MindSpring site exposes some password files

Computerworld

(IDG) -- An unpatched, buggy version of open-source e-commerce software, combined with a misconfigured hosting server, exposed password files earlier this month for approximately 100 domains hosted by Atlanta-based EarthLink Inc.

The chain of events included the discovery of a 2-year-old security flaw and the exposure of password lists for all customers on two MindSpring Enterprises Inc. servers. The situation illustrates some of the potential perils of failing to register e-commerce software with vendors that issue security and other upgrade advisories.


A Web search by an affected customer has uncovered more than a thousand e-commerce sites that apparently haven't applied the patch.

The problem started two years ago, when Web Store software created by Singapore-based Extropia.com was upgraded to fix a security flaw and users were sent an advisory with a patch.

Three years before that, the e-commerce site A Dog Owner's Network had a custom implementation of the open-source software installed. But the Lake Arrowhead, Calif.-based site never registered with Extropia, so it never received the advisory or the patch.

A student reportedly discovered that the dog owner's site (www.adognet.com) was vulnerable and told Atlanta-based MindSpring on Oct. 10. That led to the discovery that a misconfiguration on the site's MindSpring hosting service, owned by EarthLink, allowed attackers to view the password lists of other sites hosted on the same servers.

Cris Alarcon, an information technology administrator at aDogNet.com, said his staff created their own patch for the 7-year-old software as soon as they learned of the bug. Alarcon said he later conducted a Web search for other companies that used Web Store and turned up 2,500 users, half of whom appear not to have downloaded the patch.

"It's natural with open source that you are going to get a broad distribution of the program, but there are many unregistered versions that are not privy to updates," said Alarcon. "Since many of these companies have smaller sites, they are less likely to have a technical department that keeps up on data security issues."

Alarcon said that his company doesn't keep any sensitive customer data or credit-card numbers on the hosted server, and that only low-level passwords were exposed.

According to Alarcon, the most disturbing part of the incident was that any customer hosted on MindSpring could theoretically read about the vulnerability, download the flawed software, install it on their own site and use it to read the password files of the other sites on the same server.

Dave Flammia, director of Web-hosting support at EarthLink, acknowledged that other sites hosted on the same servers as aDogNet.com did have their password files exposed. "They could cut and paste it from the Web," he said.

But Flammia said he had no knowledge of MindSpring being alerted to the problem prior to Oct. 17. He added that MindSpring changed its server configurations on the evening of Oct. 18 to make sure that password files weren't exposed.

Flammia said the vulnerability affected Sun Solaris servers that hosted only "a handful" of customers, perhaps fewer than 100. He said MindSpring had contacted affected customers and asked them to change passwords.

"We asked them to change them to something harder to crack, so that a simple dictionary program couldn't crack it," Flammia said.
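The two failures the article describes, a password file readable by every account on a shared host and passwords weak enough for "a simple dictionary program", illustrated as an added example that is not code from the article, from EarthLink or from eXtropia. The password-file format below (user, salt, salted SHA-256) is an assumption chosen so the example runs anywhere; it stands in for whatever Solaris hash format the MindSpring servers actually used. The password file and the wordlist are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

# Constructed sample password file in a simplified "user:salt$sha256(salt+password)"
# format. This is an illustrative stand-in (an assumption), NOT the Solaris crypt(3)
# format the article's servers used; the attack logic is the same either way.
def make_entry(user, password, salt):
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{user}:{salt}${digest}"

SAMPLE_PASSWD = "\n".join([
    make_entry("adognet", "puppies", "a1"),      # weak: appears in any wordlist
    make_entry("shopsite", "letmein", "b2"),     # weak
    make_entry("hardened", "xK9#v2Lq!m", "c3"),  # not in the wordlist
]) + "\n"

# Constructed wordlist: a tiny stand-in for a real dictionary-attack wordlist.
WORDLIST = ["password", "123456", "puppies", "letmein", "dogs", "welcome"]


def parse_passwd(text):
    """Parse user:salt$digest lines into {user: (salt, digest)}, skipping blank lines."""
    entries = {}
    for line in text.splitlines():
        if not line or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        salt, digest = hashed.split("$", 1)
        entries[user] = (salt, digest)
    return entries


def dictionary_attack(passwd_text, wordlist):
    """Return {user: password} for every account whose password is in the wordlist.

    Each candidate word is hashed with the account's own salt and compared to the
    stored digest; the first match wins. Accounts with passwords outside the
    wordlist are simply not returned.
    """
    cracked = {}
    for user, (salt, digest) in parse_passwd(passwd_text).items():
        for word in wordlist:
            if hashlib.sha256((salt + word).encode()).hexdigest() == digest:
                cracked[user] = word
                break
    return cracked


def readable_by_other_users(path):
    """True if the file mode grants read to group or others.

    On a shared hosting box that is exactly the exposure described in the article:
    a CGI running as any other customer's account can open the file.
    """
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo_permission_check():
    """Write the sample file world-readable, then lock it down; return (before, after)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "w") as f:
            f.write(SAMPLE_PASSWD)
        os.chmod(path, 0o644)           # the misconfigured state: anyone can read it
        before = readable_by_other_users(path)
        os.chmod(path, 0o600)           # the corrected state: owner only
        after = readable_by_other_users(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("cracked accounts:", dictionary_attack(SAMPLE_PASSWD, WORDLIST))
    print("readable by other users before/after chmod:", demo_permission_check())
```

Run it and the two weak accounts fall to a six-word list in a few hash computations, while the `hardened` account survives only because its password is not in the list; the permission check is the one-line test a hosting administrator can run over every customer's password file to confirm the fix Flammia describes.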

© 2001 Cable News Network. All Rights Reserved.