Quantcast
PCWorld.com is upgrading some back-end systems. Some site features, such as user registration, may be temporarily unavailable.
Subscribe to magazine

FTD.com Reports Security Glitch

Customer data briefly exposed, now repaired, flower retailer says.

Todd R. Weiss, Computerworld

  • 0 Yes
  • 0 No

Just as it was preparing for the busy Valentine's Day holiday today, flower retailer FTD's Web site had a security flaw that allowed some online customers to view information about other customers as they ordered on FTD.com.

Customers Notified

In a terse e-mail statement Friday, FTD acknowledged the problem and called it "a brief technical issue in which a limited number of customers may have been able to view a subset of another customer's data."

"The company immediately resolved the situation and we have added additional levels of security to our Web site," the statement said. "We take protecting the integrity and confidentiality of our customers' personal information very seriously and continue to work diligently to uphold the industry's highest privacy and security standards."

Despite those assurances, though, FTD as of midafternoon Friday hadn't posted an announcement about the security problem on its Web site to alert customers about it.

Spokesperson Lisa Witek said affected customers were contacted directly by FTD. "The very small amount of people...we have been in touch with," she said. She declined further comment about the incident.

FTD hasn't said how many customers were affected or what information was viewable on the Web site.

Bugtraq Alerted

The flaw was apparently discovered Wednesday by a systems security technician who posted a security advisory about the problem on the Windows NT Bugtraq mailing list.

In his security advisory, Gerald Quakenbush wrote that the flaw on the site allowed credit card information to be obtained by "any hacker with kindergarten-level skills."

"It is trivial to retrieve customer data, including credit card numbers, expiration dates, account names, shipping addresses, and anything else FTD knows about the consumer," Quakenbush wrote. The problem was due to "deeply flawed session-tracking logic" and server configuration flaws that allow users to connect without using Secure Sockets Layer protocols.

"These issues are independent of each other; however, the ability to connect without SSL simplifies the attack," he wrote. He directly notified FTD of the problem, he said in his posting. Quakenbush couldn't be reached for comment Friday.

Computerworld
For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.

  • Recommend this story?
  • 0 Yes
    0 No
  • Great year-end deals
    for small business!

  • Get 24/7 live remote AT&T Tech Support 360* service along with select Lenovo* PCs (with Intel® Core™ 2 Duo processors) and save up to 200!

    Learn more

  • HP EliteBook* 6930p Notebook with Intel® vPro™ technology and a free HP Basic Docking Station - $641 instant savings!

    Learn more

  • *Other names and brands may be claimed as the property of others. ©2009 Intel Corporation. Intel, the Intel logo, vPro and Core trademarks of Intel Corporation in the United States and other countries. All rights reserved.

Dell End of Year Deals

People who read this also read:

  • 15 Minutes to a Secure Business Get the Secure in 15 toolkit starting with the "15 Minutes Month-at-a-Glance" calendar. McAfee will send you additional tools and tricks to stay protected around the clock.
  • A Buyer's Guide to Data Protection Implementing data protection products and processes can be daunting. Make the right decisions by exploring what is available and what makes sense for your organization. Use this simple guide to evaluate different vendor offerings.

Sponsored Links