Slashdot Mirror


A Database of Thousands of Credit Cards Was Left Exposed on the Open Internet (zdnet.com)

A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found. From a report on ZDNet: In a stunning show of poor security, the Austin, TX-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords. Several customers that we reached out to confirmed some of their information when it was provided by ZDNet, but did not want to be named. The database was exposed because of the company's own insecure server and use of "rsync," a common protocol used for synchronizing copies of files between two different computers, which wasn't protected with a username or password.
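The exposure described above comes down to an rsync daemon that accepted anonymous clients. The following is an added example (not from the ZDNet report or the comments) that audits rsyncd.conf modules for exactly that: missing `auth users`/`secrets file`, no `hosts allow` restriction, and writable modules. The two configurations are constructed samples; the module name, paths and address are assumptions.

```python
"""Audit an rsyncd.conf for modules that accept anonymous or unrestricted clients."""
import configparser
from typing import Dict, List

# Constructed sample resembling the exposure described above: no credentials,
# no host restriction, and the module is even writable.
WEAK_CONF = """
[customers]
path = /srv/shop/customers
comment = customer database dump
read only = no
"""

# The same module with a credentialed user, a host restriction, read-only
# access and no listing of the module name to anonymous clients.
HARDENED_CONF = """
[customers]
path = /srv/shop/customers
auth users = backup
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.5
read only = yes
list = no
"""


def parse_rsyncd(text: str) -> Dict[str, Dict[str, str]]:
    """rsyncd.conf is ini-like: [module] headers, 'key = value' lines, '#' comments.
    configparser lowercases keys, which matches rsyncd's case-insensitive parameters."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def audit(text: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    findings: List[str] = []
    for name, opts in parse_rsyncd(text).items():
        if name == "global":  # [global] holds daemon-wide settings, not a module
            continue
        # Without 'auth users' the daemon serves the module to anyone who connects.
        if "auth users" not in opts or "secrets file" not in opts:
            findings.append(f"{name}: no 'auth users'/'secrets file', anonymous access")
        # Without 'hosts allow' every source address is accepted.
        if "hosts allow" not in opts:
            findings.append(f"{name}: no 'hosts allow', reachable from any address")
        # rsyncd defaults 'read only' to yes; an explicit 'no' makes the module writable.
        if opts.get("read only", "yes").strip().lower() in ("no", "false", "0"):
            findings.append(f"{name}: writable module")
    return findings
```

Run `audit(open("/etc/rsyncd.conf").read())` on a host that exposes port 873; the check covers only what is in the file, so a firewall in front of the daemon still has to be verified separately.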

8 of 37 comments

  1. rsync? by Anonymous Coward · · Score: 3, Insightful

    Most of us use rsync over SSH with key auth, which means something like RSA-2048 or 4096, or ED25519 (elliptic curve crypto, about the same security as AES-128). It is not even password-based.

    So, no, it was not rsync use that left things open. It was just incompetence.

    1. Re:rsync? by DaHat · · Score: 4, Interesting

      I see your problem...

      Most of us use rsync over SSH with key auth

      Far too often, it is easy to turn off/on other features of a product which make it less secure, all in the effort to just make it work. Once that's all done, there isn't always a careful examination of what the other implications of their other fiddling are.

      I'd be very curious which other companies/contractors were involved in this setup, as they and their other customers should probably be thinking about a PCI security audit.

  2. Old story is Old by sizzlinkitty · · Score: 5, Informative

    MacKeeper broke this story late November 2016 - https://mackeeper.com/blog/pos...

  3. Re:By "synchronize", you mean "backup" by MtHuurne · · Score: 3, Informative

    I've never heard of rsync mangling data in transit. Are you sure it's not a case of corruption when trying to back up a file while it is being written to? That could happen if you don't create a snapshot of live data, but it's not a problem specific to rsync.

  4. PCI Failure at all levels by omnichad · · Score: 5, Insightful

    Even storing credit card data at all (instead of processor authorization tokens) is a huge red flag unless they want a mountain worth of additional compliance work.

    And then they store it unencrypted....

  5. Laws that protect customer data by Anonymous Coward · · Score: 2, Insightful

    Aren't there laws that require companies to protect customer data? There certainly should be.

  6. Re:By "synchronize", you mean "backup" by ls671 · · Score: 2

    It's also an incredibly insecure protocol unless you use a SSH tunnel. Most people don't seem to bother with tunneling rsync via SSH either.

    No need for an ssh tunnel (e.g. ssh -L:port:target:port)

    Just tell rsync to use ssh like this:
    RSYNC_RSH='ssh -x -l root '
    export RSYNC_RSH

    then

    rsync -a host:/targetdir .

    about mangling the data: you obviously must be doing something wrong. I never had such problems...

    --
    Everything I write is lies, read between the lines.

  7. Re:unhashed passwords, unencrypted card numbers by ls671 · · Score: 4, Funny

    I can see all the passwords on my linux system in /etc/shadow:

    joe:$6$C/3J0yEO$a5VtriMUR6oyxW1kNSOSHE7fAlvWWbf4.aotAySCZATv7BB0pWPTmMRxXm5Ivg7GmswpKnJVdmnAg6FZoC7Fb1:17275:0:99999:7:::

    see? The password for joe is:
    $6$C/3J0yEO$a5VtriMUR6oyxW1kNSOSHE7fAlvWWbf4.aotAySCZATv7BB0pWPTmMRxXm5Ivg7GmswpKnJVdmnAg6FZoC7Fb1

    --
    Everything I write is lies, read between the lines.