
"It's absolutely diabolical - the thought that someone could order on thousands of pounds worth of goods in my name"
By Tony Hallett, Munir Kotadia, Matt Loney
Published: 14 November 2003 18:45 GMT
A major security flaw was exposed this afternoon on the website of UK retailer B&Q, www.diy.com. It allowed a potential hacker relatively easy access to customers' personal details, potentially including credit card numbers.
The flaw, which was discovered by a silicon.com reader, made it possible to log in to other B&Q customers' accounts with little or no technical knowledge. Once logged in, it was possible to view or change that customer's personal details - including full name, delivery address, phone number and email address. If the customer had stored their credit card details, it was also possible to order goods on their account.
B&Q customer John Dunbar said he was horrified when told about the security flaw by silicon.com sister site ZDNet UK.
"The thing is you assume that big companies like this have sorted it out and that the security is there," he said. "You don't for a minute think that other people can get access to your details. It's absolutely diabolical - the thought that someone could order on thousands of pounds worth of goods in my name."
According to the security notice on B&Q's website, every online transaction is checked by the company's "fraud control systems" and "in the unlikely event of fraudulent or unauthorised use" B&Q promises to refund any money it received, but it stipulates that the customer must first notify their credit card company and B&Q, either directly (0870 0101 006) or through the company's website.
Neil Barrett, security expert and visiting professor at Cranfield University, said B&Q had made a very basic error on its site.
"It's a malformed SQL query. The data from the form [where a password should be entered] should go into a query, from the web server to a back end database. It's the form to query part that is being mishandled," he said. "It's very easy to make those sorts of errors. And very simple to fix."
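The "form to query" mishandling Barrett describes is the classic SQL injection pattern: the contents of the username and password boxes are pasted straight into the text of the query, so a quote character in the input changes the structure of the query rather than being treated as data. The following is an added example, not B&Q's code; the article does not say exactly what the diy.com login query looked like, so the table, column names, sample customers and the precise injection string are all assumptions chosen to illustrate the mechanism, and the toy stores passwords in clear text only to keep the comparison short.

```python
import sqlite3

# Constructed sample data standing in for the retailer's back-end database.
# Hypothetical schema and customers; nothing here is taken from diy.com.
CUSTOMERS = [
    (1, "jdunbar", "hunter2", "John Dunbar", "1 High Street"),
    (2, "asmith", "s3cret", "Alice Smith", "2 Low Road"),
]


def make_db():
    """Build an in-memory SQLite database with the toy customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers "
        "(id INTEGER, username TEXT, password TEXT, name TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    return conn


def login_vulnerable(conn, username, password):
    """The mishandled 'form to query' step: form fields are interpolated
    into the SQL text, so the attacker's input becomes part of the query."""
    sql = (
        "SELECT name, address FROM customers "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password):
    """The same check with bound parameters: the driver passes the values
    separately from the SQL text, so quotes or comment markers in the input
    are compared as data and cannot alter the query's structure."""
    return conn.execute(
        "SELECT name, address FROM customers WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo():
    """Knowing only a victim's username, an attacker closes the string literal
    and comments out the password check. The vulnerable query becomes
        ... WHERE username = 'jdunbar'--' AND password = 'anything'
    and returns the victim's row; the parameterised query looks for a user
    literally named jdunbar'-- and finds nothing."""
    conn = make_db()
    attacker_username = "jdunbar'--"  # assumed injection string
    return {
        "vulnerable": login_vulnerable(conn, attacker_username, "anything"),
        "fixed": login_fixed(conn, attacker_username, "anything"),
        "fixed_with_real_password": login_fixed(conn, "jdunbar", "hunter2"),
    }


if __name__ == "__main__":
    for label, row in demo().items():
        print(label, "->", row)
```

Because the fix leaves the application logic untouched and only changes how the values reach the database, it is, as Barrett says, very simple to apply; the same parameter-binding call exists in every mainstream database driver, and the check to run across a code base is whether any query text is still assembled with string formatting or concatenation from request data.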
Matt Louth, head of the technology team at B&Q Direct, said the site was promptly made secure once informed of the weakness by silicon.com.
"We try to protect our customers' interests and we will find a more secure way" for them to log in, he said.
B&Q's website and its development are handled in-house.
Matt Loney and Munir Kotadia write for ZDNet UK.
Copyright © 2008 CBS Interactive Limited. All rights reserved.