[Owasp-southafrica] credit card information sent over http

Alastair "Bell" Turner aturner at khulisa.com
Wed Aug 20 06:27:06 EDT 2008


I agree that it's very tempting to get someone to come down hard on
them, and whoever supplies their merchant account certainly could hurt
them. A pointer or two in the right direction could also help the matter
to a quick and positive conclusion though.

I would imagine that they've been told that they need to buy all sorts
of expensive 'e-commerce' services from their service provider
(apparently DataPro). Pointing them towards something like VCS's virtual
vendor service may make getting it right seem a lot less intimidating,
and make it seem quickly soluble rather than a long term issue.

And no, I don't work for them.

Now that I've done my 'be nice' pitch for the day ... back to ignoring
my own advice.

Bell.

On Wed, 2008-08-20 at 12:05 +0200, Lindsay van Eden wrote:
> Ooooh.. Submitting credit card details, in clear text.. To a hacked
> website.
> This is getting better and better everyday.
> 
> Think we should drop a mail to visa/mastercard...  
> 
> On 2008/08/20 11:54 AM, "Wimpie.DuPlessis at absa.co.za"
> <Wimpie.DuPlessis at absa.co.za> wrote:
> 
>         Hi,
>          
>         I reported this to the company on Monday already and they
>         haven't done anything about it. I phoned them again this
>         morning and they said it would be fixed. Still nothing. So
>         what else can I do to get them to fix the issue?
>          
>         Browse to the following website:
>         http://www.theboma.com/bookings_al_shows.htm. If you scroll
>         down to the bottom of the form, they ask you for credit card
>         number, expiry date and CVV number. Now if you look at the
>         source code you see the following:
>          
>         <td height="21" colspan="3"><FORM
>         ACTION="http://postmail.datapro.co.za/todistribute.php"
>         METHOD="post" target="_blank">
>          
>         <INPUT TYPE="hidden"
>         NAME="recipient" VALUE="maryke at thatsitcom.co.za,
>         barnyard at theboma.com, elsandra at theboma.com">
>         
>         So they are submitting it over http to datapro and from there
>         it gets mailed out. Now the thing that is even scarier is
>         that if you browse to http://postmail.datapro.co.za
>         you will see that the website has been hacked already. So I
>         wonder how many people have actually submitted their details
>         on this site?
>          
>         Regards
>         Wimpie du Plessis
>          

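As an added example (not code from this thread, nor from any of the companies named in it), the following Python script shows the kind of check a site owner or reviewer can run to catch the pattern Wimpie describes: a form that collects card number, expiry and CVV but submits them to a plain-http action, to a host other than the page's own, or to a form-to-mail relay configured through a hidden "recipient" field. The sample page and the example.invalid hostnames are constructed for this illustration and stand in for the real URLs quoted above.

```python
"""Audit the forms on an HTML page for insecure handling of payment-card
fields. Added example: sample page and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Substrings that suggest a field carries payment-card data (assumed heuristic).
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "expir")


class FormCollector(HTMLParser):
    """Collects every <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser already lower-cases tag and attribute names
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["inputs"].append({
                "name": (a.get("name") or "").lower(),
                "type": (a.get("type") or "text").lower(),
                "value": a.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url):
    """Return a list of findings; each has the form's resolved action and its issues."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in parser.forms:
        # Resolve relative actions against the page so a bare "/submit.php"
        # on an http page is correctly seen as cleartext.
        action_url = urljoin(page_url, form["action"])
        action = urlparse(action_url)
        names = [i["name"] for i in form["inputs"]]
        collects_card = any(h in n for n in names for h in CARD_FIELD_HINTS)
        issues = []
        if collects_card and action.scheme != "https":
            issues.append("card data submitted over cleartext http")
        if collects_card and action.hostname and action.hostname != page_host:
            issues.append("card data posted to third-party host " + action.hostname)
        recipients = [i["value"] for i in form["inputs"]
                      if i["type"] == "hidden" and "recipient" in i["name"]]
        if recipients:
            issues.append("hidden recipient field: form is relayed by e-mail to "
                          + ", ".join(recipients))
        if issues:
            findings.append({"action": action_url, "issues": issues})
    return findings


# Constructed sample page mirroring the structure described in the thread.
SAMPLE_PAGE = """
<html><body>
<form action="http://postmail.example.invalid/todistribute.php" method="post">
  <input type="hidden" name="recipient" value="bookings@example.invalid">
  <input type="text" name="name">
  <input type="text" name="card_number">
  <input type="text" name="expiry_date">
  <input type="text" name="cvv">
</form>
<form action="https://www.example.invalid/search" method="get">
  <input type="text" name="q">
</form>
</body></html>
"""


def audit_sample():
    """Run the audit against the constructed sample page."""
    return audit_forms(SAMPLE_PAGE, "http://www.example.invalid/bookings.htm")


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding["action"])
        for issue in finding["issues"]:
            print("  -", issue)
```

The booking form triggers all three checks, while the harmless https search form produces nothing. The field-name heuristic is deliberately simple; in practice one would also confirm that the page itself is served over https, since a form on an http page can be rewritten in transit before the browser ever sees its action.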