A Database of Thousands of Credit Cards Was Left Exposed on the Open Internet (zdnet.com)

← Back to Stories (view on slashdot.org)

A Database of Thousands of Credit Cards Was Left Exposed on the Open Internet (zdnet.com)

Posted by msmash on Friday April 28, 2017 @09:20AM from the security-woes dept.

A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found. From a report on ZDNet: In a stunning show of poor security, the Austin, TX-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords. Several customers that we reached out to confirmed some of their information when it was provided by ZDNet, but did not want to be named. The database was exposed because of the company's own insecure server and use of "rsync," a common protocol used for synchronizing copies of files between two different computers, which wasn't protected with a username or password.

6 of 37 comments (clear)

Min score:

Reason:

Sort:

rsync? by Anonymous Coward · 2017-04-28 09:27 · Score: 3, Insightful

Most of us use rsync over SSH with key auth, which means something like RSA-2048 or 4096, or ED25519 (elliptic curve crypto, about the same security as AES-128). It is not even password-based.
So, no, it was not rsync use that left things open. It was just incompetence.
1. Re:rsync? by DaHat · 2017-04-28 09:35 · Score: 4, Interesting
  
  I see your problem...
  
  Most of us use rsync over SSH with key auth
  Far too often, it is easy to turn off/on other features of a product which make it less secure, all in the effort to just make it work. Once that's all done, there isn't always a careful examination of what the other implications of their other fiddling is.
  I'd be very curious to which which other companies/contractors were involved in this setup, as they and their other customers should probably be thinking about a PCI security audit.
  
  --
  Help Brendan pay off his student loans
Old story is Old by sizzlinkitty · 2017-04-28 09:59 · Score: 5, Informative

MacKeeper broke this story late November 2016 - https://mackeeper.com/blog/pos...
Re:By "synchronize", you mean "backup" by MtHuurne · 2017-04-28 10:03 · Score: 3, Informative

I've never heard of rsync mangling data in transit. Are you sure it's not a case of corruption when trying to back up a file while it is being written to? That could happen if you don't create a snapshot of live data, but it's not a problem specific to rsync.
PCI Failure at all levels by omnichad · 2017-04-28 10:05 · Score: 5, Insightful

Even storing credit card data at all (instead of processor authorization tokens) is a huge red flag unless they want a mountain worth of additional compliance work.
And then they store it unencrytped....
Re:unhashed passwords, unencrypted card numbers by ls671 · 2017-04-28 11:31 · Score: 4, Funny

I can see all the passwords on my linux system in /etc/shadow:
joe:$6$C/3J0yEO$a5VtriMUR6oyxW1kNSOSHE7fAlvWWbf4.aotAySCZATv7BB0pWPTmMRxXm5Ivg7GmswpKnJVdmnAg6FZoC7Fb1:17275:0:99999:7:::
see? The password for joe is:
$6$C/3J0yEO$a5VtriMUR6oyxW1kNSOSHE7fAlvWWbf4.aotAySCZATv7BB0pWPTmMRxXm5Ivg7GmswpKnJVdmnAg6FZoC7Fb1

--
Everything I write is lies, read between the lines.