- CNET NETWORKS UK BUSINESS SITES:
- atlarge.com
- BNET UK
- silicon.com
- SmartPlanet.com
- ZDNet.co.uk
"It's absolutely diabolical - the thought that someone could order on thousands of pounds worth of goods in my name"
By Matt Loney, Munir Kotadia and Tony Hallett
Published: 14 November 2003 18:45 GMT
A major security flaw was exposed this afternoon on the website of UK retailer B&Q, www.diy.com. It allowed a potential hacker relatively easy access to customers' personal details, potentially including credit card numbers.
The flaw, which was discovered by a silicon.com reader, made it possible to log in under accounts of other B&Q customers with little or no technical knowledge. Once logged in, it was possible to view or change the personal details of that customer - including full name, delivery address, phone number and email address. Once access to an account was gained, if the customer had entered their credit card details, it was also possible to order goods on their account.
B&Q customer John Dunbar said he was horrified when told about the security flaw by silicon.com sister site ZDNet UK.
"The thing is you assume that big companies like this have sorted it out and that the security is there," he said. "You don't for a minute think that other people can get access to your details. It's absolutely diabolical - the thought that someone could order on thousands of pounds worth of goods in my name."
According to the security notice on B&Q's website, every online transaction is checked by the company's "fraud control systems" and "in the unlikely event of fraudulent or unauthorised use" the company promises to refund any money received by B&Q but it stipulates that the customer must first notify their credit card company and B&Q directly (0870 0101 006) or through the company's website.
Neil Barrett, security expert and visiting professor at Cranfield University, said B&Q had made a very basic error on its site.
"It's a malformed SQL query. The data from the form [where a password should be entered] should go into a query, from the web server to a back end database. It's the form to query part that is being mishandled," he said. "It's very easy to make those sorts of errors. And very simple to fix."
Matt Louth, head of the technology team at B&Q Direct, said the site was promptly made secure once informed of the weakness by silicon.com.
"We try to protect our customers' interests and we will find a more secure way" for them to log in, he said.
B&Q's website and development is handled in-house.
Matt Loney and Munir Kotadia write for ZDNet UK.
Some people are so niave, to believe a 'big compan...
Anonymous
They could also try securing their wireless networ...
Anonymous
The problem is that many large businesses think th...
Anonymous
This is a problem of quality assurance and alpha t...
Antony Booth
'Some people are so niave...'
These people are ...
Mike Knowles
Based from their Berkshire HQ a leading name banking has the opportunity for a credit risk analyst to join them as a matter of urgency. Forget the ...
Credit card, Financial Services or Banking experience is preferred to some degree and must be prepared to enter a challenging environment to make a ...
The successful candidate will work closely with our technical director and account managers to deliver robust and innovative projects. To be ...
CIO50 2008
The silicon.com CIO50 2008 profiles the most influential and innovative tech chiefs in the UK across all industries and organisation size, from the biggest FTSE100 companies to high growth dot-com start ups and the public sector. The list was voted on by the UK CIO community and a panel of experts. Find out more in our latest special report.
Stories from the web...
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved. Top of page
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
RSS Feeds
Martin Brampton Brampton Factor: Open source stands up for its rights Copyright can keep the movement alive...
Bob Tarzey The rise and rise of Infor Quocirca's Straight Talking: Where next for the apps giant?