
O'Reilly Leaks Geeks' Info


Call it a case of "do what we say, not what we do." Hardcore geek publishing house O'Reilly & Associates recently exposed their database of approximately 100,000 online users to outsiders, courtesy of a Web coding slip-up that their techie customer base might scoff at.

O'Reilly's main Web site, as well as connected sites like Perl.com and XML.com, offer visitors free password-protected accounts for posting comments and subscribing to the publisher's e-mail lists.

Until Monday, clicking on a link for reviewing and changing your user profile would land you at a URL of the form www.oreillynet.com/cs/user/edit/u/66848.

It turns out the number at the end is a sequentially assigned user ID, and by simply substituting other numbers one could browse or modify other people's profiles; the site checked only that you were logged in, not that the profile you asked for was your own. The profiles include full names and email addresses and, more rarely, physical mailing address, employer, title and phone number.

No credit card numbers or purchase histories were revealed through the gaffe, but the publisher of titles like "Computer Security Basics" and "Web Security, Privacy & Commerce" -- as well as the standard texts on Perl and CGI programming -- should consider giving free copies to their Web development team, suggests 19-year-old Jeremiah Jacks, the coder who discovered the flaw and reported it to O'Reilly.

"It kind of goes to show that just because they preach about writing secure code, it doesn't mean the people behind the site are writing secure code," says Jacks, a computer security consultant with Point Blank Security.

Jacks has a knack for bird-dogging Web security blunders -- last March fashion retailer Guess closed a hole he discovered that made customer credit card numbers accessible from the Web. He credits O'Reilly with plugging their leak quickly Monday. "They added code that checks to see if you have rights to view the profile," says Jacks.
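The flaw described above (a sequential user ID in the URL selecting the row, with nothing tying that row to the logged-in visitor) and the fix Jacks describes (a rights check before the profile is touched) are modelled below. This is an added example, not O'Reilly's code: the real site's handler lived behind /cs/user/edit/u/<id>; here it is a plain function, the "database" is an in-memory dict of constructed sample profiles, and the ownership rule (the requested ID must match the session's ID unless the caller is an administrator) is an assumption about what a sensible check looks like.

```python
"""Model of an insecure direct object reference on a profile-edit page
and the authorization check that closes it (added example; the site,
IDs and profile rows are constructed, not O'Reilly's data)."""

# Constructed sample profiles keyed by a sequentially assigned user ID.
# Sequential IDs are what makes the hole trivial to walk: a visitor
# holding 66848 need only try 66847, 66849, ... to find neighbours.
PROFILES = {
    66846: {"name": "Alice Example", "email": "alice@example.net"},
    66847: {"name": "Bob Example", "email": "bob@example.org",
            "phone": "555-0100"},
    66848: {"name": "Carol Example", "email": "carol@example.com"},
}


class Forbidden(Exception):
    """Raised when a handler refuses the request (an HTTP 403 in a real app)."""


def edit_profile_vulnerable(session_user_id, requested_id):
    """The pre-fix behaviour: the ID from the URL picks the row, and the
    only check is that *some* account is logged in. Any authenticated
    visitor can read (and, since the row is returned, modify) any profile
    simply by substituting another number."""
    if session_user_id is None:
        raise Forbidden("login required")
    return PROFILES[requested_id]


def edit_profile_fixed(session_user_id, requested_id, is_admin=False):
    """The fix Jacks describes: verify the caller has rights to this
    profile before touching it. The rule used here (own profile, or an
    admin) is our assumption about what that check should be."""
    if session_user_id is None:
        raise Forbidden("login required")
    if requested_id != session_user_id and not is_admin:
        raise Forbidden("not your profile")
    return PROFILES[requested_id]


def enumerate_profiles(handler, session_user_id, start, count):
    """Walk a range of IDs the way a curious visitor would and collect
    whatever the handler hands back. Returns {user_id: profile}. Against
    the vulnerable handler this leaks every existing row in the range;
    against the fixed one it yields only the caller's own row."""
    leaked = {}
    for uid in range(start, start + count):
        if uid not in PROFILES:  # a real site would return 404 here
            continue
        try:
            leaked[uid] = handler(session_user_id, uid)
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    # Carol (66848) is logged in and tries the twenty IDs around her own.
    before = enumerate_profiles(edit_profile_vulnerable, 66848, 66840, 20)
    after = enumerate_profiles(edit_profile_fixed, 66848, 66840, 20)
    print("vulnerable handler leaked:", sorted(before))
    print("fixed handler returned:   ", sorted(after))
```

The useful check for a practitioner is the second enumeration: after the fix, walking the ID space still finds the rows but cannot read them, which is what an authorization check, as opposed to an obscured identifier, buys you. Switching to random IDs alone would only have slowed the enumeration down, not removed the missing rights check.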

The company couldn't answer how long the hole had been in place. "As far as we know, no one but Jeremiah was able to get in," says spokesperson Lisa Mann.

By Kevin Poulsen

