Expert finds hole in shopping carts

Summary: More than 100 sites have improperly installed shopping carts that will give your credit card number to anyone.

LOS ANGELES -- Internet surfers can tap online shoppers' personal data, including credit card numbers, when common "shopping cart" software used by small retailers is improperly installed, an expert says.

A technician's warning Thursday on the Internet represents one of the most wide-ranging security breaches to hit online commerce.

Exposure of confidential information has always tempered Web shopping enthusiasm. Despite reservations, though, the government has cited private industry figures showing consumers spent $9 billion online last year.

The security breach was discovered by Joe Harris, a computer technician at Blarg! Online, a Seattle-area Internet service provider. He found the problem while examining operations on an online store hosted by his service.

More than 100 sites on the World Wide Web with the vulnerability were found by Harris, who believes "it's only the tip of the iceberg" and that hundreds more have similar problems caused by improperly installed shopping cart software.

"There are so many would-be Web site developers out there who don't know how to set up an online store safely, but they don't tell their clients," Harris said Thursday.

"The last thing anyone wants to do is kill the golden goose of Internet commerce. But this isn't good," he said. "Full disclosure is the best policy. If the site doesn't have a privacy statement or if it doesn't clearly spell out how they secure their data, then shop elsewhere."

More than 100 sites
The Los Angeles Times reported Thursday that it managed to download more than 100 pages of credit card numbers, travel reservations, e-mail and other information from Internet sites.

"It has been a fear in my mind," Marilyn Schwab of Portage, Wis., whose private information was obtained by the Times, told the newspaper. "Now we know it is not as secure as we think it is."

Shopping cart programs that expose order data to ordinary Web browsers if improperly installed include those from Order Form, Seaside Enterprises, QuikStore, PDGSoft and Mercantec.

"The sites didn't follow their guidelines. The (software) vendors shouldn't be blamed," Harris said.

Myrtle Beach, S.C.-based QuikStore spokesman Dwight Vietzke said only two of its estimated 700 users have reported problems with shopping cart installations.

"It's a case when human error comes into play," Vietzke said. "The server has to be set correctly. If they don't know it's a problem it just sits there (for all to see)."

The shopping cart software, if installed incorrectly, saves customer order information in an exposed file that can be viewed by anyone on the Internet, Harris said.

Just use a search engine
Web surfers can download files containing customer names, addresses, telephone and credit card numbers, expiration dates and order data simply by using a search engine like Hotbot or AltaVista and punching in a few simple search words.

"Those files aren't meant to be accessed by a Web browser. There is no reason for it to be listed there in the Web site tree," Harris said. "If it's not encrypted it shouldn't be there."

Online stores usually retrieve order information using encryption and other security measures, but the orders are sometimes placed in a file on the Web site's computer system that is easily accessible to an outside Web surfer.

"I don't think most companies see the magnitude of this. They have to take action very quickly," said Tara Lemmey, president of San Francisco-based Electronic Frontier Foundation, a nonprofit group that promotes online privacy.

When correctly installed, shopping cart software creates a file for confidential information that is inaccessible to outsiders.
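As an added example (not from the article or any of the vendors it names), the check a site operator would run to verify the condition described above on their own server: walk the web document root and flag any file whose name looks like a cart order log or whose contents contain Luhn-valid 13-16 digit numbers. The filename patterns and the sample order line are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Filenames that cart packages commonly use for order logs (assumed patterns).
ORDER_NAME = re.compile(r"(order|cart|customer).*\.(txt|dat|log|csv)$", re.I)
# Runs of 13-16 digits, optionally separated by spaces or dashes.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out most non-card digit runs (phones, SKUs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid 13-16 digit numbers found in text."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits

def audit_docroot(docroot: str) -> list:
    """List files under the web tree that look like exposed order data."""
    root = Path(docroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        cards = find_card_numbers(path.read_text(errors="ignore"))
        if cards or ORDER_NAME.search(path.name):
            findings.append({"path": path.relative_to(root).as_posix(),
                             "card_numbers": len(cards)})
    return sorted(findings, key=lambda f: f["path"])

def demo() -> list:
    """Build a constructed docroot with one exposed order file and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin" / "orders").mkdir(parents=True)
        (root / "cgi-bin" / "orders" / "order.txt").write_text(
            "Jane Example, 4111 1111 1111 1111, exp 01/01\n")  # constructed
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "prices.dat").write_text("sku 1234567890123456 $9.99\n")  # fails Luhn
        return audit_docroot(tmp)

if __name__ == "__main__":
    for f in demo():
        print(f"EXPOSED {f['path']} ({f['card_numbers']} card numbers)")
```

Anything the audit flags belongs outside the document root (or encrypted), which is what a correct installation does.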
