"It's absolutely diabolical - the thought that someone could order on thousands of pounds worth of goods in my name"
By Tony Hallett, Munir Kotadia, Matt Loney
Published: 14 November 2003 18:45 GMT
A major security flaw was exposed this afternoon on the website of UK retailer B&Q, www.diy.com. It allowed a potential hacker relatively easy access to customers' personal details, potentially including credit card numbers.
The flaw, which was discovered by a silicon.com reader, made it possible to log in under accounts of other B&Q customers with little or no technical knowledge. Once logged in, it was possible to view or change the personal details of that customer - including full name, delivery address, phone number and email address. Once access to an account was gained, if the customer had entered their credit card details, it was also possible to order goods on their account.
B&Q customer John Dunbar said he was horrified when told about the security flaw by silicon.com sister site ZDNet UK.
"The thing is you assume that big companies like this have sorted it out and that the security is there," he said. "You don't for a minute think that other people can get access to your details. It's absolutely diabolical - the thought that someone could order on thousands of pounds worth of goods in my name."
According to the security notice on B&Q's website, every online transaction is checked by the company's "fraud control systems" and "in the unlikely event of fraudulent or unauthorised use" the company promises to refund any money received by B&Q but it stipulates that the customer must first notify their credit card company and B&Q directly (0870 0101 006) or through the company's website.
Neil Barrett, security expert and visiting professor at Cranfield University, said B&Q had made a very basic error on its site.
"It's a malformed SQL query. The data from the form [where a password should be entered] should go into a query, from the web server to a back end database. It's the form to query part that is being mishandled," he said. "It's very easy to make those sorts of errors. And very simple to fix."
Matt Louth, head of the technology team at B&Q Direct, said the site was promptly made secure once informed of the weakness by silicon.com.
"We try to protect our customers' interests and we will find a more secure way" for them to log in, he said.
B&Q's website and development is handled in-house.
Matt Loney and Munir Kotadia write for ZDNet UK.
Some people are so niave, to believe a 'big compan...
Anonymous
They could also try securing their wireless networ...
Anonymous
The problem is that many large businesses think th...
Anonymous
This is a problem of quality assurance and alpha t...
Antony Booth
'Some people are so niave...'
These people are ...
Mike Knowles
Ideally you will have come from a credit card/ banking background. Business Analyst. You will have recent experience of working within Bank that ...
A leading retail banking organisation, based in London (WC) currently has a vacancy for a Risk Analyst to join the Credit Card Risk Analytics team. ...
You will be reponsible for:Driving forward with innovative technology solutions that will support / realise both technology and business and drive ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Bob Tarzey Why you must rein in your power users When they do damage, it can be catastrophic to your business
Jon Collins Is losing a mobile device really such a big deal? How to minimise the damage to your business