You are here: silicon.com > Software > Security Strategy

Security Strategy

B&Q left door open for DIY hackers

"It's absolutely diabolical - the thought that someone could order on thousands of pounds worth of goods in my name"

Tags: b&q

Printer Friendly Email Story RSS

By Tony Hallett, Munir Kotadia, Matt Loney

Published: 14 November 2003 18:45 GMT

A major security flaw was exposed this afternoon on the website of UK retailer B&Q, www.diy.com. It allowed a potential hacker relatively easy access to customers' personal details, potentially including credit card numbers.

The flaw, which was discovered by a silicon.com reader, made it possible to log in under accounts of other B&Q customers with little or no technical knowledge. Once logged in, it was possible to view or change the personal details of that customer - including full name, delivery address, phone number and email address. Once access to an account was gained, if the customer had entered their credit card details, it was also possible to order goods on their account.

B&Q customer John Dunbar said he was horrified when told about the security flaw by silicon.com sister site ZDNet UK.

"The thing is you assume that big companies like this have sorted it out and that the security is there," he said. "You don't for a minute think that other people can get access to your details. It's absolutely diabolical - the thought that someone could order on thousands of pounds worth of goods in my name."

According to the security notice on B&Q's website, every online transaction is checked by the company's "fraud control systems" and "in the unlikely event of fraudulent or unauthorised use" the company promises to refund any money received by B&Q but it stipulates that the customer must first notify their credit card company and B&Q directly (0870 0101 006) or through the company's website.

Neil Barrett, security expert and visiting professor at Cranfield University, said B&Q had made a very basic error on its site.

"It's a malformed SQL query. The data from the form [where a password should be entered] should go into a query, from the web server to a back end database. It's the form to query part that is being mishandled," he said. "It's very easy to make those sorts of errors. And very simple to fix."

Matt Louth, head of the technology team at B&Q Direct, said the site was promptly made secure once informed of the weakness by silicon.com.

"We try to protect our customers' interests and we will find a more secure way" for them to log in, he said.

B&Q's website and development is handled in-house.

Matt Loney and Munir Kotadia write for ZDNet UK.

Add Comment Add comment  Printer Friendly Print story with   Email Story Email story  
In
Applications

Operating Systems

SOA/Web Services

Malware

Security Strategy


Reader Comments

Some people are so niave, to believe a 'big compan...
Anonymous

They could also try securing their wireless networ...
Anonymous

The problem is that many large businesses think th...
Anonymous

This is a problem of quality assurance and alpha t...
Antony Booth

'Some people are so niave...' These people are ...
Mike Knowles

Click here to see all

Related Links

Data Protection Commissioner washes hands of Powergen

Surfer uncovers 'millions' of online bank accounts

E-banks told to carry the can for online fraud

Powergen in security scandal - thousands of debit card details open to abuse

Bank Employs SMS Messaging System to Protect Customers From Credit-Card Fraud

  1. Zones
  2. Management
  3. Networks
  4. Software
  5. IT Services
  6. Hardware
  1. Verticals
  2. Public Sector
  3. Financial Services
  4. Retail & Leisure

Clive Longbottom Windows 7: Not perfect - but ready for prime time Microsoft's latest OS fixes most of Vista's ills - but still has challenges ahead

Stephen Kleynhans Mind the details with Windows 7 Just because it might work better than Vista, it doesn't mean you can be sloppy

Bletchley Park's World War Two codebreakers in their own words

'You're responsible for your own wi-fi security' say ISPs

'UK must up privacy safeguards following Phorm'

The top 10 technologies you need to plan for next year

Windows 7: Who's adopting it, when and why?


  • Jobs
Business Analyst - Financial

Experience and knowledge of the Credit Card industry. CUSTOMER IMPACT STATEMENT The Technology Division has a Contract role for a Senior Business ...

MI Analyst

Edinburgh thetrainline.com is the leading independent retailer of train tickets online. s Fraud Strategy by and preventing transactions which present ...

RR90921 - Business Analyst (Big Card)

Requirements, Use Cases, Process maps.Experience of business process mapping & designExperience of using Use Cases to structure analysisExperience of ...

Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.

Is Your Enterprise Architected for Tomorrow's Growth?

Improving IT service delivery through an integrated approach to software asset management...

TechRepublic Resource Guide: Software as a Service (SaaS) for Small and Midsize Businesses...

Top 10 DMVs for Easier SQL Server Monitoring

Martin Brokers cashes in on back-up swap

VocaLink makes virtualisation pay

Sony Pictures sets sights on best IT Oscar

Co-op Group kicks "server sprawl" into touch

Arts Council gets tech troubleshooting boost

Torex tech treats Thorntons to quicker sales

Stories from the web...


Windows 7, Snow Leopard, open source and glory for Steve Jobs

Revealed: Your favourite Windows operating system

iPhones under attack from Rick Astley worm

eBay's Skype sale gets green light

Join the silicon.com LinkedIn networking group

Windows 7: Over 200 per cent more popular than Vista




Quick Sitemap Links: