[Owasp-southafrica] credit card information sent over http
Alastair "Bell" Turner
aturner at khulisa.com
Wed Aug 20 06:27:06 EDT 2008
I agree that it's very tempting to get someone to come down hard on
them, and whoever supplies their merchant account certainly could hurt
them. A pointer or two in the right direction could also help the matter
to a quick and positive conclusion though.
I would imagine that they've been told that they need to buy all sorts
of expensive 'e-commerce' services from their service provider
(apparently DataPro). Pointing them towards something like VCS's virtual
vendor service may make getting it right seem a lot less intimidating,
and make it seem quickly soluble rather than a long term issue.
And no, I don't work for them.
Now that I've done my 'be nice' pitch for the day ... back to ignoring
my own advice.
On Wed, 2008-08-20 at 12:05 +0200, Lindsay van Eden wrote:
> Ooooh.. Submitting credit card details, in clear text.. To a hacked
> This is getting better and better everyday.
> Think we should drop a mail to visa/mastercard...
> On 2008/08/20 11:54 AM, "Wimpie.DuPlessis at absa.co.za"
> <Wimpie.DuPlessis at absa.co.za> wrote:
> I reported this to the company on Monday already and they
> haven’t done anything about it. I phoned them again this
> morning and they said it would be fixed. Still nothing. So
> what else can I do to get them to fix the issue?
> Browse to the following website:
> http://www.theboma.com/bookings_al_shows.htm, if you scroll
> down to the bottom of the form they ask you for, Credit Card
> number, expiry date and CVV number. Now if you look at the
> source code you see the following:
> <td height="21" colspan="3"><FORM
> METHOD="post" target="_blank">
> <INPUT TYPE="hidden"
> NAME="recipient" VALUE="maryke at thatsitcom.co.za,
> barnyard at theboma.com, elsandra at theboma.com">
> So they are submitting it over http to datapro and from there
> it gets mailed out. Now the thing that is even scarier is
> that if you browse to http://postmail.datapro.co.za
> <http://postmail.datapro.co.za/> you will see that the website
> has been hacked already. So I wonder how many people have actually
> submitted their details on this site?
> Wimpie du Plessis
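As an added example (not part of this thread or of any reply in it), the following script audits a page's HTML for the problem Wimpie describes: a form that collects card number, expiry and CVV and either posts to a non-HTTPS action or hands the data to a form-to-mail relay via a hidden "recipient" input. The sample page and the hosts in it are constructed placeholders, not the real site.

```python
"""Audit HTML for payment forms that leak card data (added example, not from the thread)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input names that indicate card-holder data (card number, expiry, CVV).
CARD_FIELD = re.compile(r"(card|cc_?num|\bpan\b|cvv|cvc|expir|exp_?(month|year|date))", re.I)

class PaymentFormAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # A missing ACTION posts back to the page itself, so resolve against the page URL.
            self._cur = {"action": urljoin(self.page_url, a.get("action", "")),
                         "card_fields": [], "mail_relay": False}
        elif tag == "input" and self._cur is not None:
            name = a.get("name", "")
            if CARD_FIELD.search(name):
                self._cur["card_fields"].append(name)
            # Hidden "recipient" input: form-to-mail relay, the pattern quoted in the thread.
            if a.get("type", "").lower() == "hidden" and name.lower() == "recipient":
                self._cur["mail_relay"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def audit(html, page_url):
    """Return one finding per form that collects card data over plain HTTP or relays it by e-mail."""
    p = PaymentFormAuditor(page_url)
    p.feed(html)
    findings = []
    for f in (f for f in p.forms if f["card_fields"]):
        scheme = urlsplit(f["action"]).scheme
        if scheme != "https":
            findings.append(f"{f['card_fields']} posted over {scheme} to {f['action']}")
        if f["mail_relay"]:
            findings.append(f"{f['card_fields']} relayed by e-mail via hidden 'recipient' field")
    return findings

# Constructed sample page in the shape of the thread's form; hosts are placeholders.
SAMPLE = """<form method="post" target="_blank" action="http://postmail.example.invalid/cgi">
<input type="hidden" name="recipient" value="bookings@example.invalid">
<input name="card_number"><input name="expiry"><input name="cvv"></form>
<form method="post" action="https://pay.example.invalid/charge"><input name="cvv"></form>"""
for line in audit(SAMPLE, "http://www.example.invalid/bookings.htm"): print(line)
```

Only the first form is reported (twice: plain HTTP and e-mail relay); the second posts the CVV to an HTTPS endpoint and is left alone.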