Quantcast
Subscribe to magazine

FTD.com Reports Security Glitch

Customer data briefly exposed, now repaired, flower retailer says.

Todd R. Weiss, Computerworld

  • 0 Yes
  • 0 No

Just as it was preparing for the busy Valentine's Day holiday today, flower retailer FTD's Web site had a security flaw that allowed some online customers to view information about other customers as they ordered on FTD.com.

Customers Notified

In a terse e-mail statement Friday, FTD acknowledged the problem and called it "a brief technical issue in which a limited number of customers may have been able to view a subset of another customer's data."

"The company immediately resolved the situation and we have added additional levels of security to our Web site," the statement said. "We take protecting the integrity and confidentiality of our customers' personal information very seriously and continue to work diligently to uphold the industry's highest privacy and security standards."

Despite those assurances, though, FTD as of midafternoon Friday hadn't posted an announcement about the security problem on its Web site to alert customers about it.

Spokesperson Lisa Witek said affected customers were contacted directly by FTD. "The very small amount of people...we have been in touch with," she said. She declined further comment about the incident.

FTD hasn't said how many customers were affected or what information was viewable on the Web site.

Bugtraq Alerted

The flaw was apparently discovered Wednesday by a systems security technician who posted a security advisory about the problem on the Windows NT Bugtraq mailing list.

In his security advisory, Gerald Quakenbush wrote that the flaw on the site allowed credit card information to be obtained by "any hacker with kindergarten-level skills."

"It is trivial to retrieve customer data, including credit card numbers, expiration dates, account names, shipping addresses, and anything else FTD knows about the consumer," Quakenbush wrote. The problem was due to "deeply flawed session-tracking logic" and server configuration flaws that allow users to connect without using Secure Sockets Layer protocols.

"These issues are independent of each other; however, the ability to connect without SSL simplifies the attack," he wrote. He directly notified FTD of the problem, he said in his posting. Quakenbush couldn't be reached for comment Friday.

Computerworld
For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.

  • Recommend this story?
  • 0 Yes
    0 No

Print 65% more pages than with refilled inks. Trust Original HP Inks. Hit Print Reliably.

Featured APC Accessories For Your System
10% Off Entire Cart at Online Store

  • APC Back-UPS ES Safeguards your equipment from damaging surges and spikes that travel along your utility & data lines.
  • APC SurgeArrest Performance Highest level of protection for your professional computers, electronics and connected devices, as well as provides surge protection.

People who read this also read:

  • 2007 Microsoft Office Suites Comparison This paper compares and contrasts four suites of the 2007 Microsoft Office system: Microsoft Office Standard 2007, Microsoft Office Professional Plus 2007, Microsoft Office Enterprise 2007 and Microsoft Office Ultimate 2007. This paper is intended to help organizations understand the applications and capabilities offered, and to identify the suite that best fits their needs.
  • Windows Vista Migration: The Business Proposition It's not so much a matter of "if" but "when" for most organizations regarding migration to Windows Vista. Laying the groundwork now for this migration can yield higher ROI than waiting until later. This Computerworld Technology Briefing explains it all.

PC World's Marketplace