Security Strategy

M&S error sparks fears of hack attack

Retail giant Marks & Spencer has mistakenly exposed confidential systems information on its website that security experts claim could open the door to a cracker attack on customer data.

By Pia Heikkila

Published: 20 October 2000 00:10 BST

silicon.com viewer Stuart Hillston discovered the security hole last Saturday when he was surfing the marksandspencer.com site. Hillston clicked randomly on a broken link, which created an extensive error message. The message contained confidential material such as passwords, credit card dummies and other log-in information.

Speaking exclusively to silicon.com, Hillston said: "I clicked on one of the links and my screen was swamped with data. I figured out it was something that should not have been there once I looked at the information."

Neil Barrett, technical director at security consultancy IRM, who has worked on projects with the police, HM Inland Revenue, Customs & Excise and DERA, said: "The error message was created because of work being carried out on the site. Instead of the error message being a standard 'page cannot be found', the broken link created an extensive log file from Marks & Spencer's server."

Barrett - who has seen the error message - claims it contained information that could easily lead a cracker to confidential customer details. "The message gives out enough information for a nasty hacker attack. Information such as server passwords, log-ins and credit card dummies brings the attacker a lot closer to the back door - and therefore access to customer databases," he said.

Spencer Pratt, security specialist at Defcom, a hacking prevention company, backed up Barrett's claim. "The information should have never been available on the internet. It gives user names, system log-ins, operating system information, IP addresses, credit card limits - all of which gives anyone easy access into their systems. If the back end systems are holding customer data, it could have been easily accessed," he said.
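The failure described above is a verbose error handler: a broken link that, instead of returning a standard "page cannot be found", dumps server state into the response. The following is an added example, not code from the article or from marksandspencer.com, contrasting a debug-style handler that leaks internals with a production handler that returns a generic page and keeps the detail in a server-side log. All configuration values, routes and the `leaks_internals` release check are constructed for the example.

```python
"""Added example (not from the silicon.com article or the M&S site):
a debug-style error handler that writes server state into the HTTP
response, beside a production handler that returns a generic page and
logs the detail server-side. All names and values are constructed."""
import logging
import traceback
from io import StringIO

# Constructed stand-in for server configuration that must never reach a client.
SERVER_CONFIG = {
    "db_host": "10.0.0.5",                   # placeholder internal address
    "db_user": "webapp",                     # placeholder account name
    "db_password": "placeholder-secret",     # placeholder credential
    "payment_test_card": "4111111111111111", # well-known public test card number
}

# Constructed routing table; any other path is a "broken link".
ROUTES = {"/": "home", "/shop": "catalogue"}

# Server-side log kept in memory so the example runs offline.
_log_buffer = StringIO()
logging.basicConfig(stream=_log_buffer, level=logging.ERROR, format="%(message)s")
log = logging.getLogger("errors")


def resolve(path):
    """Look up a path; raises KeyError for a broken link."""
    return ROUTES[path]


def handle_verbose(path):
    """Debug-style handler: on failure the traceback and config go to the client."""
    try:
        return 200, resolve(path)
    except Exception:
        body = traceback.format_exc() + "\nconfig=" + repr(SERVER_CONFIG)
        return 500, body


def handle_hardened(path):
    """Production handler: client gets a generic page, detail goes to the log only."""
    try:
        return 200, resolve(path)
    except KeyError:
        return 404, "Page cannot be found"
    except Exception:
        log.error("unhandled error for %s\n%s", path, traceback.format_exc())
        return 500, "An error occurred. Please try again later."


# Strings that should never appear in a body sent to a client (constructed list).
SENSITIVE_MARKERS = ("Traceback", "db_password", "db_host", "4111")


def leaks_internals(body):
    """Release check: does an error response contain anything a client must not see?"""
    return any(marker in body for marker in SENSITIVE_MARKERS)


def server_log():
    """Return what the hardened handler wrote to the server-side log."""
    return _log_buffer.getvalue()


if __name__ == "__main__":
    for handler in (handle_verbose, handle_hardened):
        status, body = handler("/broken-link")
        print(handler.__name__, status, "leaks" if leaks_internals(body) else "clean")
```

The `leaks_internals` check is the kind of assertion worth running against every error path before a site goes live, including pages left behind by work in progress; the hardened handler treats a missing route as a plain 404 and reserves the 500 branch, with its server-side logging, for genuinely unexpected failures.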

Steve Wind-Mozley, research and development manager for marksandspencer.com, admitted that there was an error, but claimed customer details were never at risk.

He said: "We don't believe credit card details were exposed on that file because they are not stored there. At no time do we believe the security of our customers' information was compromised."

SILICON SAYS: Marks and Spencer is one of the UK's most well-known and respected retail brands. Any online security lapse by such a 'big name' company is seriously damaging to consumer confidence. It should be setting standards in web security, not damaging ecommerce for every e-tailer in the land.

silicon.com is currently campaigning to give the Data Protection Commission the resources necessary to enforce the protection of consumer data on the internet. We want ecommerce companies to Back the Act. If you want to lend your support, mail us at backtheact@silicon.com.
