4 posts tagged 'to'

  1. 2009.09.04 Flaw In Sears Website Left Database Open To Attack by CEOinIRVINE
  2. 2009.03.25 Coming Soon To eBay: The Taxman by CEOinIRVINE
  3. 2009.01.30 maxmind.com : anti proxy , block proxy users by CEOinIRVINE
  4. 2008.12.10 How to prepare for February's digital-TV switchover by CEOinIRVINE
Business-logic flaw in Sears.com Web application could have let hackers brute-force attack the retailer's gift card database

Sep 01, 2009 | 03:49 PM

By Kelly Jackson Higgins
DarkReading

A newly discovered vulnerability on Sears.com could have allowed attackers to raid the retail giant's gift card database.

Alex Firmani, owner of Merge Design and a researcher, this week revealed a major security hole on Sears.com that could allow an attacker to easily steal valid gift cards -- a heist he estimates could be worth millions of dollars. Firmani says he alerted Sears about the flaw, and that Sears has since "plugged" the hole by removing the feature that let customers verify and check their gift-card balances.

The vulnerability was a business logic flaw in a Web application that handles gift card account inquiries; Firmani was able to stage a brute-force attack that could grab all valid, active Sears and Kmart gift cards from the company's database.

Firmani says the site wasn't auditing verification requests, which allowed him to verify gift card and PIN combinations using a homegrown PHP script that automatically submitted the requests. "I wrote a PHP script to hammer their verification server. It happily replied with thousands of verification responses per minute," he says.

The Sears application relied on client-side cookies to halt brute-force verification attempts, which Firmani says wasn't effective. "They should know where the verification requests come from, log them all, and be able to disable the verifications when they have a malicious attack," he says. "It doesn't appear to me that they had any server-side control over how many verifications were done."

Jeremiah Grossman, CTO of WhiteHat Security, says this type of flaw is probably fairly common on retailer Websites. And unlike a cross-site scripting or SQL injection bug, this business logic flaw "basically lets an attacker defraud Sears.com directly," Grossman says.

Firmani's discovery came on the heels of reports of multiple cross-site scripting (XSS) vulnerabilities on Sears' Web pages that were abused by an attacker to deface the Website.

"I thought this was notable with Sears being a Fortune 50 company," he says. "I have not tested many other large retailers, but I would hope most of them take better care than this. For smaller sites that write their own gift-card verification code, I'd expect just as many are vulnerable."

Firmani, who says he discloses Website flaws to site owners in order to highlight common Web application security issues, suggests that Sears require a valid user account login before allowing a verification request to be sent. "You could then record the number of verification requests and lock out any offending accounts automatically and without relying on client-side cookie," he wrote in his disclosure paper. "Recording requests server-side would be a more reliable way of handling repeat request offenders."

Other options he suggested include recording in a server-side database the IP addresses of users verifying their gift cards, using a "number-used once" (nonce) scheme in the verification form, and logging all verification requests and using a script to shut down the response server if more than a designated number of requests arrive per minute.
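Server-side controls of the kind Firmani recommends, as an added example that is not the article's or Sears' code: a hypothetical VerificationGuard that requires a logged-in account, issues a single-use form nonce, keeps per-account, per-IP and global request counters on the server rather than in a client cookie, locks out accounts that exceed their limit, and logs every decision. Thresholds, account names and IP addresses are constructed.

```python
import secrets
import time
from collections import defaultdict, deque

# Constructed example, not Sears' code: server-side throttling for a gift-card
# verification endpoint using the controls the article recommends (login required,
# server-side counters instead of client cookies, single-use nonce, global breaker).
class VerificationGuard:
    def __init__(self, per_account=5, per_ip=20, window=60, global_limit=300, lockout=900):
        self.per_account, self.per_ip, self.window = per_account, per_ip, window
        self.global_limit, self.lockout = global_limit, lockout
        self.attempts = defaultdict(deque)   # counter key -> timestamps of allowed requests
        self.locked = {}                     # account -> time the lockout expires
        self.nonces = {}                     # nonce -> account it was issued to
        self.log = []                        # audit trail: (time, account, ip, decision)

    def issue_nonce(self, account):
        """Called when the verification form is rendered for a logged-in account."""
        nonce = secrets.token_urlsafe(16)
        self.nonces[nonce] = account
        return nonce

    def _count(self, key, now):
        queue = self.attempts[key]
        while queue and queue[0] <= now - self.window:   # expire entries outside the window
            queue.popleft()
        return len(queue)

    def check(self, account, ip, nonce, now=None):
        """Return (allowed, reason); every decision is recorded server-side."""
        now = time.time() if now is None else now
        reason = "ok"
        if account is None:
            reason = "login_required"
        elif self.nonces.pop(nonce, None) != account:
            reason = "bad_nonce"             # replayed, forged or another account's token
        elif self.locked.get(account, 0) > now:
            reason = "account_locked"
        elif self._count(("ip", ip), now) >= self.per_ip:
            reason = "ip_rate_limited"
        elif self._count(("global",), now) >= self.global_limit:
            reason = "service_paused"        # the shut-down-the-responder breaker
        elif self._count(("acct", account), now) >= self.per_account:
            self.locked[account] = now + self.lockout
            reason = "account_locked"
        self.log.append((now, account, ip, reason))
        if reason == "ok":
            for key in (("ip", ip), ("global",), ("acct", account)):
                self.attempts[key].append(now)
        return reason == "ok", reason
```

Only requests that reach the gift-card lookup count toward the limits; rejected requests are logged but never consume a verification, so the audit trail still shows the full volume an attacker generated.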

"Security these days is less about what version of Apache you're running and more about custom-written Web applications. With Web apps given unfettered database access, it becomes a simple matter of exploiting less-than-solid Web application programming," Firmani says. "Finding holes in home-brewed Web app code is much easier than exploiting a root-escalation bug on a Linux server, but both often have similar database access."

Posted by CEOinIRVINE

Coming Soon To eBay: The Taxman

IT 2009. 3. 25. 08:06

Are you a spare-bedroom merchant? Time to start reporting sales to the IRS.


With the economy worsening, more and more people are likely trying to make ends meet by selling goods via eBay, Amazon.com, Google Checkout and other online services. The Internal Revenue Service is fixing to wield a big new weapon to get its cut.

Desperate to generate revenues by narrowing the "tax gap" (and at the urging of the Bush administration), Congress last year passed legislation requiring processors of third-party payments and settlements--mainly payment card companies and services like Paypal--to report to the IRS individuals and business entities that receive at least $20,000 a year in credit- or debit-card charges from 200 or more transactions. The mandatory reporting, buried in the Housing Assistance Tax Act of 2008, would begin in 2011.

The IRS is already soliciting comments on how to implement the law. The primary mechanism likely would be a once-a-year issuance of a variation of Form 1099 reporting gross receipts paid.

Here's the big implication: If the IRS sees a credit card or Paypal 1099 issued for an individual who has filed a tax return that doesn't include a Schedule C (Net Profit From Business-Sole Proprietorship) or includes one showing too little in sales, or to a business reporting too little in sales, the agency might target the recipient for an audit. If an audit target fails to produce acceptable documentation of his or her business proceeds and expenses, the IRS might well include all the revenue reported on the 1099s, disallow any undocumented business expenses and then assess taxes, interest and possibly penalties on profits a taxpayer didn't even have.

A large number of mom-and-pop Internet sellers won't reach the $20,000, 200-transaction threshold for payment card reporting. But if you're one who might, or you simply want to avoid any IRS hassles, how best to protect yourself?

For starters, we recommend honesty. (After all, even sales that aren't subject to 1099 reporting are legally required to be reported on your tax return.) Close behind honesty is keeping good records, which, in this day of easy-to-use computer programs like Quicken, Microsoft Money and QuickBooks, is no longer an obstacle. On eBay, if worst comes to worst, regularly download and print out the page showing all transactions for the past two months.

Here are some other pointers:

--Try to produce a profit more often than not. If you show a profit for three years out of five, the IRS presumes you're legitimately in business for profit. If you show a loss for three years out of five, the IRS is more likely to assert that your buying and selling--say, of Star Wars memorabilia--is really just a hobby, not a business. You want it to be a business; legitimate business expenses are all deductible on Schedule C. If, in some years, your expenses exceed your sales, you can claim a loss and use it to offset other income from, say, your day job if you still have one.

Proxy Detection Web Service: Usage from Perl, ASP and PHP

Examples below show how to use the MaxMind Proxy Detection web service API from server-side scripts in Perl, ASP and PHP. These can be adapted for other web services.

Any programming language that supports HTTP client calls should be able to use MaxMind web services.

Perl Example

#!/usr/bin/perl

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Headers;

# replace these values with your license key and the address to check
my $license_key = "LICENSE_KEY_HERE";
my $ipaddress   = "80.24.24.24";

my $ua = LWP::UserAgent->new(timeout => 2);
my $h  = HTTP::Headers->new;
$h->content_type('application/x-www-form-urlencoded');
my $request = HTTP::Request->new('POST', 'https://minfraud3.maxmind.com/app/ipauth_http',
    $h, "l=$license_key&ipaddr=$ipaddress");
my $res = $ua->request($request);
die "request failed: " . $res->status_line . "\n" unless $res->is_success;
my $content = $res->content;
print "content = $content\n";
Active Server Pages (ASP) Example

Dim objHttp, strQuery, license_key, ipaddress
' replace these values with your license key and the address to check
license_key = "LICENSE_KEY_HERE"
ipaddress = "IP_ADDRESS_HERE"
strQuery = "https://minfraud3.maxmind.com/app/ipauth_http?l=" & license_key & _
    "&ipaddr=" & ipaddress
Set objHttp = Server.CreateObject("Msxml2.ServerXMLHTTP")
objHttp.open "GET", strQuery, False
objHttp.send
Response.Write objHttp.ResponseText
Set objHttp = Nothing
Requirements:

  1. ASP 3.0+
  2. Microsoft® XML 3.0 Component
Microsoft XML 3.0 Component can be downloaded for free from here.

PHP Example

#!/usr/bin/php -q
<?php
// replace these values with your license key and the address to check
$license_key = 'LICENSE_KEY_HERE';
$ipaddress   = 'IP_ADDRESS_HERE';
$query = "https://minfraud3.maxmind.com/app/ipauth_http?l=" . urlencode($license_key)
    . "&ipaddr=" . urlencode($ipaddress);
$score = file_get_contents($query);
if ($score === false) {
    fwrite(STDERR, "request failed\n");
    exit(1);
}
echo $score;
?>


(CNET) -- Television as we know it is about to change drastically in the U.S. in February, when broadcasters switch solely to transmitting digital signals. And even though there are many benefits to this transition, there are also a few downsides.

On February 17, U.S. broadcasters will begin transmitting their TV signals only in digital format.

Here's the lowdown on what you can expect from the new digital TV service, the good, the bad, and the ugly.

First, let's start with the good. On February 17, broadcasters throughout the country will flip a switch turning off their old analog TV transmitters, and they will begin transmitting their TV signals only in digital format. Over 90 percent of TV stations today already broadcast both analog and digital stations, which means that consumers don't have to wait until February to test and tweak their TVs to get digital TV.

For the most part, the switch to digital TV will benefit all Americans, regardless of whether they watch over-the-air TV.

Digital signals use wireless spectrum much more efficiently than analog signals, which is why the government mandated the switch in the first place. Congress set the February 17, 2009, deadline so that the government could free up wasted spectrum so that it could be used to build more robust emergency wireless networks, as well as provide the private sector with more spectrum that could be used to develop new wireless broadband services.

The government has already auctioned off most of the unused spectrum. And after February, service providers who won licenses in those auctions will be able to get to work building their next-generation wireless networks.

For over-the-air TV viewers, the switch to digital also has many benefits, including sharper pictures, better sound quality, and more content. Using analog signals, broadcasters can only transmit one channel of content at a time.

But with digital signals, broadcasters can transmit multiple channels at once. In fact, many broadcasters have already launched three or four separate digital channels, each carrying programming of interest to diverse communities. And because there is more bandwidth available, broadcasters are also transmitting some of these channels in high-definition.

In some cases if consumers have a high-definition TV, they'll even be able to get some HD channels for free. For example, all the major networks--ABC, CBS, Fox, and NBC--transmit some shows over the air in HD. This means that many consumers will be able to access HD content without subscribing to a pricey cable package.

"Digital broadcast will vastly improve free TV viewing," said Graham Jones, the director of communications engineering for the science and technology department of the National Association of Broadcasters. "All the networks are broadcasting in HD, and viewers can receive it for nothing. They don't have to pay a cent. And with modern receivers and antennas, reception is very solid."

Better for many, not all

But with the good, also comes some bad. Unfortunately, not everyone in every corner of the U.S. will experience all the great benefits of digital TV. Because analog signals transmit over longer distances than digital signals, some over-the-air viewers living in rural areas may find that they do not get all the same channels they were able to when they received analog TV.

This scenario is mostly true for people who already receive weak analog TV signals. For example, if someone generally gets a snowy or fuzzy picture using an antenna to receive an analog TV signal, there's a good chance that the viewer won't be able to receive the digital signal at all.

"Some people may have been able to put up with a poor analog signal, because the receiver still received the transmission, albeit in a fuzzy form," Jones said. "But if a digital signal is weak, the receiver can't decode it, and the transmission stops, which means people simply get a blank screen."

This is exactly what happened to some viewers in Wilmington, North Carolina, when the Federal Communications Commission and local broadcasters tested turning off their analog signals earlier this year.

Broadcasters have tried to compensate for this issue by boosting transmission power, but Jones said because digital and analog signals are broadcast at different frequencies it may be difficult to replicate broadcasts exactly, which means some people may be left without some channels they could have received with analog transmissions.

The issues won't be limited to rural consumers. Some city dwellers may also have trouble receiving certain channels. Even though people living in a city such as New York or Chicago will likely be able to receive strong digital broadcast signals, they could fall victim to other issues that preclude them from receiving certain channels further up the dial. The reason is simple. Channels broadcast at higher frequencies don't go around buildings or through walls as easily, and this could disrupt transmission.

Consumers may have to do a little research

But consumers shouldn't throw their hands up in defeat too quickly. With a little investigation and a few extra dollars spent on new equipment, even viewers in some challenging geographies could still receive a good quality digital TV experience.

So what's a consumer to do? First, consumers who rely on over-the-air broadcasts need to determine whether they want to keep their old analog TVs or invest in new digital or high-definition TVs. If a consumer keeps his old analog TV, the government is offering $40 coupons to help defray the cost of buying a digital converter box, which attaches to the TV and costs about $60.

These boxes essentially turn an old TV into one that can view digital signals. If he is already getting a good analog signal, he'll likely be able to keep the same antenna for the digital service. But if he was already getting a poor signal, Jones recommends upgrading to a better antenna.

But Jones also emphasizes that to get the best digital TV experience consumers should buy a new digital or high-definition TV. As of March 1, 2007, all television reception devices, which includes TVs, VCRs, and DVRs, sold in the U.S. have been required by law to contain a digital tuner. And with smaller HDTVs selling for as little as $400 or $500, high definition has also become an affordable feature.

But even with a new digital TV, Jones said that consumers will still need an antenna to receive the over-the-air signals. For help in determining which kind of outdoor antenna you might need, check out AntennaWeb.org. This is a Web site set up by NAB and the Consumer Electronics Association that allows consumers to enter their address and provide details about their immediate surroundings, such as how many trees or tall buildings are nearby, to help determine which type of antenna would be best.

Jones also recommends that before consumers buy a new antenna they try their old one first. Several retailers, including Best Buy, are offering workshops around the country to provide information to consumers. There is also information on the Web site DTVanswers.com.

And Jones suggests that consumers call their local broadcast stations directly to figure out in which direction they should point their antenna for the best reception. Local broadcasters will also be able to provide information about whether consumers are even within range to receive the new digital signal.

"There are some 1,700 broadcasters in the U.S.," Jones said. "The local stations will know better than we will how to help viewers in their specific region. So if people have questions, they should call their local broadcasters. And these broadcasters should be available and able to help them."

Several local stations have already set up hotlines for consumers to call. And broadcasters around the country have been "soft" testing the transition. During these tests, broadcasters turn off their analog signals. If consumers are still trying to view the channel using an analog TV, a screen will pop up where the program had been informing viewers of the deadline and how to get ready for the digital switch.

A bill passed in the U.S. Senate last week that would require some broadcasters to offer this information screen to viewers for 30 days after the February 17 deadline. The measure must still pass the House of Representatives before it becomes law.

But even if it does become law, Jones said that not every broadcaster would be able to continue broadcasting the message over its analog channel, because as of that date, new spectrum holders will have access to those airwaves. Instead, he has been encouraging viewers not to wait until the deadline to test their digital TV readiness.

"Broadcasters are already transmitting digital signals today," he said. "So there's no reason for people to wait until February to make their equipment tweaks and start benefiting from digital."
