X
Business
Home Business Enterprise Software

Hackers trumpet IBM software hole

Two hackers have published a program that breaks the encryption-protecting passwords on servers running older versions of IBM's e-commerce software.
Written by Robert Lemos, Contributor
Two hackers have published a program that breaks the encryption-protecting passwords on servers running older versions of IBM's e-commerce software, highlighting the possibility that dozens--if not hundreds--of sites have been left open to digital thieves.

By using the tool, as well as a specially formatted Web address that takes advantage of a second flaw in server software, anyone can get the usernames and passwords for every account, including the administrator's, on sites using IBM's Net.Commerce and WebSphere Commerce Suite software.

"Once you got the username and the decrypted password, you can log in at the site," the two hackers, identified only as "xor37h" and "darkman," wrote in instructions that accompanied the hacking tool.

A quick search of the Web found almost a dozen Web sites that are vulnerable to the one-two security punch, including three university stores, two online jewelry sites, a shoe store, a bicycle manufacturer, a home-appliance maker and a bookstore. In their online description of the tool, the two hackers reported that their search of the Web revealed more than 300 vulnerable sites.

IBM confirmed the flaw in a posting Thursday to the Bugtraq security mailing list, and it asked customers using its older servers to use existing patches to fix the problems.

This "could expose some Web sites that have not taken preventative action," Ed Kilroy, general manager of IBM's Electronic Commerce group, said in a statement to customers.

The flaws affect Version 4.1 of IBM's WebSphere Commerce Suite and version 3.2 of Net.Commerce, Kilroy said in the statement. Users of the latest version of IBM's WebSphere server software are protected, as are people who have installed the fixes recommended by IBM last month.

To break into a site, an online thief would first use a specially formatted Web address, or URL, that executes unsecured macros on the Web commerce server. The macro flaw, discovered by Rudi Carell and posted to the Bugtraq mailing list last month, causes the software to list every account on the system and the encrypted passwords.

IBM had previously identified the problem with the software's macros in February 1999 and recommended a workaround at the time.

Xor37h and darkman found that most servers use a fixed key to encrypt the password, making it easy to decrypt them. While a feature on IBM's servers allows the site's administrator to change the key, most administrators have not, they said in their online statement.

The hacker duo asked others not to exploit the flaws. Doing so "is anything but legal and we strong advice (sic) people not to use the application illegally," they said.

Their site detailing the flaw and providing the tool appeared to be unavailable on Thursday.

Editorial standards
Show Comments

Related

Anker Solix X1

Not into the Tesla Powerwall? You can now buy the Anker Solix X1

GOTRAX 4 electric scooter

The Jackery Explorer 1000 is one of the best portable power stations you can buy, and it's on sale

AI coding concept

Can Meta AI code? I tested it against Llama, Gemini, and ChatGPT - it wasn't even close