"It's absolutely diabolical - the thought that someone could order on thousands of pounds worth of goods in my name"
By Matt Loney, Munir Kotadia and Tony Hallett
Published: 14 November 2003 18:45 GMT
A major security flaw was exposed this afternoon on the website of UK retailer B&Q, www.diy.com. It allowed a potential hacker relatively easy access to customers' personal details, potentially including credit card numbers.
The flaw, which was discovered by a silicon.com reader, made it possible to log in under accounts of other B&Q customers with little or no technical knowledge. Once logged in, it was possible to view or change the personal details of that customer - including full name, delivery address, phone number and email address. Once access to an account was gained, if the customer had entered their credit card details, it was also possible to order goods on their account.
B&Q customer John Dunbar said he was horrified when told about the security flaw by silicon.com sister site ZDNet UK.
"The thing is you assume that big companies like this have sorted it out and that the security is there," he said. "You don't for a minute think that other people can get access to your details. It's absolutely diabolical - the thought that someone could order on thousands of pounds worth of goods in my name."
According to the security notice on B&Q's website, every online transaction is checked by the company's "fraud control systems" and "in the unlikely event of fraudulent or unauthorised use" the company promises to refund any money received by B&Q but it stipulates that the customer must first notify their credit card company and B&Q directly (0870 0101 006) or through the company's website.
Neil Barrett, security expert and visiting professor at Cranfield University, said B&Q had made a very basic error on its site.
"It's a malformed SQL query. The data from the form [where a password should be entered] should go into a query, from the web server to a back end database. It's the form to query part that is being mishandled," he said. "It's very easy to make those sorts of errors. And very simple to fix."
Matt Louth, head of the technology team at B&Q Direct, said the site was promptly made secure once informed of the weakness by silicon.com.
"We try to protect our customers' interests and we will find a more secure way" for them to log in, he said.
B&Q's website and development is handled in-house.
Matt Loney and Munir Kotadia write for ZDNet UK.
Some people are so niave, to believe a 'big compan...
Anonymous
They could also try securing their wireless networ...
Anonymous
The problem is that many large businesses think th...
Anonymous
This is a problem of quality assurance and alpha t...
Antony Booth
'Some people are so niave...'
These people are ...
Mike Knowles
Retail Banking/Credit Card background preffered but not essential Senior Marketing Analyst - London - Up to 40k + Excellent Benefits A Consumer ...
General Purpose The overall objective of this role is to support the development and growth of the global credit card practice within the ...
We are currently looking for a Risk Manager with fraud and operational experience for our client within the credit card payments industry. Risk ...
Agenda Setters 2008
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Naked CIO Naked CIO: Should you monitor staff? Somebody's watching you
Elinor Mills Why 1970s hackers had 'whiz kid' status Q&A: Kevin Mitnick - blackhat hacker turned good guy