[Owasp-southafrica] credit card information sent over http

Lindsay van Eden lindsay.vaneden at absa.co.za
Wed Aug 20 06:05:15 EDT 2008


Ooooh.. Submitting credit card details, in clear text.. To a hacked website.
This is getting better and better every day.

Think we should drop a mail to visa/mastercard...



On 2008/08/20 11:54 AM, "Wimpie.DuPlessis at absa.co.za"
<Wimpie.DuPlessis at absa.co.za> wrote:

> Hi,
>  
> I reported this to the company on Monday already and they haven't done
> anything about it. I phoned them again this morning and they said it would be
> fixed. Still nothing. So what else can I do to get them to fix the issue?
>  
> Browse to the following website: http://www.theboma.com/bookings_al_shows.htm,
> if you scroll down to the bottom of the form they ask you for, Credit Card
> number, expiry date and CVV number. Now if you look at the source code you see
> the following:
>  
>                 <td height="21" colspan="3"><FORM
> ACTION="http://postmail.datapro.co.za/todistribute.php" METHOD="post"
> target="_blank">
>  
>                                <INPUT TYPE="hidden" NAME="recipient"
> VALUE="maryke at thatsitcom.co.za, barnyard at theboma.com, elsandra at theboma.com">
>  
> So they are submitting it over http to datapro and from there it gets mailed
> out. Now the thing that is even scarier is that if you browse to
> http://postmail.datapro.co.za/ you will see
> that the website has been hacked already. So I wonder how many people have
> actually submitted their details on this site?
>  
> Regards
> Wimpie du Plessis
>  
>  
> ___________________________________________________________
> 
> 
> Important Notice:
> 
> Absa is an Authorised Financial Services Provider and Registered Credit
> Provider, 
> registration number: NCRCP7.
> 
> This e-mail and any files transmitted with it are confidential and intended
> for the use of 
> the individual or entity to whom they are addressed.
> 
> Please note that there are terms and conditions and some important
> restrictions, 
> qualifications and disclaimers ("the Disclaimer") that apply to this email. To
> read this 
> click on the following address or copy into your Internet browser:
> 
> http://www.absa.co.za/disclaimer
> 
> The Disclaimer forms part of the content of this email in terms of
> section 11 of the Electronic Communications and Transactions
> Act, 25 of 2002. 
> 
> If you are unable to access the Disclaimer, send a blank e-mail
> to disclaimer at absa.co.za and we will send you a copy of the
> Disclaimer.
> 
> 
> _______________________________________________
> Owasp-southafrica mailing list
> Owasp-southafrica at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-southafrica
> 
> 
> Lindsay van Eden
> GRCB Information Security
> Barclays PLC - ZA Regional Data Centre
> 
> Direct:  +27 11 772 7172
> mailto:  Lindsay.vaneden at absa.co.za
> mailto:  Lindsay.vaneden at barclays.com
> mailto:  GRCBZARegionalDataCentreInformationSecurity at Barclays.com
> 
> 
> OWASP South Africa
> https://www.owasp.org/index.php/South_Africa
> 
> 
> 

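The pattern Wimpie describes (card fields posted over plain http, to a third-party host, via a formmail-style relay with a hidden "recipient" field) can be checked for mechanically. Below is an added example, not code from the thread or from any of the sites mentioned; the sample HTML is constructed with .invalid hostnames and only mirrors the shape of the form quoted above.

```python
# Added example (not from the thread): flag forms that collect card data and submit it insecurely.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CARD_FIELD = re.compile(r"card|ccnum|cvv|cvc|expir", re.I)

class FormAuditor(HTMLParser):
    # Collects each <form>'s resolved action, field names and hidden values.
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.current = page_url, [], None

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": urljoin(self.page_url, a.get("action") or ""),
                            "fields": [], "hidden": {}}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None:
            name = a.get("name") or ""
            self.current["fields"].append(name)
            if (a.get("type") or "").lower() == "hidden":
                self.current["hidden"][name] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def audit_forms(html, page_url):
    """Return findings for forms with card-like fields; an empty list means clean."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        sensitive = [n for n in form["fields"] if CARD_FIELD.search(n)]
        if not sensitive:
            continue
        dest = urlsplit(form["action"])
        if dest.scheme != "https":  # clear-text transport, readable by anyone on the path
            findings.append(f"card fields {sensitive} posted over {dest.scheme} to {dest.netloc}")
        if dest.netloc != urlsplit(page_url).netloc:  # third-party collector
            findings.append(f"card data leaves the site: posted to {dest.netloc}")
        if "recipient" in form["hidden"]:  # formmail-style relay: data ends up in plain e-mail
            findings.append(f"form relays submissions by e-mail to {form['hidden']['recipient']}")
    return findings

# Constructed sample modelled on the booking form described in the post (not the real page).
SAMPLE_HTML = """<FORM ACTION="http://postmail.relay.invalid/todistribute.php" METHOD="post">
<INPUT TYPE="hidden" NAME="recipient" VALUE="bookings@venue.invalid"> <INPUT NAME="card_number"> <INPUT NAME="cvv"></FORM>"""
```

Run `audit_forms(SAMPLE_HTML, "http://www.venue.invalid/bookings.htm")` to get all three findings for the sample; a same-origin https form with no hidden recipient returns an empty list.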


