[23223] in bugtraq
WebFree E-Commerce "Secure Data" Is Not Secure
daemon@ATHENA.MIT.EDU (Jonathan G. Lampe)
Wed Nov 21 21:14:46 2001
Message-Id: <5.1.0.14.0.20011121170112.02a1f450@mail.stdnet.com>
Date: Wed, 21 Nov 2001 17:52:17 -0600
To: bugtraq@securityfocus.com
From: "Jonathan G. Lampe" <jonathan@stdnet.com>
Cc: schneier@counterpane.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
On its WebFree home page ("Smartest way to sell on the Internet"),
checksnet.com (aka Glenn Welt Studios) says WebFree offers "* 100% secure
data for you and your customer ... not 1 theft reported since 1995".
The "secure data" part isn't true, and I get the feeling they had to stick
the "reported" piece in there to satisfy some kind of "what you don't know
can't hurt you" clause.

WebFree offers a service which entices people to type in information about
their personal checking account so WebFree customers can initiate
"check-like" payments through the usual check clearinghouse forum we all
know and love. Nothing unusual so far.

However, the service relies on a form and some Javascript WebFree customers
must place on their own web sites, and ALL transactions are sent IN THE
CLEAR to a central server ("http://www.checksnet.com/cgi-bin/autocsv.pl").
Most shocking perhaps is that the WebFree form appears to base its claim of
secure data transfer on its use of an ENCTYPE="x-www-form-encoded"
attribute in the form tag. I can't tell if the author of WebFree is being
stupid or intentionally deceptive, but this is probably not the "secure
transport" you would want to use to submit your checking account
information across the Internet.

(I kind of doubt this one affects anyone with a serious e-commerce site,
but you may want to let your grandmother, your brother-in-law and the guy
down the street who "just set up a web store" know about this one and
remind them to "look under the hood" before investing in or giving their
personal information out to cut-rate e-commerce clowns!)
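As an added example (not part of the original post, and not WebFree's or
checksnet.com's own code): a small Python audit that parses the forms on a
page and flags any form that posts fields resembling bank-account data to an
action URL that is not https. The sample page is constructed to match the
description above; the action URL is the one quoted in the post, while the
input names, the page URL and the "sensitive field" word list are
assumptions. The second function shows the urlencoded body exactly as a
browser would put it on the wire, which is all an ENCTYPE of the
form-urlencoded family does: pick a readable, reversible body encoding, not
an encryption. (The standard value is application/x-www-form-urlencoded;
browsers fall back to it for unrecognized values such as the one quoted
above.)

```python
"""Audit HTML forms for sensitive fields submitted to a non-TLS action URL.

Added example, not code from the Bugtraq post or from WebFree. Sample page,
field names and the sensitive-word list below are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlsplit

# Constructed sample modelled on the post's description. The action URL is
# the one quoted in the post; the input names are assumptions.
SAMPLE_HTML = """
<html><body>
<form action="http://www.checksnet.com/cgi-bin/autocsv.pl" method="POST"
      enctype="x-www-form-encoded">
  <input name="name" value="">
  <input name="routing" value="">
  <input name="account" value="">
  <input type="submit" value="Pay by check">
</form>
</body></html>
"""

# Substrings that suggest a field carries data worth protecting in transit.
SENSITIVE_HINTS = ("routing", "account", "card", "ssn", "password", "check")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method, enctype and input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "GET").upper(),
                # Browsers use this default when enctype is missing or unrecognized.
                "enctype": a.get("enctype") or "application/x-www-form-urlencoded",
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() != "submit" and a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url):
    """Return one finding per form that sends sensitive-looking fields
    to an action URL whose resolved scheme is not https."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        action = urljoin(page_url, form["action"])  # relative actions inherit the page's scheme
        scheme = urlsplit(action).scheme
        sensitive = [f for f in form["fields"]
                     if any(h in f.lower() for h in SENSITIVE_HINTS)]
        if sensitive and scheme != "https":
            findings.append({
                "action": action,
                "scheme": scheme,
                "enctype": form["enctype"],
                "sensitive_fields": sensitive,
            })
    return findings


def encoded_body(fields):
    """The POST body a browser builds for the urlencoded enctype: plain text
    that any observer on the path can read back without a key."""
    return urlencode(fields)


if __name__ == "__main__":
    page = "http://www.checksnet.com/order.htm"  # page URL from the post
    for finding in audit_forms(SAMPLE_HTML, page):
        print("non-TLS form posting sensitive fields:", finding)
    # Placeholder values, not real account data.
    print("body on the wire:", encoded_body({"routing": "ROUTING-PLACEHOLDER",
                                              "account": "ACCT-PLACEHOLDER"}))
```

Running it reports the sample form once, with scheme `http` and the two
account fields; changing both the page and the action to https (the fix the
post recommends: a certificate on the server and the form served and
submitted over SSL) empties the finding list, while the urlencoded body
stays identical and readable either way, since the encoding is unchanged and
only the transport differs.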
* * * HISTORY
I "found" this site as I was reading through some back issues of Bruce
Schneier's "Crypto-Gram" newsletter.
(http://www.counterpane.com/crypto-gram-9906.html) Since the "DogHouse"
mention of this site came out way back in June 1999, I wondered what the
site owner had done to improve security since Bruce's visit and clicked it
up. The surprising answer: not a damn thing!
I sent the following note to the email address listed on checksnet.com's
site: (glennwelt@netzero.net)

> It appears a form on your site is both available without SSL and submits
> its results without SSL.
>
> (http://www.checksnet.com/order.htm)
>
> In other words any information anyone submits from this form is passed
> through the Internet in the clear for anyone to see. You may want to
> install a certificate (from Verisign or Thawte) on this server to fix this
> problem.

Here was the official company reply: (in full from Glenn Welt Studios)

> Considering we've NEVER lost an order in 7 years nor
> have any of our customers who use the same HTML,
> I'm happy just the way it is.
* * * EXCERPT FROM ORIGINAL SOURCE, CITATION
"The Other Doghouse: ChecksNet
You too can send your bank account name and routing information in the
clear over the net. Order your checks from these people. Their Web page
clearly states: "ChecksNet protects your personal and bank account
information from theft or misuse by encoding and scrambling the data as it
is transmitted from this website to us." However, the order form is sent in
the clear; they don't use SSL."
Bruce Schneier, June 15, 1999
http://www.counterpane.com/crypto-gram-9906.html
* * * LINKS
http://www.checksnet.com/webfreed.htm
http://www.checksnet.com/order.htm
- Jonathan Lampe
- jonathan@stdnet.com