[Owasp-southafrica] credit card information sent over http

Wimpie.DuPlessis at absa.co.za
Wed Aug 20 05:54:13 EDT 2008


Hi,

I reported this to the company on Monday already and they haven't done
anything about it. I phoned them again this morning and they said it
would be fixed. Still nothing. So what else can I do to get them to fix
the issue?

Browse to the following website:
http://www.theboma.com/bookings_al_shows.htm. If you scroll down to the
bottom of the form, they ask you for credit card number, expiry date and
CVV number. Now if you look at the source code you see the following:

 

    <td height="21" colspan="3">
        <FORM ACTION="http://postmail.datapro.co.za/todistribute.php" METHOD="post" target="_blank">
            <INPUT TYPE="hidden" NAME="recipient"
                   VALUE="maryke at thatsitcom.co.za, barnyard at theboma.com, elsandra at theboma.com">

 

So they are submitting it over HTTP to datapro and from there it gets
mailed out. Now the thing that is even scarier is that if you browse to
http://postmail.datapro.co.za you will see that the website has been
hacked already. So I wonder how many people have actually submitted
their details on this site?

 

Regards

Wimpie du Plessis
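The pattern in the post (a card-details form whose action is a plain-HTTP URL on a third-party mail relay, with a hidden recipient field) can be checked for mechanically before a page goes live. The following is an added example written for this archive page, not code from the original post or from either site; the host names and the HTML sample are constructed to mirror the quoted form, and the field-name hints are an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that suggest payment-card data is being collected (assumed list).
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "expiry")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and the fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action", "method", "fields": [...]}
        self._current = None   # form currently being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append({"name": a.get("name", "") or "",
                                            "type": (a.get("type") or "text").lower(),
                                            "value": a.get("value", "") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url):
    """Return findings for forms that collect card data but submit it insecurely."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for form in parser.forms:
        names = [f["name"].lower() for f in form["fields"]]
        if not any(hint in n for n in names for hint in CARD_FIELD_HINTS):
            continue                       # not a payment form, nothing to check
        target = urlsplit(urljoin(page_url, form["action"]))   # resolve relative actions
        issues = []
        if target.scheme != "https":
            issues.append("card data posted over plain HTTP")
        if target.hostname != page_host:
            issues.append("card data posted to third-party host " + str(target.hostname))
        if form["method"] != "post":
            issues.append("GET submission leaks card fields into URLs and logs")
        # A hidden field holding e-mail addresses means a generic mail relay: the card
        # details end up in mailboxes rather than in a payment processor.
        for f in form["fields"]:
            if f["type"] == "hidden" and "@" in f["value"]:
                issues.append("hidden field %r forwards the submission by e-mail" % f["name"])
        if issues:
            findings.append({"action": target.geturl(), "issues": issues})
    return findings


# Constructed sample modelled on the form quoted in the post (hosts are placeholders).
INSECURE_PAGE = """
<td height="21" colspan="3"><FORM ACTION="http://postmail.example.net/todistribute.php"
METHOD="post" target="_blank">
<INPUT TYPE="hidden" NAME="recipient" VALUE="bookings@example.com, owner@example.com">
<INPUT TYPE="text" NAME="cardnumber"> <INPUT TYPE="text" NAME="expiry"> <INPUT TYPE="text" NAME="cvv">
</FORM></td>
"""

# Constructed counterpart: same fields, same-origin HTTPS action, no mail relay.
HARDENED_PAGE = """
<form action="/pay" method="post">
<input type="text" name="cardnumber"> <input type="text" name="expiry"> <input type="text" name="cvv">
</form>
"""

if __name__ == "__main__":
    for name, page in (("insecure", INSECURE_PAGE), ("hardened", HARDENED_PAGE)):
        print(name, audit_forms(page, "https://shop.example.com/bookings.htm"))
```

Run against a crawl of your own site's pages, a non-empty result is the finding to raise with the developers before any customer submits a card number.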
