumeration attack. It found that 54 of the 107 retailers' sites it visited, 50.5 per cent, could be vulnerable to this type of attack.
Enumeration is the process of looking for differences in the response from an application when submitting valid and invalid user accounts. On a retailer's website, the username or registered email address can be inserted correctly and incorrectly on the "forgotten password" page in order to look for these differences.
If a valid username is entered, the application will respond stating that a password will be sent to the user by email. If an invalid username is entered, the application may respond with "invalid account name." Using this information, scripts can be written to try numerous account names, exploiting these differences in response. While this is a time-consuming process, over time a list of valid accounts can be compiled.
With this list of valid email addresses, hackers can use brute force techniques to attack the application and crack account passwords. The username and password can then be used to log in to user accounts, allowing hackers to purchase goods or extract confidential data, such as postal addresses and credit card details.
Some retailers have put in place a "lock-out" on user accounts after a fixed number of failed password attempts to combat this type of attack. But SecureTest said that while this appeared a good idea, it left the retailer open to other forms of abuse. It said there was also a risk that an attacker would bombard valid accounts with bad passwords, locking out customers: in effect a denial of service (DoS) attack, with the application itself blocking legitimate users through an aggressive lock-out policy.
Ken Munro, managing director for SecureTest, said that the research on retailer websites "repeatedly found that enumeration is possible."
"There's nothing more serious than gaining access to user accounts, particularly when users' credit card details are stored within, and the potential cost to the retailer in terms of loss of consumer confidence could be catastrophic," said Munro. "Alarmingly, this problem is not limited to retail. Most websites with a password reminder function are vulnerable to enumeration attacks."
Munro urged retailers to put in place security features such as a 'time out' feature on the log-in forms, no permanent lock-out on the log-in form, and generic error messages on log-in forms to prevent attackers from gaining clues about users' details.
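The following is an added example, not code from the article or from SecureTest, illustrating both the response-difference condition described above (a handler that answers differently for registered and unregistered addresses) and the mitigations Munro recommends (a uniform message regardless of input, and a temporary time-out rather than a permanent lock-out). The user store, addresses, messages and throttle parameters are all constructed for illustration; `responses_distinguish` is the kind of check a site owner can run against their own password-reminder handler to confirm it no longer leaks account existence.

```python
"""Added example (not from the original article): a password-reminder handler
that leaks account existence beside a hardened one, a defender-side check that
compares the two responses, and a time-out based throttle in place of a
permanent lock-out. All names and values are constructed."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Constructed sample user store: registered addresses -> display names.
USERS: Dict[str, str] = {"alice@example.com": "Alice", "bob@example.com": "Bob"}


def reset_leaky(email: str, users: Dict[str, str] = USERS) -> str:
    """The pattern the article criticises: the visible response depends on
    whether the address is registered, so every request answers the question
    'does this account exist?'."""
    if email in users:
        return "A password reminder has been sent to your email address."
    return "Invalid account name."


def reset_uniform(email: str, users: Dict[str, str] = USERS,
                  outbox: Optional[List[Tuple[str, str]]] = None) -> str:
    """Hardened form: the response is identical for every input. Mail is only
    queued for registered addresses, but that branch never changes what the
    caller sees, so a valid and an invalid address are indistinguishable."""
    if email in users and outbox is not None:
        outbox.append((email, "password reminder"))  # stand-in for sending mail
    return "If that address is registered, a password reminder has been sent."


def responses_distinguish(handler: Callable[[str], str], valid: str, invalid: str) -> bool:
    """Defender's check for the enumeration condition: does the handler give a
    different answer for a known account and an unknown one? True means the
    endpoint leaks account existence and needs the uniform response."""
    return handler(valid) != handler(invalid)


class TemporaryThrottle:
    """Time-out instead of permanent lock-out: after `limit` attempts within
    `window` seconds a key (an account or a client) is refused until the oldest
    attempt ages out of the window. Because nothing is locked for good, flooding
    an account with bad guesses cannot shut the legitimate user out permanently,
    which is the DoS side effect the article warns about."""

    def __init__(self, limit: int = 5, window: float = 300.0):
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        """Record an attempt for `key` and say whether it may proceed.
        `now` is injectable so the behaviour can be tested without sleeping."""
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # temporarily refused; no permanent state is kept
        q.append(now)
        return True


if __name__ == "__main__":
    print("leaky handler distinguishes accounts:",
          responses_distinguish(reset_leaky, "alice@example.com", "nobody@example.com"))
    print("uniform handler distinguishes accounts:",
          responses_distinguish(reset_uniform, "alice@example.com", "nobody@example.com"))
```

The throttle is keyed by whatever the deployment chooses (the submitted address, the client, or both); the important property is that a refusal expires on its own, and that the refusal message, like the reminder message, does not vary with whether the account exists.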