That Sears website exploit we posted about a couple of weeks ago was funny, mainly because it seemed more embarrassing for Sears than a true security risk. However, an independent security researcher had also discovered a more significant issue with the site—it allowed for an unlimited number of gift card verification attempts via an external script, so a criminal could use the site as a brute force method to identify valid gift cards for Sears and Kmart.
Alex Firmani alerted Sears about the gift card exploit before the XSS exploit we mentioned above ever made it to the blogosphere, but they ignored him; while they called him back to discuss the matter, they didn’t fix the problem:
On first reporting this to a company representative, the response from Sears was polite but they didn’t take it as a pressing issue requiring a 0-day fix. Even after last week when Sears was reported first on Reddit, then FoxNews, TMZ, and the Consumerist to have easily exploitable XSS security holes all over their web properties, three days went by and I could still verify as many gift cards as I liked. And this is the same Sears.com that is authorized by MasterCard and Visa to store consumers’ credit card numbers in their database!
After I copied a short report of my findings to a few Executive VP emails at Sears Holdings, the next day, all online gift card verification scripts were taken offline.
There’s some debate over at Reddit whether the gift card exploit could reasonably be used to a criminal’s advantage, but what we’re surprised about is how a company as big as Sears would leave themselves open like this—even after being privately alerted about the issue.
A DarkReading article on the exploit quotes WhiteHatSecurity CTO Jeremiah Grossman saying that this is probably a fairly common security flaw on e-commerce sites. Firmani makes a point of urging other retailers to practice better security hygiene:
Responsible website owners MUST implement security measures on the server-side to prevent continual tries at gift card verification. Sears.com used cookies and relied on browser and user honesty to report those cookies back if they had tried and failed with more than three gift card numbers. You can never, ever rely on client-side cookies as a method of security for anything. Optimally you should require a site user account before they can verify a gift card number so you could then lock out accounts and use your overall account security strategy as a method to prevent numerous verifications. And you should have a self-termination routine on the verification scripts so they shut off if too many requests are received.
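To make the three controls in Firmani’s advice concrete (a server-side attempt counter tied to a user account, account lockout, and a verification script that shuts itself off under load), here is an added example in Python. It is not Sears’ code and not Firmani’s; the class names, the card numbers and account names, and the thresholds are constructed for illustration. The cookie-based counter is included only to show why it is no control at all: a client that simply does not send the cookie back is never locked out.

```python
"""Server-side rate limiting for a gift card verification endpoint.

Added example, not code from Sears or from the quoted researcher.
Models the controls recommended above: a server-side failure counter
keyed by the authenticated account, account lockout, and a global
circuit breaker that disables the endpoint when too many requests
arrive in a window. All card numbers, accounts and limits are
constructed sample values.
"""
import hmac
import time
from collections import defaultdict

# Constructed sample data standing in for the card database (hypothetical).
VALID_CARDS = {"6006-4900-0000-0001", "6006-4900-0000-0002"}

MAX_FAILURES_PER_ACCOUNT = 3    # lock the account after this many misses
LOCKOUT_SECONDS = 15 * 60
GLOBAL_MAX_REQUESTS = 1000      # per window; above this the endpoint shuts off
GLOBAL_WINDOW_SECONDS = 60


class CookieCounter:
    """The weak design: the attempt counter lives in a client cookie.
    The server trusts whatever the client sends back, so a client that
    discards the cookie starts from zero on every request."""

    def check(self, card, cookie):
        attempts = int(cookie.get("attempts", 0))
        if attempts >= MAX_FAILURES_PER_ACCOUNT:
            return "locked", cookie
        ok = card in VALID_CARDS
        if not ok:
            cookie = {"attempts": attempts + 1}
        return ("valid" if ok else "invalid"), cookie


class GiftCardVerifier:
    """Server-side design: failure counts and lockouts are stored on the
    server, keyed by the logged-in account, and a global breaker trips
    when the endpoint as a whole is being hammered."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(int)    # account -> consecutive failures
        self.locked_until = {}              # account -> unix time lock expires
        self.window_start = clock()
        self.window_count = 0
        self.tripped = False

    def _circuit_breaker(self):
        """Count requests in a sliding window; once tripped, stay off
        until an operator resets it (the 'self-termination routine')."""
        now = self.clock()
        if now - self.window_start >= GLOBAL_WINDOW_SECONDS:
            self.window_start, self.window_count = now, 0
        self.window_count += 1
        if self.window_count > GLOBAL_MAX_REQUESTS:
            self.tripped = True
        return self.tripped

    def verify(self, account, card):
        """Return 'valid', 'invalid', 'locked' or 'disabled'."""
        if self._circuit_breaker():
            return "disabled"
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"
        # Constant-time comparison so response timing does not leak digits.
        ok = any(hmac.compare_digest(card, v) for v in VALID_CARDS)
        if ok:
            self.failures[account] = 0
            return "valid"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES_PER_ACCOUNT:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"


def demo():
    """Exercise both designs with a fake clock; returns the status lists."""
    # Weak design: the client sends an empty cookie every time, so it can
    # guess without limit and still finds the two valid cards.
    weak = CookieCounter()
    weak_results = [weak.check(f"6006-4900-0000-{i:04d}", cookie={})[0]
                    for i in range(10)]

    # Server-side design: three misses lock the account until the
    # lockout expires, regardless of what the client sends.
    t = [0.0]
    strong = GiftCardVerifier(clock=lambda: t[0])
    strong_results = [
        strong.verify("alice", "6006-4900-0000-0000"),
        strong.verify("alice", "6006-4900-0000-0003"),
        strong.verify("alice", "6006-4900-0000-0004"),
        strong.verify("alice", "6006-4900-0000-0001"),  # right card, still locked
    ]
    t[0] = LOCKOUT_SECONDS + 1.0
    strong_results.append(strong.verify("alice", "6006-4900-0000-0001"))

    # Many distinct accounts each guessing once: the per-account limit
    # alone would not stop this, so the global breaker shuts the script off.
    flood_results = [strong.verify(f"bot{i}", "6006-4900-9999-0000")
                     for i in range(1100)]
    return {"weak": weak_results, "strong": strong_results, "flood": flood_results}


if __name__ == "__main__":
    for name, statuses in demo().items():
        print(name, {s: statuses.count(s) for s in set(statuses)})
```

The breaker here is a simple fixed window and trips permanently by design; in production you would alert on it and require an operator to re-enable the endpoint, which is the point of a self-terminating verification script.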
“Fortune 50 retailer Sears.com fails the most basic of security tests” [WebSecurity] (Thanks to jeremiahg, keith55, and theharmonyguy)
“Flaw In Sears Website Left Database Open To Attack” [DR]