[24830] in bugtraq
secureinc.com Vulnerability
daemon@ATHENA.MIT.EDU (Jason Giglio)
Mon Mar 25 23:35:38 2002
Date: Sat, 23 Mar 2002 14:50:59 -0500
From: Jason Giglio <jgiglio@netmar.com>
To: bugtraq@securityfocus.com
Message-Id: <20020323145059.5c71d946.jgiglio@netmar.com>
This is a minor vulnerability involving any e-commerce site that uses secure.secureinc.com as its credit card processing server.
After order information is submitted, the server attempts to set a cookie that includes all form information, including billing and shipping name, address and phone number. Credit card information is not included. This information is stored in plaintext on the user's computer, without any notice or way to opt out.
Vendor notification:
None. The vulnerability is minor, and www.secureinc.com does not have any contact information on it, or anything much for that matter. I discovered this after placing an order with a company that uses secureinc.com as their credit card processor.
Workaround:
Reject this cookie from secure.secureinc.com, as it is not necessary for processing your orders.
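
The following is an added example, not part of the original post or the vendor's code: a check a site operator or tester can run over the Set-Cookie headers returned after a form submission to see which submitted fields are echoed into a cookie in plaintext. The cookie names, field names, values and the URL-encoded cookie format are constructed assumptions, since the post does not give the real cookie layout.

```python
from http.cookies import SimpleCookie
from urllib.parse import unquote_plus

# Constructed sample data: the post does not give the real cookie name or format.
SUBMITTED_FORM = {
    "bill_name": "Pat Example",
    "bill_address": "12 Sample St",
    "bill_phone": "555-0100",
    "card_number": "4111111111111111",
}
SAMPLE_SET_COOKIE = [
    "order=bill_name%3DPat+Example%26bill_address%3D12+Sample+St"
    "%26bill_phone%3D555-0100; path=/",
    "session=9f2c1ab7; path=/; secure",
]

def _normalize(text):
    """Undo URL-encoding (up to three layers) and case-fold for comparison."""
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text.casefold()

def leaked_fields(set_cookie_headers, form, min_len=4):
    """Return {cookie_name: [form fields whose values appear in that cookie]}."""
    findings = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses one Set-Cookie header value
        for name, morsel in jar.items():
            value = _normalize(morsel.value)
            # Skip very short values to avoid accidental substring matches.
            hits = sorted(
                field for field, submitted in form.items()
                if len(submitted) >= min_len and _normalize(submitted) in value
            )
            if hits:
                findings[name] = hits
    return findings

if __name__ == "__main__":
    for cookie, fields in leaked_fields(SAMPLE_SET_COOKIE, SUBMITTED_FORM).items():
        print(f"cookie {cookie!r} stores form fields in plaintext: {', '.join(fields)}")
```
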