FTD.com Reports Security Glitch

Just as it was preparing for the busy Valentine's Day holiday today, flower retailer FTD's Web site had a security flaw that allowed some online customers to view information about other customers as they ordered on FTD.com.

Customers Notified

In a terse e-mail statement Friday, FTD acknowledged the problem and called it "a brief technical issue in which a limited number of customers may have been able to view a subset of another customer's data."

"The company immediately resolved the situation and we have added additional levels of security to our Web site," the statement said. "We take protecting the integrity and confidentiality of our customers' personal information very seriously and continue to work diligently to uphold the industry's highest privacy and security standards."

Despite those assurances, though, FTD as of midafternoon Friday hadn't posted an announcement about the security problem on its Web site to alert customers about it.

Spokesperson Lisa Witek said affected customers were contacted directly by FTD. "The very small amount of people...we have been in touch with," she said. She declined further comment about the incident.

FTD hasn't said how many customers were affected or what information was viewable on the Web site.

Bugtraq Alerted

The flaw was apparently discovered Wednesday by a systems security technician who posted a security advisory about the problem on the Windows NT Bugtraq mailing list.

In his security advisory, Gerald Quakenbush wrote that the flaw on the site allowed credit card information to be obtained by "any hacker with kindergarten-level skills."

"It is trivial to retrieve customer data, including credit card numbers, expiration dates, account names, shipping addresses, and anything else FTD knows about the consumer," Quakenbush wrote. The problem was due to "deeply flawed session-tracking logic" and server configuration flaws that allow users to connect without using Secure Sockets Layer protocols.

"These issues are independent of each other; however, the ability to connect without SSL simplifies the attack," he wrote. He directly notified FTD of the problem, he said in his posting. Quakenbush couldn't be reached for comment Friday.