Cameras
Camcorders
Cell Phones
Components
Desktops
HDTV
Home Theater
GPS
Laptops
Monitors
MP3 Players
Networking &
Printers
Storage
WiFi Finder
Locate wireless services by a specific address, city, state, country, airport, or zip code.
FTD.com Reports Security Glitch
Customer data briefly exposed, now repaired, flower retailer says.
Todd R. Weiss, Computerworld
Just as it was preparing for the busy Valentine's Day holiday today, flower retailer FTD's Web site had a security flaw that allowed some online customers to view information about other customers as they ordered on FTD.com.
Customers Notified
In a terse e-mail statement Friday, FTD acknowledged the problem and called it "a brief technical issue in which a limited number of customers may have been able to view a subset of another customer's data."
"The company immediately resolved the situation and we have added additional levels of security to our Web site," the statement said. "We take protecting the integrity and confidentiality of our customers' personal information very seriously and continue to work diligently to uphold the industry's highest privacy and security standards."
Despite those assurances, though, FTD as of midafternoon Friday hadn't posted an announcement about the security problem on its Web site to alert customers about it.
Spokesperson Lisa Witek said affected customers were contacted directly by FTD. "The very small amount of people...we have been in touch with," she said. She declined further comment about the incident.
FTD hasn't said how many customers were affected or what information was viewable on the Web site.
Bugtraq Alerted
The flaw was apparently discovered Wednesday by a systems security technician who posted a security advisory about the problem on the Windows NT Bugtraq mailing list.
In his security advisory, Gerald Quakenbush wrote that the flaw on the site allowed credit card information to be obtained by "any hacker with kindergarten-level skills."
"It is trivial to retrieve customer data, including credit card numbers, expiration dates, account names, shipping addresses, and anything else FTD knows about the consumer," Quakenbush wrote. The problem was due to "deeply flawed session-tracking logic" and server configuration flaws that allow users to connect without using Secure Sockets Layer protocols.
"These issues are independent of each other; however, the ability to connect without SSL simplifies the attack," he wrote. He directly notified FTD of the problem, he said in his posting. Quakenbush couldn't be reached for comment Friday.
For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.
Full Windows 7 coverage
The Best of PC World
Featured APC Accessories
-
APC Back-UPS ES Safeguards your equipment from damaging surges and spikes that travel along your utility & data lines.
-
APC SurgeArrest Performance Highest level of protection for your professional computers, electronics and connected devices, as well as provides surge protection.
People who read this also read:
Best Prices on Security Software
Norton Internet Security 2010 - 3 UsersPrice: $27.90
Norton 360 Version 3Price: $38.98
Norton Internet Security 2010 - 3 UserPrice: $27.90
Internet Security 2010Price: $24.95
Internet Security 2010Price: $33.54
Internet Security 2009Price: $15.99
-
Acer Laptop Center Forget the Mouse...check out the next generation multi-gesture touch screen technology from Acer.
-
Dell Shopping Center Check out great deals from Dell!
