By Tony Hallett, Munir Kotadia, Matt Loney, 14 November 2003 18:45
NEWS A major security flaw was exposed this afternoon on the website of UK retailer B&Q, www.diy.com. It allowed a potential hacker relatively easy access to customers' personal details, potentially including credit card numbers.
The flaw, which was discovered by a silicon.com reader, made it possible to log in under accounts of other B&Q customers with little or no technical knowledge. Once logged in, it was possible to view or change the personal details of that customer - including full name, delivery address, phone number and email address. Once access to an account was gained, if the customer had entered their credit card details, it was also possible to order goods on their account.
B&Q customer John Dunbar said he was horrified when told about the security flaw by silicon.com sister site ZDNet UK.
"The thing is you assume that big companies like this have sorted it out and that the security is there," he said. "You don't for a minute think that other people can get access to your details. It's absolutely diabolical - the thought that someone could order on thousands of pounds worth of goods in my name."
According to the security notice on B&Q's website, every online transaction is checked by the company's "fraud control systems" and "in the unlikely event of fraudulent or unauthorised use" the company promises to refund any money received by B&Q but it stipulates that the customer must first notify their credit card company and B&Q directly (0870 0101 006) or through the company's website.
Neil Barrett, security expert and visiting professor at Cranfield University, said B&Q had made a very basic error on its site.
"It's a malformed SQL query. The data from the form [where a password should be entered] should go into a query, from the web server to a back end database. It's the form to query part that is being mishandled," he said. "It's very easy to make those sorts of errors. And very simple to fix."
Matt Louth, head of the technology team at B&Q Direct, said the site was promptly made secure once informed of the weakness by silicon.com.
"We try to protect our customers' interests and we will find a more secure way" for them to log in, he said.
B&Q's website and development is handled in-house.
Matt Loney and Munir Kotadia write for ZDNet UK.
Comments
There are 7 comments. Join the discussion
1. anonymous
Some people are so niave, to believe a 'big company must have good security' just because it is big is blatently stupid!
2. anonymous
They could also try securing their wireless networks. Our office is about .5 mile from a B&Q and their 802.11b network is broadcast unsecured all around the area.
3. anonymous
The problem is that many large businesses think they can build e-business systems "in house". But in my experience it is almost always more expensive, poor quality and less secure.
4. Antony Booth
This is a problem of quality assurance and alpha testing. It's not enough to test if a web application works. You must also attempt to manipulate it. The best way to secure your web application is to get it hacked first. If you don't do it yourself, someone else will and by then it will be too late.
5. Mike Knowles
'Some people are so niave...'
These people are trying to buy shower screens, not security services. Why should theybe considered as naive just because they trust the security statement of a huge retailer like B&Q?
6. Jamie Kershaw
If you "buy on-line" you take your chances, doesn't matter if the are a global company or your local retailer. Security is essential to any site with on-line purchasing, but security is never watertight, it's there just waiting to be exposed.
7. anonymous
I work for B+Q and this doesn't surprise me in the least. The place works on such tight profit margins that something has to give. I always thought that was restricted to our wages but it looks like internet security is another poorly funded area.